What's the best way to search if a PHP session has been created on the server?
For example, store the name Joe somewhere in a session, and then after Joe closes his browser, can I then lookup (in a php script elsewhere on my computer) if Joe's session still exists on the server (i.e. not yet expired)?
Session data is usually stored in the server's temporary directory (the session.save_path setting).
While it is theoretically possible to search through that directory, go through every session file, open it, and look for whether it's Joe's session, it's not a clean approach, and there are many ways it can break - for example if the server doesn't give you a list of the files in the temporary directory to start with. Or what if a user has multiple simultaneous active sessions?
If you really need this, you should probably create a custom session handler that stores its data in its own directory or database. For that custom handler, you can then implement an interface that allows you to query whether a certain user is logged in, or a specific session exists.
In the server the check the path set to store sessions in php using directive session.save_path
and then try decode the files in there using session_decode() method
More information can be found in below links
Location of session files
Reading Session Data
Related
I've seen this many times, especially when inspecting (older) browsergame scripts, storing they user sessions in e.g. /project/sessions or /project/tmp. Is there any valid reason not to use the default session save path?
From manual:
Warning
If you leave this set to a world-readable directory, such as /tmp (the
default), other users on the server may be able to hijack sessions by
getting the list of files in that directory.
Also usually the default temporary directory get cleaned on reboot and session data may be lost.
Who creates a session and how does cookie and any role in it?
I was asked this question in a company's interview process and didn't know the answer. I would like to to know which side creates Sessions i.e whether the client side or server side and does cookie has any role in it.
Also how the server understands which session is provided to which client and which user of client if multiple users are logged in?
What’s the difference between a cookie and a session in PHP?
PHP sessions improve upon cookies because they allow web applications to store and retrieve more information than cookies. PHP sessions actually use cookies, but they add more functionality and security.
Sessions store data on the server, not on the browser like cookies
The main difference between a session and a cookie is that session data is stored on the server, whereas cookies store data in the visitor’s browser. Sessions use a session identifier to locate a particular user’s session data. This session identifier is normally stored in the user’s web browser in a cookie, but the sensitive data that needs to be more secure — like the user’s ID, name, etc. — will always stay on the server.
Sessions are more secure than cookies
So, why exactly should we use sessions when cookies work just fine? Well, as we already mentioned, sessions are more secure because the relevant information is stored on the server and not sent back and forth between the client and server. The second reason is that some users either turn off cookies or reject them. In that scenario, sessions, while designed to work with a cookie, can actually work without cookies as a workaround, as you can read about here: Can PHP sessions work without cookies?.
Sessions need extra space, unlike cookies
PHP sessions, unlike cookies which are just stored on the user’s browser, need a temporary directory on the server where PHP can store the session data. For servers running Unix this isn’t a problem at all, because the /tmp directory is meant to be used for things like this. But, if your server is running Windows and a version of PHP earlier than 4.3.6, then the server will need to be configured – here is what to do: Create a new folder on your Windows server – you can call it something like C:\temp. You want to be sure that every user can read and write to this folder. Then, you will need to edit your php.ini file, and set the value of session.save_path to point to the folder which you created on the Windows server (in this case, that folder is under C:\temp). And finally, you will need to restart your web server so that the changes in the php.ini file take effect.
Sessions must use the session_start function
A very important thing to remember when using sessions is that each page that will use a session must begin by calling the session_start() function. The session_start() function tells PHP to either start a brand new session or access an existing one.
How session_start in PHP uses cookies
The first time the session_start() function is used, it will try to send a cookie with a name of PHPSESSID and a value of something that looks like a30f8670baa8e10a44c878df89a2044b – which is the session identifier that contains 32 hexadecimal letters. Because cookies must be sent before any data is sent to the browser, this also means that session_start must be called before any data is sent to the Web browser.
link-1
link-2
link-3
link-4
The server creates the session and sets the cookie, which is stored in the client's browser. The cookie contains a session identifier (a string of characters) that allows the user to access a particular session on the server. This session identifier corresponds to the session on file.
I'm having an issue with a Symfony2 site. I've got the codebase running on a production server, which is absolutely fine but I'm trying to get another developer started on the project and we're running into issues getting the build up and running. The environments are pretty much identical, the developer is using a Vagrant instance, the same provisioning on that instance was used to provision an EC2 instance on AWS.
When a form is submitted the action goes through and stores values to the session using Symfonys session handler before redirecting to another action which makes up step two of the form. I can see in Xdebug that the values are being added to the global $_SESSION variable, however when I reach the next break point in the second action the $_SESSION variable is missing the content that it had on the previous action. I'm not clearing the session anywhere, and as I said it works fine on production.
It's almost as if Symfony isn't storing session data between page loads, does anybody have any ideas?
Things tried
Adding cookie domain to the config
Setting permissions to 777 (just to test)
PHP Versions are one minor iteration apart (5.4.28-1 vs
5.4.27-1)
I had a similar issue after upgrading from PHP 5.4.27 to PHP 5.4.28, and in my case it was related to this bug: https://bugs.php.net/bug.php?id=66171
Quote from the description:
Second problem: When the session.save_path is a directory that
everyone can write into (like on Debian), even if it's not possible to
find the IDs of existing sessions, a local attacker can just create a
new session file with malicious session data, chmod it to 666 and
access any webapp hosted on the system with the session ID he chose.
The webapp then opens the session file and treats it as if it had
created it. My fix: fstat() the session, check the uid that created
the file. If it's neither the result of getuid() nor uid 0, ignore the
existing file.
They now compare the owner of the session files with the user executing the PHP script, and if the uids do not match, the session file will be ignored.
In my case, the apache user had write access to the session files through group rights, but because the uid did not match, PHP would not load the session files.
Have a look at your session files (you can find the save path in your php.ini file), and make sure the owner of the files match the user attempting to access them.
is it possible and how to pass php session variables i have with a php and apache.
I have a main site with log in option for my users that runs from apache server and I want to use nginx as a chat/communication server that automatically gets all session variables i have in apache/php session without to pass php session id (for security reason). Both servers have a same ip and stais on a same domain. Nginx server will be on subdomain. Already have set php session to work on any sub domain but is this is valid also if I use nginx server.
Any example will be helpful.
Thanks in advanced.
Technically, the php sessions are files, which are usually located somewhere in /tmp. So once you've the session cookie, you can just read and unserialize the file's contents — after checking, it goes without saying, that the session is not expired.
If you need a more convenient format, look at php's session options. I'm quite sure you can serialize it as json for more portability, and there are ways to store sessions in SQL or even memcached.
Where will be the session value will be store in PHP.
For example, cookies will be stored in browser as well as where will be the session value will be store.
thanks in advance...
By default the session values are stored on the filesystem under the PHP directory (on windows at least). You can find the default session location by using the session_save_path function.
You can write your own session handlers to persist session data elsewhere, such as to a database. Look at the session_set_save_handler function for more information.
In PHP, the session values are stored in the server. PHP sessions store only an ID cookie on the user's system which is used to reference the session file on the server. As such, the user has no access to the content of the session file, thereby providing a secure alternative to cookies.
PHP sessions also work when the user has disabled the browser's cookie
support. In this situation it includes the session ID information in the web page URLs.
You can also find some more concepts in the PHP Manual Site.
Another very good knowledge about session is given in this PDF file, which tells about the Session Fixation Vulnerability in Web-based Applications.
Hope it helps.
Under /tmp in a plain text file on Unix like environments.
It is set at php.ini as session.save_path
Its default is /tmp but you can change it
You are able to set the save path yourself using session_save_path.