How to delete a PHP session? - php

It's possible I'm not properly deleting PHP sessions when the user signs out. I've noticed that if I sign out and sign back in without closing the browser, the session ID doesn't change but if I sign out, close the browser window, open a new one and sign in, the session ID will be different. Do I need to be doing something different or is this normal behavior? I've been using the same process for three years but something happened recently that made me think that maybe I need to do something different.
Here's what I basically do when someone clicks Sign Out.
<?php
session_start();
if( isSet($_SESSION['FacID']) )
    $facID = $_SESSION['FacID']; //Want to re-instate this after we destroy the session.
unset($_SESSION);
session_destroy();
if( isSet($_SESSION['FacID']) )
    $_SESSION['FacID'] = $facID;
?>

If you feel the need to force a new id:
http://pl.php.net/manual/en/function.session-regenerate-id.php
And to your question, from the manual:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
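
The sign-out sequence the manual passage describes, written out as an added example (not code from the question or the answers). It assumes cookie-based sessions and PHP 7.3 or later, and carries the question's FacID value into a fresh session under a new ID.

```php
<?php
// Added example: complete sign-out, following the manual's steps quoted above.
// 'FacID' is the session key from the question.
function sign_out(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Keep the one value that should survive the sign-out.
    $facId = $_SESSION['FacID'] ?? null;

    // 1. Empty the session data. Assign an empty array rather than calling
    //    unset($_SESSION), which stops $_SESSION from being registered as
    //    session data for the rest of the request.
    $_SESSION = [];

    // 2. Expire the session cookie, reusing the parameters it was set with
    //    so the browser matches and removes it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }

    // 3. Remove the server-side session data.
    session_destroy();

    // 4. Only if a value must be carried over: open a new session, force a
    //    new ID (deleting the old session file), and put the value back.
    if ($facId !== null) {
        session_start();
        session_regenerate_id(true);
        $_SESSION['FacID'] = $facId;
    }
}
```

Call sign_out() before any output is sent, since both setcookie() and session_start() need to write response headers.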

Your session is getting destroyed.
PHP will only generate a session id if the browser isn't specifying one. As long as the session has been destroyed, there are no problems with this.

What's with the massive save-and-destroy? Just session_start and set your variables. No need to destroy, then reset them!
Your "problem" with the browser is that when you close your browser window, your browser is deleting the cookie which PHP sends it so it knows the session ID. This is a browser option and cannot be changed on the server side (unless you exploit). It can be circumvented using some methods, but that's probably not your best option.

Related

Destroying specific session variables

Hey guys, got into a small problem... I am developing a quiz application, and I need to have a different session for every quiz that is being played...
session_name("random name");
session_start();
This helps me to do the work, but I have got another session being started at the login page.
I need to destroy the random name session once the quiz is complete.
P.S.: both are two different sessions.
Check the manual on that one: http://php.net/manual/en/function.session-destroy.php
Session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
I believe, that you cannot have two sessions active at the same time. If you need to store your quiz values in the session, then you'll need to prefix their indexes so they are handy and easily destroyed. You could have something like:
$_SESSION['Quiz']['Question1'] = "Yes";
$_SESSION['Quiz']['Question2'] = "No";
then, when you're finished with the Quiz:
unset($_SESSION['Quiz']);

Use of session_id() and session_name

I am new to PHP. What I do for managing sessions in my code is simply start a session using session_start(). Reading around on the web, I came across session_id and session_name.
What is the use of session_id and session_name? Application based, where can we use session_name and session_id in PHP?
How I write my code is:
<?php
session_start();
if(isset($_SESSION['name']))
{
    //Render the page.
}
else
{
    session_destroy();
    //redirect to some simple page.
}
?>
As per my code, where can I use session_id or session_name. Is this a good style to write the code, or should I choose to use session_id and session_name?
Thank you.
The session name is the name of the cookie/URL param that stores the session_id. By default, when you create a session, a special cookie will be created, normally with the name PHPSESSID; the session_id is the value of that cookie that later identifies you. You can change the default session name by using session_name, but you must call session_name before session_start. Hope that helps.
EDITED.
The session will send a cookie to your browser; remember, PHP is configured to use COOKIES for session management.
Once the cookie has been created and sent to the browser, you can access it like any other cookie; if you print_r($_COOKIE), you will see the PHP session cookie and its value.
At the very minimum, all you need is a call to session_start(); this will start a session for you. It must be called before any output data is sent to the browser.
For example, this will cause an error.
echo "Hello";
session_start();
This is because session_start() must be called before any output is sent to the browser.
So, why do you need session_name()? Simply because it allows you to rename the cookie; as mentioned, by default the session name is PHPSESSID. Renaming the session lessens the chances of a hacker trying to find a cookie with the name PHPSESSID. Every PHP developer knows what the default session cookie name is; if I was a hacker, what cookie do you think I will look for first? But this is not a prevention mechanism.
The session_id() is just to get the id of the session. It is not always used; it is there for convenience, but it is also used if you are trying to implement your own session management, as PHP does allow you to do this.
In a nutshell, session_name or session_id, is not necessary to start a session. If you have further questions, you can follow me on my google page,
https://plus.google.com/113820735365251703271
and I will be happy to explain further.

PHP - Session is set after browser restart, but PHP acts as isn't

I've seen various questions like mine, though none provide the correct answer.
I've a PHP script:
session_start();
setcookie(session_name('DSWLogin'),session_id(),time()+2*7*24*60*60, '/');
//This will only be set once (when the user logs in)
$_SESSION['test'] = 'Yup, I am working';
if (isset($_SESSION['test'])){
echo 'Session is set and ready!';
} else {
echo 'No session was set...';
}
and that all works fine except after a browser restart, my PHP script ignores the session.
When my browser hasn't restarted yet, it'll echo 'Session is set and ready!'; just fine.
And when I look into my cookie tab, it indeed says a cookie, named DSWLogin has been set with a certain value.
When I restart my browser, my cookie tab still says that a cookie, named DSWLogin has been set with the same value it had before the restart, so it is still there!
But my PHP script apparently ignores it, and outputs 'No session was set...'...
Thanks in advance,
Isaiah v. Hunen
What you are trying to do is not really the correct way to achieve this. Sessions have two parts, a cookie with a session id set by default to expire at the end of the session (usually browser close) and a server side storage mechanism that is cleaned up automatically after a certain period of time after the last request was received.
What you are trying to do is extend the session to two weeks. While you could change the cookie settings and increase the session garbage collection timeout, doing this is not very reliable.
Instead you want to look at using a one time key stored in a cookie which acts as an alternate login path. This cookie can recreate the session just like a normal login would. There are some details that need to be considered for this to remain secure, but it will do what you are attempting to achieve.
Just because you are setting your session_id in some cookie doesn't mean it is THE session cookie. Most browsers will purge session cookies on browser close. This is what you are seeing. Look at the cookies in your browser that are set when your session is valid and compare this to the cookies that are still remaining after browser restart. You will notice your true session cookie has gone missing.
Quoting the manual:
The session name is reset to the default value stored in session.name at request startup time. Thus, you need to call session_name() for every request (and before session_start() or session_register() are called).
Also if you want to change lifetime of session cookie, use session_set_cookie_params instead of forcing your own cookie.
Also read about session garbage collection and configuration, changing cookie lifetime might not be enough.
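
One way to implement the one-time key cookie suggested in the first answer above, as an added example that is not code from this thread. The selector:validator token format, the cookie name, and the in-memory $store array (a stand-in for a database table) are assumptions made for illustration.

```php
<?php
// Added example. $store is a constructed in-memory stand-in for a table:
// selector => ['hash' => ..., 'user' => ..., 'expires' => ...]
const REMEMBER_COOKIE = 'remember';          // hypothetical cookie name
const REMEMBER_TTL    = 14 * 24 * 60 * 60;   // two weeks, as in the question

// Called at login: returns the value to send with setcookie(REMEMBER_COOKIE, ...).
function issue_token(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, never stored as-is
    $store[$selector] = [
        'hash'    => hash('sha256', $validator),
        'user'    => $userId,
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// Called when a request arrives with the cookie but without a live session.
// Returns [userId, replacement cookie value], or null if the token is unusable.
function redeem_token(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // one-time: consumed on every attempt
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;
    }
    // On success the caller starts a normal session (session_start(),
    // session_regenerate_id(true)) and sends the replacement token.
    return [$row['user'], issue_token($store, $row['user'])];
}

// Constructed walk-through: log in as user 42, return after a browser restart,
// then replay the old cookie value.
$store  = [];
$cookie = issue_token($store, 42);
var_dump(redeem_token($store, $cookie)[0]);  // user id recovered from the token
var_dump(redeem_token($store, $cookie));     // the spent token is rejected
```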

Is starting session_start this way more secure?

A friend of mine starts his Session this way.
<?php
session_start();
session_regenerate_id();
session_destroy();
unset($_SESSION);
session_start();
?>
Are there any security advantages, against Session hijacking etc.
Just wondering why as against the usual session_start();
All you'd need is
session_start();
session_regenerate_id();
That'll start the session and change its ID on each request. However, this will not prevent session hijacking. If the attacker can get the user's session cookie and send a request back to the server BEFORE the user can, then the attacker gets a brand new session ID, and the user is left with an invalid session token and is effectively logged out.
If this code is found at the top of every page on a given site, there will be no session that is maintained between post backs and different pages. If you want to use SESSION as server-side storage for data that you're not going to use across post backs or multiple pages then I suppose it may be viable, but that would make for a very odd and most likely poorly developed application.
What it looks like your friend may have been trying to do is wipe out any previous SESSION information and then start a new one. Perhaps he is checking against some quantifier and if it evaluates properly then including this in a PHP page? In any case, calling Rocket's functions works better.
This code deletes the session then makes a new empty one each time it's run.
session_destroy();
unset($_SESSION);
This will remove all data in your session, then session_start will make you a brand new one.
You can run this the 1st time to make a new session, but if you want to have the data in the session on other page loads, you just need session_start.

session destroy help in php

How can we destroy the session when we click on the close button in my browser?
You can't destroy the session directly. The session garbage collection doesn't work like that. However if your session is using cookies you could set the cookie lifetime to 0 which translates to "destroy cookie when the browser closes". You can do this with
session_set_cookie_params(0);
The session is still there, but the client can no longer access it effectively destroying the session.
On a side note this will only work if all instances of the browser close.
You can't in any meaningful, reliable way; that is why we invented session.gc_maxlifetime and garbage collection.
unset($_SESSION)
- destroys all session variables.
If they have javascript enabled, you can watch for the onUnload event and make an ajax call to a php file that unsets the session variable.
Typically the browser will delete session cookies on exit, and there is no need to do it on the server side.
