PHP Session Management Digest

- get this page with a new session
- display it's source code at the bottom of this page
- or visit our home page.

Break reliance on cookies and trans_sid whereever possible. Bottom line, use a form if you can, and change the session_name to conform to xhtml strict standards. If you can not use a form, just enable session.use_trans_sid to satisfy browsers refusing cookies, and markup any headers() you use with the php constant SID. Read on for details. - As of early 2009, using PHP 5 and xhtml 1.0

Session Cookie NOT Received From Your Browser!, yet you have seen this page 1 times.

Current PHP Session name and id

phpsessid = liglh4suh7mhk2f43l4l467p9c

Make a Valid xhtml 1.0 strict Form to Pass the PHP Session ID

Post PHP Session ID from an xhtml 1.0 strict form

  xhtml strict requires - session_name(strtolower(session_name())) (ie. PHPSESSID to phpsessid)

Some PHP Runtime Configurations this Page is Currently Using

- display all current session configs

• session.use_cookies = 1
  • If enabled, session id is read from cookies, and 'use_only_cookies' can be enabled
  • If disabled, cookies are NOT processed, but 'use_only_cookies' can disable 'use_trans_sid'
• session.use_only_cookies = 0
  • If enabled, cookies only can pass session id, use_trans_sid disabled, GET/POST vars not used (URLs and/or form inputs)
  • If disabled & use_cookies enabled, cookies used before GET/POST vars for session id
• session.use_trans_sid = 1
  • if no cookie received, default session module searches html output, according to tags in url_rewriter.tags directive, and rewrites URLs and/or form inputs
• url_rewriter.tags = a=href,area=href,frame=src,input=src,fieldset=
  • list of tags rewritten by session module when use_trans_sid is enabled

4 Methods to Pass, Propagate, or Maintain PHP Session IDs

Session Information

Cookie Have the server remove this cookie

PHP default - No session id above? The server did not receive a cookie from your browser, or the server has been instructed to not use cookies by session.use_cookies disabled. Refresh the page, or look for the $_COOKIE variable at the bottom of the page to see if your browser has disabled session (till browser closes) cookies.

URL with trans_sid - a link rewritten by use_trans_sid, including the "?"

URL rewritten if there is a session and session.use_trans_sid is enabled, but the server will not use it if session.use_only_cookies is also enabled

URL with SID in markup - a link with SID added in markup

This link is appended twice if both, no cookie from the browser and session.use_trans_sid is enabled

Form Inputs -

Preferred over trans_sid for security reasons. If a session is started, session_id() is always available to place in hidden inputs

ASP.NET uses this method by default

Simple Truths About PHP Sessions

SID

the "SID" constant is defined by PHP when a session is started. If a cookie has NOT been received from the browser, SID contains "session_name=session_id." If a session cookie was received it is an empty string. Current SID is "phpsessid=liglh4suh7mhk2f43l4l467p9c"

session_id()

session_id() always returns a string: non-empty if a session is started, or empty if a session is NOT started. This is true whether or not a cookie was received. Current session id is "liglh4suh7mhk2f43l4l467p9c"

Cookies

When a page is first loaded by a browser, or the cookie has expired, PHP will not have recieved a cookie for that page.

Meaning: Cookie based logic has no meaning until subsequent visits.

use_trans_sid (transparent sid)

Might change output html, but NOT how the session module processes GET/POST vars.

Rewrites html: URLs including the '?' and/or adds hidden form elements within html tags listed in the url_rewriter.tags directive, IF a session cookie not sent from browser

Does NOT rewrite URLs in custom headers as in header("Location: http://somewhere.com/somepage.php"). Manually add SID in your markup, ie. header("Location: http://somewhere.com/somepage.php?".SID)

Enable this, to support browsers that refuse cookies. As always with session security, assume the session id is in malicious hands.

use_only_cookies

session.use_only_cookies, overrides use_trans_sid. If NOT disabled, the session module will not look for the session in the $_POST/GET variables.

Forms

Maintain php session with hidden inputs written either by use_trans_sid & url_rewriter.tags, or manually added in html markup

Manual example: <type="hidden" name="<?php echo session_name() ?>" value="<?php echo session_id() ?>" />

Or use_trans_sid enabled & one of two strings in the url_rewriter.tags directive. Use "fieldset=" for xhtml compliance, OR "form=" for other html

If the action page of the form has use_only_cookies disabled, the session module will find the session with or without cookies.

How to Determine if the Browser is Accepting Session Cookies or Not

• Enable use_trans_sid
• Reload the page
• Is the php session_id in the $_COOKIE[] or the $_GET[] array?
• when the browser reloads the above page, check for the existence of $_COOKIE['PHPSESSID']
• if (! isset($_COOKIE['PHPSESSID'])) session cookies are disabled and you can: 1) require the user to enable cookies (how rude!), or 2) have session.use_trans_sid or manually add the session_id to URLs (some risk!), or place the session_name and session_id in a hidden form input (if xhtml strict, also within fieldset tages).

Regenerating SID on the Fly (disabled)

Old Session: liglh4suh7mhk2f43l4l467p9c

To revisit, click here.