PHP Session Management Digest
- get this page with a new session
- display it's source code at the bottom of this page
- or visit our home page.
Break reliance on cookies and trans_sid whereever possible. Bottom line, use a form if you can, and change the session_name to conform to xhtml strict standards. If you can not use a form, just enable session.use_trans_sid to satisfy browsers refusing cookies, and markup any headers() you use with the php constant SID. Read on for details. -
As of early 2009, using PHP 5 and xhtml 1.0
Session Cookie NOT Received From Your Browser!, yet you have seen this page 2 times.
Current PHP Session name and id
phpsessid = re33r0pv16cqjh6b1cp8godjab
Make a Valid xhtml 1.0 strict Form to Pass the PHP Session ID
Some PHP Runtime Configurations this Page is Currently Using
- display all current session configs
- session.use_cookies = 1
- If enabled, session id is read from cookies, and 'use_only_cookies' can be enabled
- If disabled, cookies are NOT processed, but 'use_only_cookies' can disable 'use_trans_sid'
- session.use_only_cookies = 0
- If enabled, cookies only can pass session id, use_trans_sid disabled, GET/POST vars not used (URLs and/or form inputs)
- If disabled & use_cookies enabled, cookies used before GET/POST vars for session id
- session.use_trans_sid = 1
- if no cookie received, default session module searches html output, according to tags in url_rewriter.tags directive, and rewrites URLs and/or form inputs
- url_rewriter.tags = a=href,area=href,frame=src,input=src,fieldset=
- list of tags rewritten by session module when use_trans_sid is enabled
4 Methods to Pass, Propagate, or Maintain PHP Session IDs
Simple Truths About PHP Sessions
- SID
- the "SID" constant is defined by PHP when a session is started. If a cookie has NOT been received from the browser, SID contains "session_name=session_id." If a session cookie was received it is an empty string. Current SID is "phpsessid=re33r0pv16cqjh6b1cp8godjab"
- session_id()
- session_id() always returns a string: non-empty if a session is started, or empty if a session is NOT started. This is true whether or not a cookie was received. Current session id is "re33r0pv16cqjh6b1cp8godjab"
- Cookies
- When a page is first loaded by a browser, or the cookie has expired, PHP will not have recieved a cookie for that page.
- Meaning: Cookie based logic has no meaning until subsequent visits.
- use_trans_sid (transparent sid)
- Might change output html, but NOT how the session module processes GET/POST vars.
- Rewrites html: URLs including the '?' and/or adds hidden form elements within html tags listed in the url_rewriter.tags directive, IF a session cookie not sent from browser
- Does NOT rewrite URLs in custom headers as in header("Location: http://somewhere.com/somepage.php"). Manually add SID in your markup, ie. header("Location: http://somewhere.com/somepage.php?".SID)
- Enable this, to support browsers that refuse cookies. As always with session security, assume the session id is in malicious hands.
- use_only_cookies
- session.use_only_cookies, overrides use_trans_sid. If NOT disabled, the session module will not look for the session in the $_POST/GET variables.
- Forms
- Maintain php session with hidden inputs written either by use_trans_sid & url_rewriter.tags, or manually added in html markup
- Manual example: <type="hidden" name="<?php echo session_name() ?>" value="<?php echo session_id() ?>" />
- Or use_trans_sid enabled & one of two strings in the url_rewriter.tags directive. Use "fieldset=" for xhtml compliance, OR "form=" for other html
- If the action page of the form has use_only_cookies disabled, the session module will find the session with or without cookies.
How to Determine if the Browser is Accepting Session Cookies or Not
- Enable use_trans_sid
- Reload the page
- Is the php session_id in the $_COOKIE[] or the $_GET[] array?
- when the browser reloads the above page, check for the existence of $_COOKIE['PHPSESSID']
- if (! isset($_COOKIE['PHPSESSID'])) session cookies are disabled and you can: 1) require the user to enable cookies (how rude!), or 2) have session.use_trans_sid or manually add the session_id to URLs (some risk!), or place the session_name and session_id in a hidden form input (if xhtml strict, also within fieldset tages).
Regenerating SID on the Fly (disabled)
Old Session: re33r0pv16cqjh6b1cp8godjab
To revisit, click here.