PHP Session Management Digest


Break reliance on cookies and trans_sid wherever possible. Bottom line: use a form if you can, and lowercase the session name so it matches the rest of your lowercase XHTML 1.0 Strict markup. If you cannot use a form, enable session.use_trans_sid to satisfy browsers that refuse cookies, and add the PHP constant SID by hand to any header() redirect you send, because trans_sid does not rewrite headers. Read on for details. (Written in early 2009 against PHP 5 and XHTML 1.0.)

Session cookie NOT received from your browser, yet this session has counted 2 visits to this page: the id arrived by URL or form instead.

Current PHP Session name and id

phpsessid = re33r0pv16cqjh6b1cp8godjab

Make a Valid xhtml 1.0 strict Form to Pass the PHP Session ID

The live page offers a button that posts the PHP session id from an XHTML 1.0 Strict form. Before doing so it lowercases the session name, session_name(strtolower(session_name())), so PHPSESSID becomes phpsessid, to keep its markup lowercase throughout. Note that XHTML 1.0 Strict lowercases element and attribute names, not attribute values, so this is a style choice rather than a validator requirement.


4 Methods to Pass, Propagate, or Maintain PHP Session IDs

1. Cookie (PHP default)
   No session id shown above? Then the server did not receive a cookie from your browser, or it was told not to use cookies (session.use_cookies disabled). Refresh the page, or inspect $_COOKIE to see whether your browser is refusing session cookies (those that last until the browser closes).
2. URL with trans_sid: a link rewritten by session.use_trans_sid, "?" included
   The URL is rewritten if a session exists and session.use_trans_sid is enabled, but the server will ignore the id it carries if session.use_only_cookies is also enabled.
3. URL with SID in markup: a link with the SID constant added by hand in the markup
   The id is appended twice if the browser sent no cookie and session.use_trans_sid is also enabled (once by you, once by the rewriter).
4. Form inputs
   Preferred over trans_sid for security reasons: an id in a hidden POST field does not end up in URLs, referer headers or server logs. Once a session is started, session_id() is always available to place in a hidden input. (ASP.NET's ViewState travels the same way, in a hidden form field.)

Simple Truths About PHP Sessions

SID
The SID constant is defined by PHP when a session is started. If no cookie was received from the browser, SID contains "session_name=session_id"; if a session cookie was received, it is an empty string. Current SID is "phpsessid=re33r0pv16cqjh6b1cp8godjab".
session_id()
session_id() always returns a string: non-empty if a session is started, empty if not. This holds whether or not a cookie was received. Current session id is "re33r0pv16cqjh6b1cp8godjab".
Cookies
When a browser loads a page for the first time, or the cookie has expired, PHP will not have received a cookie for that page.
Meaning: cookie-based logic has no meaning until subsequent visits.
use_trans_sid (transparent sid)
Might change the output HTML, but NOT how the session module processes GET/POST variables.
Rewrites the HTML: appends the id to URLs (including the "?") and/or adds hidden form elements inside the tags listed in the url_rewriter.tags directive, IF no session cookie was sent by the browser.
Does NOT rewrite URLs in custom headers such as header("Location: http://somewhere.com/somepage.php"). Add SID in your markup manually, e.g. header("Location: http://somewhere.com/somepage.php?".SID)
Enable this to support browsers that refuse cookies. As always with session security, assume the session id is in malicious hands: an id carried in a URL is written to browser history, referer headers and server logs.
use_only_cookies
session.use_only_cookies overrides use_trans_sid: while it is enabled (the default since PHP 5.3.0), the session module will not look for the session id in $_POST or $_GET, so ids carried by URLs or hidden inputs are ignored.
Forms
Maintain the PHP session with hidden inputs written either by use_trans_sid and url_rewriter.tags, or added manually in the HTML markup.
Manual example: <input type="hidden" name="<?php echo session_name() ?>" value="<?php echo htmlspecialchars(session_id()) ?>" />
Or enable use_trans_sid and put one of two strings in the url_rewriter.tags directive: "fieldset=" for XHTML compliance (XHTML 1.0 Strict does not allow an input directly inside form), or "form=" for other HTML.
If the action page of the form has use_only_cookies disabled, the session module will find the session with or without cookies.
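The four propagation methods and the SID, session_id() and use_only_cookies behaviour described above, put together in one page. This is an added example written for this digest, not the original page's source. It exercises methods 1, 3 and 4 by hand and leaves method 2 (automatic rewriting by use_trans_sid) switched off on purpose. It assumes PHP 5.3 or later, the default file session handler, and that the file is saved as session_demo.php; the $allowCookieless switch is a name chosen here.

```php
<?php
// Added example (not the page's own source): one page exercising the ways a
// PHP session id can travel. Assumes PHP >= 5.3, the default file session
// handler, and that this file is saved as session_demo.php (an assumed name).

// Policy is fixed BEFORE session_start(); the session module reads it then.
// false (recommended): ids arriving in $_GET/$_POST are ignored, so methods 3-4
//        below still appear in the markup but the next request will not honour them.
// true:  accept ids from the URL or a hidden field for browsers that refuse
//        cookies, and treat any id that travelled that way as already leaked.
$allowCookieless = false;                  // assumed switch for this demo

ini_set('session.use_only_cookies', $allowCookieless ? '0' : '1');
ini_set('session.use_trans_sid', '0');     // SID is added by hand; no automatic rewriting
ini_set('session.cookie_httponly', '1');   // keep the cookie out of reach of page scripts
session_name(strtolower(session_name()));  // PHPSESSID -> phpsessid, as the page does
session_start();

$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;

// Method 1, cookie (PHP default). Meaningless on the very first request, when
// PHP has only just asked the browser to store it.
$cookieReceived = isset($_COOKIE[session_name()]);

// Methods 2 and 3 rely on SID: "name=id" when no cookie arrived, "" when one did.
// Use the right separator and leave the URL alone when SID is empty.
function url_with_sid($url)
{
    if (SID === '') {
        return $url;
    }
    return $url . (strpos($url, '?') === false ? '?' : '&') . SID;
}

// header("Location: ...") is never rewritten by trans_sid, so a redirect that
// must keep a cookieless session has to carry SID explicitly.
function redirect_keeping_session($url)
{
    header('Location: ' . url_with_sid($url));
    exit;
}

// Method 4, hidden form input. session_id() is available once the session is
// started, cookie or not. Escape both values: an id accepted from $_GET/$_POST
// is attacker-controlled text.
function session_hidden_input()
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s" />',
        htmlspecialchars(session_name(), ENT_QUOTES, 'UTF-8'),
        htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8')
    );
}

$h = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>PHP session propagation demo</title></head>
<body>
<p>Cookie received: <?php echo $cookieReceived ? 'yes' : 'no'; ?>;
   visits in this session: <?php echo (int) $_SESSION['hits']; ?></p>
<p>SID: "<?php echo $h(SID); ?>"; session_id(): "<?php echo $h(session_id()); ?>"</p>
<!-- Method 3: SID placed in the markup by hand. With use_trans_sid on as well,
     the rewriter would append the id to this same link a second time. -->
<p><a href="<?php echo $h(url_with_sid('session_demo.php?page=2')); ?>">Follow with the id in the URL</a></p>
<!-- Method 4: the hidden input sits inside a fieldset because XHTML 1.0 Strict
     does not allow an input directly inside form (hence "fieldset=" in url_rewriter.tags). -->
<form method="post" action="session_demo.php">
  <fieldset>
    <?php echo session_hidden_input(); ?>
    <input type="submit" value="Post the session id" />
  </fieldset>
</form>
</body>
</html>
```

Load the page twice in a browser with cookies enabled and "Cookie received" flips from no to yes while SID goes empty; with cookies blocked, SID stays populated and only the link and the form keep the hit counter going, and only while $allowCookieless is true.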

How to Determine if the Browser is Accepting Session Cookies or Not

Regenerating SID on the Fly (disabled)

Old Session: re33r0pv16cqjh6b1cp8godjab
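The cookie test the previous heading asks for, and the id regeneration this section shows as disabled, combined in one added example written for this digest (not the original page's source). It assumes PHP 5.3 or later, that the script is saved as cookie_probe.php, and that this one script may read a session id from the URL (session.use_only_cookies off) because the probe needs it; the session keys cookies_ok, old_ids and probe_started, and the probe query parameter, are names chosen here.

```php
<?php
// Added example (not the page's own source): a two-request probe that learns
// whether the browser returns the session cookie, then regenerates the id
// whenever it had to travel in a URL. Assumes PHP >= 5.3 and that this file is
// saved as cookie_probe.php (an assumed name).

// The probe needs to read an id from the URL, so use_only_cookies is off for
// THIS script only. Any id that arrives that way is treated as exposed: it is
// in browser history, referer headers and proxy/server logs.
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '0');     // no automatic rewriting; every URL is built here
session_name(strtolower(session_name()));
session_start();

$name = session_name();
$id   = session_id();
// PHP prefers the cookie over GET/POST when several carry an id, so a cookie
// that matches session_id() proves the browser stored and returned it.
$cookieReceived = isset($_COOKIE[$name]) && $_COOKIE[$name] === $id;
$idFromUrl      = isset($_GET[$name])    && $_GET[$name]    === $id;
$idFromPost     = isset($_POST[$name])   && $_POST[$name]   === $id;

if (!$cookieReceived && !$idFromUrl && !$idFromPost) {
    if (isset($_GET['probe'])) {
        // Already redirected once and the id came back on neither channel:
        // stop instead of looping.
        exit('Neither cookie nor URL returned the session id; no session possible.');
    }
    // Request 1: PHP minted a fresh id and sent Set-Cookie, but nothing says yet
    // whether the browser will honour it. Redirect to ourselves with the id in
    // the URL as the fallback channel; request 2 compares the two channels.
    // header() is not rewritten by trans_sid, so SID ("name=id" here, since no
    // cookie arrived) is added by hand. SCRIPT_NAME, not REQUEST_URI, keeps
    // caller-controlled path text out of the header.
    $_SESSION['probe_started'] = time();
    header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?probe=1&' . SID);
    exit;
}

// Request 2 onwards: cookie came back -> cookies work, stop putting the id in
// URLs. Only the URL/form carried it -> this browser refuses cookies; continue
// with hidden POST fields, never links.
$_SESSION['cookies_ok'] = $cookieReceived;

// Whether or not cookies work, an id that was in a URL is now public. Swap it:
// the old id stops resolving (true deletes its data file), $_SESSION carries over.
if ($idFromUrl) {
    $old = $id;
    session_regenerate_id(true);
    $id = session_id();
    if (!isset($_SESSION['old_ids'])) {
        $_SESSION['old_ids'] = array();
    }
    $_SESSION['old_ids'][] = $old;
}

$h = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Session cookie probe</title></head>
<body>
<p>Browser accepts session cookies: <?php echo $_SESSION['cookies_ok'] ? 'yes' : 'no'; ?></p>
<p>Current session: <?php echo $h($id); ?></p>
<?php if (!empty($_SESSION['old_ids'])): ?>
<p>Old session(s), now invalid: <?php echo $h(implode(', ', $_SESSION['old_ids'])); ?></p>
<?php endif; ?>
<?php if (!$_SESSION['cookies_ok']): ?>
<!-- Cookieless browser: continue via POST. A link would put the fresh id straight
     back into a URL, which is exactly what the regeneration above undid. -->
<form method="post" action="cookie_probe.php">
  <fieldset>
    <input type="hidden" name="<?php echo $h($name); ?>" value="<?php echo $h($id); ?>" />
    <input type="submit" value="Continue without cookies" />
  </fieldset>
</form>
<?php endif; ?>
</body>
</html>
```

The decision is only possible on the second request, which is the "no meaning until subsequent visits" point from the Cookies entry above: on request 1 the script has nothing to compare, so it redirects with SID in the URL; on request 2 a cookie matching session_id() means cookies work, otherwise the browser refuses them. Either way the id that was exposed in the URL is retired with session_regenerate_id(true), and a cookieless visitor is carried forward by a hidden POST field rather than a link.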
