PHP Session Management Digest



Some important session directives as configured on this server (PHP 8.0.30), in php.ini or at runtime


Session name would be: phpsessid
session_name() lower-cased to phpsessid, the convention this page uses for its XHTML 1.0 Strict markup
ini_get('session.use_cookies') = 1, default 1 (enabled) since PHP 5
ini_get('session.use_only_cookies') = 1, default 1 (enabled) since PHP 5.3.0
ini_get('session.use_trans_sid') = 0, default 0 (disabled) since PHP 5

session.use_trans_sid now = 1 (switched on at runtime for this demo; leave it at its default of 0 in production unless you accept session ids travelling in URLs)

Notice: You are reading this because NO inbound $_REQUEST["phpsessid"] value was found before the session was started. When session_start() is called, PHP therefore creates a new session with a randomly generated id, and the constant SID expands from the empty string to "session_name=session_id".

Re SID: once a session has started, SID is always defined. It is either the empty string or "session_name=session_id". SID is empty if both of the following hold: 1) your PHP is processing cookies, and 2) the browser sent your PHP a cookie carrying your session name, i.e. $_COOKIE[session_name()] is set.

How your PHP handles cookies is controlled by the core data-handling directives "variables_order" (e.g. "EGPCS") and "request_order", and by the session directives "session.use_cookies" and "session.use_only_cookies".

Calling session_id() without an argument before session_start() returns the empty string (unless you have already set an id yourself with session_id('...')).

Starting the Session with session_start()

- Session started id: df64odjknsfse3k0c3e1rn1d43

If your browser SENT a cookie with the session_name() your app uses, SID will be the empty string.
At this point in the page's source (line 55) SID is empty.

Maintaining PHP Sessions

There are three ways to carry session state from one request to the next, if you count forms ($_POST). All of them expose the session id to the network, so the first protection is TLS (HTTPS) on every request that carries it. Cookies are somewhat safer than ids in URLs ($_GET), not because they are stronger but because a URL ends up in browser history, bookmarks, proxy and server logs and the Referer header of every outbound link, and is trivially easy for a user to paste to someone else. Session variables added to $_SESSION are stored server-side under session.save_path (see phpinfo()), in plain text with the default files handler, so anyone who can read that directory can read them. If PHP sessions are enabled, use one of:
- Cookies: created by PHP and stored in the browser, passed back and forth between browser and server on every request; enabled in php.ini or with ini_set('session.use_only_cookies', '1'); medium lifetime; without TLS the id crosses the wire in plain text; the session variables themselves stay on the server; enabled by default since PHP 5.
- URL rewriting (session.use_trans_sid): used when the browser, or the server, has cookies disabled.
- POST (hidden form fields): removes the reliance on cookies and on (transparent) trans_sid. Bottom line: use a form if you can, and change the session_name to suit your XHTML Strict markup. If you cannot use a form, enable session.use_trans_sid for browsers that refuse cookies, and add the PHP constant SID by hand to any header() redirect you emit. Details follow. (Written in early 2009 against PHP 5 and XHTML 1.0.)

Session cookie NOT received from your browser, yet you have seen this page 1 time(s).

Make a Valid xhtml 1.0 strict Form to Pass the PHP Session ID

Note: if you opt for session.use_trans_sid and still want your XHTML form to validate, you also have to adjust "url_rewriter.tags" (on PHP 7.1 and later the session module reads "session.trans_sid_tags" instead, and url_rewriter.tags only governs output_add_rewrite_var()). By default it is a string of options such as "a=href,area=href,frame=src,input=src,form=fakeentry,fieldset=" that tells trans_sid where to insert the id. An <input /> directly inside <form> is not valid Strict markup, so remove the "form=fakeentry" entry and keep "fieldset=" (do not worry that nothing follows the "="); PHP will then insert the hidden input inside the fieldset and the page validates. Right now ini_get('session.use_trans_sid') returns 1. With that at 1 and cookies disabled in your browser, you can see the trans_sid entry in the source of this form.

Post the PHP session id from an XHTML 1.0 Strict form. This page lower-cases the session name first, session_name(strtolower(session_name())) (PHPSESSID becomes phpsessid), its convention for Strict markup.
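The form the page describes, written out as an added example (this is not the page's own source, which is not shown here). It lower-cases the session name, puts the id in a hidden input inside the fieldset so the document stays XHTML 1.0 Strict, and on the receiving side lets the session module read the posted id. The file name form.php and the files save handler are assumed; session.use_strict_mode needs PHP 5.5.2 or later.

```php
<?php
declare(strict_types=1);

// Everything that influences how the id is looked up must come before session_start().
session_name(strtolower(session_name()));   // PHPSESSID -> phpsessid (this page's convention)
ini_set('session.use_only_cookies', '0');    // let the session module read the id from $_POST ...
ini_set('session.use_trans_sid', '0');       // ... but do not rewrite every URL on the page
ini_set('session.use_strict_mode', '1');     // an id this server never issued is replaced, not adopted
ini_set('session.cookie_httponly', '1');     // the cookie copy of the id stays out of reach of script
// If you keep trans_sid on instead, drop "form=fakeentry" so the hidden input lands in the fieldset:
// ini_set('url_rewriter.tags', 'a=href,area=href,frame=src,input=src,fieldset=');
session_start();

$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

/** The hidden input that stands in for the cookie; both values are attribute-escaped. */
function session_hidden_input(): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s" />',
        htmlspecialchars(session_name(), ENT_QUOTES, 'UTF-8'),
        htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8')
    );
}

/** How the id reached this request: 'cookie', 'post', or 'none' (a new session was created). */
function session_id_source(): string
{
    if (isset($_COOKIE[session_name()])) {
        return 'cookie';   // the module checks the cookie before the body
    }
    return isset($_POST[session_name()]) ? 'post' : 'none';
}

echo '<?xml version="1.0" encoding="UTF-8"?>', "\n";   // echoed so short_open_tag cannot swallow it
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Session id carried by POST</title></head>
<body>
<form method="post" action="form.php">
  <fieldset>
    <legend>Hits: <?php echo (int) $_SESSION['hits']; ?>, id arrived by: <?php echo session_id_source(); ?></legend>
    <?php echo session_hidden_input(); ?>
    <input type="submit" value="Next request" />
  </fieldset>
</form>
</body>
</html>
```

Turning session.use_only_cookies off is what makes the posted id visible to the session module, but it reopens the $_GET channel as well, so ?phpsessid=... in the address bar is honoured again. That is why use_strict_mode sits next to it: an id that does not already exist on the server, whether it came by cookie, URL or form, is discarded and a fresh one issued.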

Some PHP Runtime Configurations this Page is Currently Using


ini_get('session.use_cookies') = 1 - if use_cookies is disabled, use_only_cookies is effectively disabled with it
ini_get('session.use_only_cookies') = 1 - if use_only_cookies and use_trans_sid are both enabled, trans_sid keeps rewriting URLs, but a session id arriving in $_GET is not read by the session module
ini_get('session.use_trans_sid') = 1

This Fieldset Displays the 4 Methods of Maintaining PHP Session IDs

Session Information
Cookie - the PHP default. No session id shown above? Then the server did not receive a cookie from your browser, or it has been told not to use cookies (session.use_cookies disabled). Refresh the page, or look at the $_COOKIE dump at the bottom of the page to check whether your browser is refusing session cookies (the kind that last until the browser closes).
URL with trans_sid - a link rewritten by session.use_trans_sid, "?" included. The URL is rewritten whenever a session exists and session.use_trans_sid is enabled, but the server ignores the id it carries if session.use_only_cookies is also enabled.
URL with SID added by hand in the markup - e.g. <a href="link.php<?php if (SID != '') echo '?' . SID; ?>">link.php</a>. The "?" sits inside the PHP block so it is only emitted for visitors without cookies.
NOTE: the id gets appended twice when the browser sent no cookie AND session.use_trans_sid is enabled, so why not let use_trans_sid do it alone? One case: carrying the session through a header() redirect. PHP's URL rewriter (trans_sid) does not touch header() output, so the redirect has to be marked up by hand as in the example above.
Form inputs - preferred over trans_sid for security reasons: the id is not in a URL, so it does not reach history, logs or Referer headers. Once a session is started, session_id() is always available to put in a hidden input. (ASP.NET carries its ViewState in a hidden field this way; its session id itself travels in a cookie by default.)

Simple Truths About PHP Sessions

SID - the "disappearing" constant. SID is defined once a session has started, but if a session cookie was received it is the empty string. If no cookie came from the browser, SID holds "session_name=session_id".
session_id() - if a session is started, session_id() returns whatever id the client presented (try adding ?phpsessid=1234 to this URL in your address bar). With the default session.use_strict_mode=0, PHP adopts any id it is handed, which is exactly what session fixation relies on; on PHP 5.5.2 and later set session.use_strict_mode=1 so that an id the server never issued is replaced. If the user agent presented no id, a random 128-bit id is generated (32 hexadecimal characters, i.e. 16 bytes). The current session id can be seen in the form above, whether or not a cookie was received.
Cookies - a cookie set by this request will not show up in $_COOKIE until the next time this or another page is loaded.
use_trans_sid - does NOT rewrite URLs in header("Location: http://somewhere.com/somepage.php"); add SID in the markup instead, e.g. header("Location: http://somewhere.com/somepage.php?" . SID). Enable it to support browsers that refuse cookies, but be aware of the risk: an id in the URL leaks through browser history, bookmarks, server logs and the Referer header of every outbound link.
Forms - if you can submit a form, forget about use_trans_sid and cookies. Maintain the session with <input type="hidden" name="<?php echo session_name(); ?>" value="<?php echo session_id(); ?>" />. Warning: since PHP 5.3.0 session.use_only_cookies defaults to 1, and while it is on the session module does not look for the id in $_POST (or $_GET). Disable it with ini_set('session.use_only_cookies', '0') before session_start(), or the posted id is ignored.
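The manual SID-in-redirect technique from the fieldset above and from the use_trans_sid note, as an added example (not the page's code): a helper that appends "session_name=session_id" to a Location URL only when the browser sent no cookie, never twice, and keeps any fragment in place. The path restriction in redirect_with_session() is an assumption of this example, not something the page requires.

```php
<?php
declare(strict_types=1);

/**
 * Append $sid ("phpsessid=abc...", or '' when the browser sent the cookie)
 * to $url only when needed and not already present.
 */
function url_with_sid(string $url, string $sid): string
{
    if ($sid === '') {
        return $url;   // cookie in play: never put the id in a URL
    }
    [$name] = explode('=', $sid, 2);

    // Already rewritten, by trans_sid or an earlier call? Do not append twice.
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    if (isset($params[$name])) {
        return $url;
    }

    // A fragment must stay after the query string.
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    $glue = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $glue . $sid . $fragment;
}

/** Redirect within this site, carrying the session when, and only when, there is no cookie. */
function redirect_with_session(string $path): void
{
    // Same-origin relative paths only: an absolute or protocol-relative URL from
    // user input here would hand the session id to another host.
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        $path = '/';
    }
    header('Location: ' . url_with_sid($path, SID), true, 303);   // SID exists after session_start()
    exit;
}

// Constructed checks; runnable from the command line without a web server.
$expected = [
    ['/next.php',                 '',              '/next.php'],
    ['/next.php',                 'phpsessid=abc', '/next.php?phpsessid=abc'],
    ['/next.php?x=1#top',         'phpsessid=abc', '/next.php?x=1&phpsessid=abc#top'],
    ['/next.php?phpsessid=abc',   'phpsessid=abc', '/next.php?phpsessid=abc'],   // no double append
    ['/next.php#top',             'phpsessid=abc', '/next.php?phpsessid=abc#top'],
];
foreach ($expected as [$url, $sid, $want]) {
    $got = url_with_sid($url, $sid);
    if ($got !== $want) {
        throw new RuntimeException("url_with_sid($url): expected $want, got $got");
    }
}
```

Because SID is empty whenever the cookie arrived, callers do not need their own "did the browser send a cookie" test; the helper's first line is that test.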

How to Determine if the Browser is Sending Session Cookies or Not
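An added example for this heading and for the SID discussion earlier on the page (not the page's own code): a function that names the channel the session id arrived on, in the order the session module checks them, run against constructed requests and then, in a web request, compared with the SID constant. The session name "phpsessid" and the sample id are taken from this page; the check against PHP's own id alphabet is this example's addition.

```php
<?php
declare(strict_types=1);

/**
 * Which channel carried the session id: cookie first, then (only when
 * session.use_only_cookies is off) the URL query string, then the POST body.
 * Returns 'cookie', 'get', 'post' or 'none'. The superglobals are parameters
 * so the function can be exercised with constructed requests.
 */
function session_id_transport(array $cookie, array $get, array $post, string $name, bool $useOnlyCookies): string
{
    if (isset($cookie[$name])) {
        return 'cookie';
    }
    if ($useOnlyCookies) {
        return 'none';   // an id in the URL or body is ignored by the session module
    }
    if (isset($get[$name])) {
        return 'get';
    }
    if (isset($post[$name])) {
        return 'post';
    }
    return 'none';
}

/** Could PHP's own generator have produced this id? 22..256 characters of [0-9A-Za-z,-]. */
function looks_like_php_session_id($id): bool
{
    return is_string($id) && preg_match('/^[0-9A-Za-z,-]{22,256}$/', $id) === 1;
}

// Constructed requests against a server whose session name is "phpsessid".
$id = 'df64odjknsfse3k0c3e1rn1d43';
$cases = [
    // cookie               get                   post                  use_only_cookies  expected
    [['phpsessid' => $id],  [],                   [],                   true,             'cookie'],
    [[],                    ['phpsessid' => $id], [],                   true,             'none'],   // URL id ignored
    [[],                    ['phpsessid' => $id], [],                   false,            'get'],
    [[],                    [],                   ['phpsessid' => $id], false,            'post'],
    [['phpsessid' => $id],  ['phpsessid' => 'x'], [],                   false,            'cookie'], // cookie wins
];
foreach ($cases as [$c, $g, $p, $only, $want]) {
    $got = session_id_transport($c, $g, $p, 'phpsessid', $only);
    if ($got !== $want) {
        throw new RuntimeException("expected $want, got $got");
    }
}
if (!looks_like_php_session_id($id) || looks_like_php_session_id('1234')) {
    throw new RuntimeException('id format check failed');
}

// Live use in a web request, before any output is sent.
if (PHP_SAPI !== 'cli') {
    $how = session_id_transport($_COOKIE, $_GET, $_POST, session_name(), (bool) ini_get('session.use_only_cookies'));
    session_start();
    header('Content-Type: text/plain; charset=UTF-8');
    // SID is '' exactly when the id arrived in a cookie, otherwise "name=id".
    printf("id came by: %s; SID is %s; session_id(): %s\n", $how, SID === '' ? 'empty' : SID, session_id());
}
```

Note what the second constructed case shows: with use_only_cookies on, a visitor without cookies who follows a trans_sid-rewritten link still gets a brand-new session on every request, which is the situation the page's runtime settings produce.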

Regenerating the session id on the fly with session_regenerate_id() (the live demo is disabled on this page)

Old Session: df64odjknsfse3k0c3e1rn1d43
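An added example of the regeneration this section demonstrates (not the page's disabled demo code): the id is replaced at the moment privilege changes, so an id the client chose or was planted with, the fixation case the session_id() note above describes, never becomes an authenticated session. The credential store is constructed for the example, and session.use_strict_mode needs PHP 5.5.2 or later.

```php
<?php
declare(strict_types=1);

// Hardening that must be in place before the session starts.
ini_set('session.use_strict_mode', '1');   // an id this server never issued is replaced, not adopted
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();
$old = session_id();

/** Call right after a successful credential check. Returns the fresh id. */
function promote_session(string $user): string
{
    // true: the old session data is deleted, so the id the client arrived with
    // (typed, bookmarked, or planted by an attacker) now opens nothing.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_at'] = time();
    return session_id();
}

/** Call on logout: clear the server-side data and expire the cookie copy of the id. */
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed credential store (not real accounts). The hash is computed at
// startup so the snippet runs anywhere; a real application stores it.
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

if (isset($_POST['user'], $_POST['password'])
    && is_string($_POST['user']) && is_string($_POST['password'])
    && isset($users[$_POST['user']])
    && password_verify($_POST['password'], $users[$_POST['user']])) {
    $new = promote_session($_POST['user']);
    header('Content-Type: text/plain; charset=UTF-8');
    echo "Old Session: $old\nNew Session: $new\n";   // the old id, if presented again, starts an empty session
} elseif (isset($_GET['logout'])) {
    destroy_session();
    header('Location: /', true, 303);
    exit;
}
```

Regenerating on every request, as the page's demo did for illustration, is not needed and breaks concurrent requests from the same browser; regenerate on login, on logout, and whenever the level of access changes.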
