- get this page with a new session, read the php manual, or visit our home page.
- show the source code at the bottom of this page
Session name would be: phpsessid
session_name strtolower'd: phpsessid, is good for strict xhtml 1
ini_get('session.use_cookies') = 1, default 1 (enabled) PHP >= 5
ini_get('session.use_only_cookies') = 1, default enabled PHP >= 6.0
ini_get('session.use_trans_sid') = 0, default 0 (disabled) PHP >= 5
Notice You are reading this because NO inbound $_REQUEST["phpsessid"] variable was found before starting session. Therefore, if session_start()
is called, PHP will create a new session with a "random" id, and the constant "SID" will be expanded from the empty string to "session_name=session_id."
Re SID: After a session is started, SID is always defined. SID is either the empty string or is seesion_name=session_id. SID is empty if the follwing 2 conditions are satisfied. 1) your php is processing cookies, and 2) the browser sent your php a cookie and with your session name, ie. $_Cookie[session_name()].
How your php deals with cookies is controlled by data handling core directives "variables_order" like "EGPCS" and "request_order," and session directives "session.use_cookies" and "session.use_only_cookies."
Calling session_id()
without an arg, before session_start()
always returns the empty string
session_start()
There are 3 ways to maintain session state from one request to the next, if you include forms($_POST). All session state is vulnerable, so the best communication protection is SSL. Cookies are a little more secure than URLs ($_GET), but only because they are more difficult for a user to share with friends. Session variables when added to the session are stored server side at session.save_path (use phpinfo), but are also vulnerable and in plain text. If php sessions are enabled, then use either:
- Cookies, php created & stored on user computer, passed back and forth between browser & server, enabled in php.ini or ini_set('session.use_only_cookies', 1);, lifetime medium, without SSL the SID is passed in plain text, session vars stay on the server, default since v5 enabled
- or URL requests, used when either the php server and user computer has disabled cookies,
- Post (form fields), break reliance on cookies and (transparent) trans_sid. Bottom line, use a form if you can, and change the session_name to conform to xhtml strict standards. If you can not use a form, just enable session.use_trans_sid to satisfy browsers refusing cookies, and markup any headers() you use with the php constant SID. Read on for details. -
As of early 2009, using PHP 5 and xhml 1.0
Session Cookie NOT Received From Your Browser!, yet you have seen this page 1 times.
Note: If you opt to use session_trans_sid, and you want your xhtml form to validate, you also have to adjust the setting of "url_rewrite.tags." By default this is a string of options that might look like "a=href,area=href,frame=src,input=src,form=fakeentry,fieldset=" and is where trans_sid will look to insert code for you. To maintain strict xhtml validity remove "form=fakeentry" and/or "fieldset=" without worring that nothing follows the "=". Now PHP will obligingly insert the hidden input inside the fieldset and your code will validate. Right here and now ini_get('session.use_trans_sid')
returns 1. If that says 1, and you have cookies disabled in your browser you can see the trans_sid entry in the source of this form.
- show the source code at the bottom of this page.
ini_get('session.use_cookies') = 1 - If 'use_cookies' is disabled, it also disables 'use_only_cookies'
ini_get('session.use_only_cookies') = 1 - if 'use_only_cookies' is enabled and 'use_trans_sid' is enabled, trans_sid continues to rewrite URLs, but $_GET variables arriving in the URL are not processed by session module
ini_get('session.use_trans_sid') = 1
Old Session: e2r0in5pb6gr2mlc7ge0ekitkc
To revisit, click here.