Page 1 of 1

Session Handling in PHP: How to use sessions

#1 joeyadms

Posted 09 May 2008 - 10:57 AM

As we know, HTTP is a stateless protocol. It is made up of requests and responses, and there are no persistent connections. The problem with this, is there is no way to have consistency or personalization on the web, because there is no way to know who is sending the requests.

One solution is cookies. Cookies are files residing on the CLIENT'S computer that store variables set by a particular website. This file can only be accessed by the website, or domain, that issued the cookie. The problem with cookies is that they are an untrusted medium. Users can modify cookie data, and cause unwanted problems with your app.

A better solution is sessions. Sessions are a lot like cookies, however they reside on the SERVER machine, and cannot be edited directly by the client. When you use sessions, a session ID is stored either in a cookie on the client side, or in form data that is sent with each request. This ID links the client to a particular file or record, depending how the session is stored.

Here is a quick primer to get you using sessions!

First! You must initialize the session at the start of your application. This makes sure that the session is started before any output is made. You must start the session before headers are sent to the client, so the best approach is on your main page at the very top, start the session this way;

Once you start the session, you can start using session variables. Setting a session variable is much like setting an entry in an associative array, and you can read the variable the same way. For example, say we want to store a variable of 'username' and give it the value of 'joeyadms'; we would do the following:

// Always start our session
session_start();

// Store a value in the session
$_SESSION['username'] = 'joeyadms';

// Read it back the same way
$username = $_SESSION['username'];

echo $username;

This would output joeyadms.

Remember, when you set a session variable, it is persistent as long as the session is maintained (determined by logout, exiting the browser, and php.ini options). So you can set a session variable on one page, and call it the same way on an entirely different page!

By default, PHP stores the session ID in the client's cookie. In my opinion, the cookie is the best place; storing it in form values can be unreliable, and has more potential to be unsafe. You can change your 'php.ini' settings to change the cookie variable name used if you like:

; Name of the session (used as cookie name).
session.name = PHPSESSID

There is a big problem with sessions, the same as with cookies: session hijacking and session fixation are attacks directed straight at them.

Session hijacking happens when an attacker gets the session ID of a user who has logged in; he then spoofs his ID to be that of the victim. The attacker has now successfully assumed the identity of the victim.

Session fixation works almost the same way. However, this time the attacker sends a specially crafted URL, or uses a forwarder, to set the session ID of a victim; the victim then logs in, and the attacker uses the ID he already has to hijack the session.

To protect against these attacks, make sure you call session_regenerate_id() whenever a user logs in. Also adding some fingerprint check protection is best.

For a great Session Security Class, check the snippets here for my SessionSecurity addition.
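One way to put the advice above into a single session bootstrap (cookie-only IDs, a fresh ID on login, and a fingerprint check), as an added example that is not from the original post or its linked snippet; the function names and the choice of User-Agent as the fingerprint are my own assumptions:

```php
<?php
// Added example: session start with fixation/hijacking mitigations.
// Function names below are hypothetical, not part of any PHP API.

function secure_session_start(): void {
    // Never accept a session ID from the URL, and reject IDs the server
    // did not generate itself; both close the fixation vector.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    // Cookie is HTTPS-only and hidden from JavaScript.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Fingerprint: bind the session to the client's User-Agent string.
    // Binding to the IP address as well is stricter, but breaks for
    // users whose address changes mid-session (mobile, proxies).
    $fp = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = $fp;
    } elseif (!hash_equals($_SESSION['fp'], $fp)) {
        // Mismatch: treat the session as hijacked and start a clean one.
        session_unset();
        session_regenerate_id(true);
        $_SESSION['fp'] = $fp;
    }
}

function login_user(string $username): void {
    // A new ID after login defeats fixation: an ID planted before
    // authentication no longer refers to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['username']     = $username;
    $_SESSION['logged_in_at'] = time();
}

function logout_user(): void {
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying server state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure'   => $p['secure'],  'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

Call secure_session_start() before any output on every page, and login_user() only after the credentials have been verified.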


Replies To: Session Handling in PHP

#2 Spatlabor

Posted 07 November 2008 - 08:37 PM

For a great Session Security Class , check the snippets here for my SessionSecurity addition.

Isn't a link missing?

[edit]Found it: http://www.dreaminco...snippet1947.htm[/edit]

Good article btw.

This post has been edited by Spatlabor: 07 November 2008 - 08:50 PM


#3 sl4ck3r

Posted 24 February 2009 - 01:08 PM

You can also store the IP address of the user to help prevent session hijacking

(as seen in the snippet)

This post has been edited by sl4ck3r: 24 February 2009 - 01:10 PM
