Showing posts with label Session. Show all posts
Showing posts with label Session. Show all posts

Friday, February 27

Check if PHP Session has already started

Recommended way for versions of PHP >= 5.4.0

<?PHP
    if (session_status() == PHP_SESSION_NONE) {
        session_start();
    }
?>

Source: http://www.php.net/manual/en/function.session-status.php

For versions of PHP < 5.4.0

<?PHP
    if(session_id() == '') {
        session_start();
    }
?>
Posted by at No comments:
Labels: ,

Tips on Web Application Session practices

    1. Use a database for sessions.
 
    2. Regenerate the session on when the permissions change (e.g., when a user logs in).
 
    3. Regenerate the session on every page load (optional).
 
    4. Don't expose the session ID in the URL.
 
    5. Don't expose any sensitive data to the session.
 
    6. Only use the session through secure transport, otherwise someone could sniff the cookie and hijack the session.
 
    7. Expire your session after a reasonable amount of time.

In addition to VirtuosiMedia's list:

    1. Use TLS (SSL) across the entire site. Use the HSTS header.
 
    2. Use a session cookie, rather than adding a session token to every link-href and form-action.
 
    3. Use the secure and httpOnly flags on the cookie.
 
    4. Use the X-Frame-Options header.
 
    5. Keep the content of the session minimal. E.g., store only the user-id. If caching is needed, cache in a general caching layer, not the session.
 
    6 Cryptographically sign the session cookie with a secret key known only to the server. Include an expiration datetime in the signed data. Check the signature and the expiration at the server on every request.
Posted by at No comments:
Labels:

Tuesday, February 24

How do PHP sessions work in PHP, and how are they used?

In the general situation :

    1. the session id is sent to the user when his session is created.
    2. it is stored in a cookie (called, by default, PHPSESSID)
    3. that cookie is sent by the browser to the server with each request
    4. the server (PHP) uses that cookie, containing the session_id, to know which file corresponds to that user.
    5. The data in the sessions files is the content of $_SESSION, serialized (ie, represented as a string -- with a function such as serialize) ; and is un-serialized when the file is loaded by PHP, to populate the $_SESSION array.


Sometimes, the session id is not stored in a cookie, but sent in URLs, too -- but that's quite rare, nowadays.


For more informations, you can take a look at the Session Handling section of the manual, that gives some useful informations.

For instance, there is a page about Passing the Session ID, which explains how the session id is passed from page to page, using a cookie, or in URLs -- and which configuration options affect this.


Start a PHP Session:

A session is started with the session_start() function.

Session variables are set with the PHP global variable: $_SESSION.


<?php

     // Start the session
    session_start();
    
    // Set session variables
    $_SESSION["favcolor"] = "green";

 ?>

Get PHP Session Variable Values:

<?php
    // Echo session variables that were set on previous page
    echo "Favorite color is " . $_SESSION["favcolor"] . ".<br>";
    
    //Another way to show all the session variable values for a user session is to run the following code:
    print_r($_SESSION);
?>

Modify a PHP Session Variable:

To change a session variable, just overwrite it:

<?php
    // to change a session variable, just overwrite it 
    $_SESSION["favcolor"] = "yellow";
    print_r($_SESSION);
?>

Destroy a PHP Session:

To remove all global session variables and destroy the session, use session_unset() and session_destroy():

<?php
    // remove all session variables
    session_unset(); 
    
    // destroy the session 
    session_destroy(); 
?>
Posted by at No comments:
Labels: ,
Subscribe to: Comments (Atom)