Sessions

Hello,

I am getting really confused with sessions, where to put them in a certain place, what to name something… can anyone break it down or suggest a tutorial? It is for a member registration login. Also, could anyone suggest a tutorial for learning how to have a comment on a news post?

Thanks,

Peter

Sessions are used to carry data from one page to another. It's like a cookie, just temporary, and ends when the user closes the page. Use cookies to store user log-in data, not sessions.

[p.s.]
I think it can carry POST and GET data across different pages too, but not sure.

GET is data in the URL and POST is data in the header (and I mean the HTTP header, not the HTML header). It has nothing to do with sessions. :slight_smile: You can add variables to sessions (`$_SESSION['var'] = "value";`), however.

[QUOTE=iloveitaly]Sessions are used to carry data from one page to another. It's like a cookie, just temporary, and ends when the user closes the page. Use cookies to store user log-in data, not sessions.[/QUOTE]

What happens when the user’s browser has cookies disabled? Sessions are essentially “server-side cookies”, why not use them to store login data?

Ok, well how would I integrate sessions into a login check page? I would like to show the user information. Each user has a unique id, I am not sure if that should be included in the session. What should I use?

Sessions are essentially global variables handled on the server end. So anything you store in a session variable will be available to any page as long as the session has not timed out and/or the browser has not been closed.

If you are setting up a very basic login script you would probably do something like make a key out of the session id (`session_id()`) and the user's IP address (`$_SERVER['REMOTE_ADDR']`). Then once the user logs out you "unset" this session key. You would create this key after the user has passed the password and login check via a database, for example. Set the key, then on each page that needs it, check whether the current session id and IP address match the stored key. Now this is a very basic login idea, and there are better ways to do this.

The key to sessions is stored in the user's browser. They can disable sessions. The best way I have found to maintain state is to pass (either GET or POST) a key you can use from page to page to recognize the user. Then look up that key in a database to get your information. I usually have the key expire in an hour or so.

I didn’t think sessions could be disabled via the browser… I thought they were a server setting?

Yes they are - close the browser and the session ends. Maybe he was talking about cookies.

NEVER EVER store complete login data in a session and/or send a session id with an URL. This is a big security risk… you should read this: http://www.acros.si/papers/session_fixation.pdf

The session id in the URL is being sent with the referrer header, so another website could read it. The browser should also accept cookies to make full/safe use of sessions. The following text is from php.net:

The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.

Assess the importance of the data carried by your sessions and deploy additional protections – this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.

There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site’s referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.
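As an added example (not code from this thread or from php.net), the login flow described a few posts up and the protections quoted above, put together as PHP helpers: the session id travels only in a cookie, is regenerated on login, the user id is kept server-side, and everything is cleared on logout. It uses `session_regenerate_id()` instead of the session-id-plus-IP key idea; the database check that precedes `login_user()`, the `/login.php` path and PHP 7.3+ (array form of `session_set_cookie_params()`) are assumptions.

```php
<?php
// Added example, not from the thread: cookie-only PHP session login helpers.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // the settings below cannot change once a session is running
    }
    ini_set('session.use_only_cookies', '1'); // id travels in a cookie, never in the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,     // browser-session cookie
        'path'     => '/',
        'secure'   => true,  // HTTPS only, so the id does not cross the network in plain text
        'httponly' => true,  // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call only after the username/password passed the database check (assumed to exist). */
function login_user(int $userId): void
{
    start_secure_session();
    session_regenerate_id(true); // fresh id on login: an id set before authentication is never promoted
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

/** Top of every protected page: returns the user id, or redirects to the login form. */
function require_login(int $maxAge = 3600): int
{
    start_secure_session();
    if (!isset($_SESSION['user_id'], $_SESSION['login_time'])
        || time() - $_SESSION['login_time'] > $maxAge) {
        logout_user();
        header('Location: /login.php'); // assumed path of the login form
        exit;
    }
    return (int) $_SESSION['user_id'];
}

/** Clears the server-side data and expires the browser's session cookie. */
function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```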

No, the key to a session is stored in the browser. You can block session cookies.

Those are cookies, not sessions. Sessions are stored on the server. Default is /tmp on Linux/Unix type servers.

$_SESSION != $_COOKIE

That picture is settings for both. The radio buttons turn off regular cookies and the checkbox turns off session cookies. The information in a session is stored on the server, but the key that tells the server which browser instance is which is stored in the browser. You can from the browser turn off the ability to do sessions.