[thelist] any PHP session experts out there?

Carl J Meyer cjmeyer at npcc.net
Wed Dec 11 16:51:01 CST 2002


Don't use anything written about PHP3 and sessions if you're using PHP4
- native PHP sessions were only introduced in PHP4, so anything written
for PHP3 is a 3rd-party addon which you don't need.

Your code looks fine, with the exception of using the "register globals"
feature.  The advice you read not to use it is very sound, and you
really should follow it.  Not only are there serious security issues,
but using 'register globals' also inevitably creates less readable,
harder to maintain code.  "Now where did that variable come from??".

The top two things that cause problems with PHP sessions are:

1) the session id is not getting passed.
2) your session save handler isn't working.

What are the values in the [Session] section of your php.ini file?  Are
you using cookies to pass the session id (session.use_cookies = 1)?  If
so, are cookies turned on in your test browser?  Can you check your
browser and see if the session cookie is being set (should have a name
like PHPSESSID, or the value of session.name in php.ini)?

If not using cookies to pass the session id, then did you compile PHP
with the enable-trans-sid feature and is session.use_trans_sid = 1?
(trans_sid enables PHP to automatically rewrite all local links in your
pages to include the session id.  Note that passing the session id via
the URL is a potential security risk, cookies are preferable).

If neither use_cookies nor use_trans_sid are on, then you need to pass
the session id manually from page to page in the GET string of every
link (including the header redirect).  In fact, even if you are using
the trans_sid feature PHP probably won't catch that header redirect,
which might be your problem - try adding the session id to the link
manually (ie header("Location: products.php?" . SID);).

(The SID constant is always set to the value "name=id", where name is
your PHP session name (session.name, PHPSESSID by default) and id is the
session id (a random 32-character string).)

Also, your call to session_register is unnecessary - adding an entry to
the $_SESSION array is all you need to do to register the session
value.  In fact, the PHP manual specifically warns against trying to use
both session_register() and the $_SESSION array, so conceivably taking
out the call to session_register() could fix your problem.

HTH

Carl
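Putting Carl's points together, here is what the two pages look like once session_register() is dropped, the value is read from $_POST instead of a register_globals variable, and the session id is appended to the redirect only when cookies are not carrying it. This is an added example, not the code Tom posted or anything from the PHP project; form.php is an assumed name for the page with the text field, and the 64-character limit is an arbitrary sanity check.

```php
<?php
// ---- process.php ----
// Receives the form POST, stores the name in the session, then redirects.
session_start();
header("Cache-control: private"); // IE 6 fix, as in the original post

// Read the field explicitly rather than relying on register_globals.
// It comes from the client, so check it before trusting it.
$name = isset($_POST['name']) ? trim($_POST['name']) : '';
if ($name === '' || strlen($name) > 64) {
    header("Location: form.php?error=1"); // form.php is an assumed page name
    exit;
}

// Assigning into $_SESSION is all that is needed; no session_register().
$_SESSION['name'] = $name;

// When the id travels in a cookie, a plain redirect is enough. trans_sid does
// not rewrite Location headers, so append SID only if cookies are off.
// SID is "name=id", or an empty string when the id arrived via cookie.
$location = "products.php";
if (!ini_get('session.use_cookies') && defined('SID') && SID !== '') {
    $location .= "?" . SID;
}
header("Location: " . $location);
exit;

// ---- products.php ----
session_start();
header("Cache-control: private");

if (!isset($_SESSION['name'])) {
    // Nothing arrived: either the id was not passed between the two requests
    // or the save handler could not write/read the session file.
    echo "No session data. name=" . htmlspecialchars(session_name())
       . " id=" . htmlspecialchars(session_id())
       . " save_path=" . htmlspecialchars(ini_get('session.save_path'));
    exit;
}

// Escape on output: the value originally came from the user.
echo "Hey " . htmlspecialchars($_SESSION['name']);
?>
```

If the diagnostic line in products.php shows an empty id, the session id is not being passed (Carl's first cause); if the id is present but the name is missing, look at session.save_path and whether the web server can write there (his second cause).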

On Wed, 2002-12-11 at 14:18, Tom Dell'Aringa wrote:
> I've been struggling with some PHP session tutorials, and I wondered
> if I could get some tips. Most of the tutorials I find seem to be for
> PHP3 not 4. The one I am using the guy says not to use superglobals
> due to security. Anyway, I am doing this very simple code:
>
> From a simple form that has only a 'name' text field, I send it to a
> process page that does this:
>
> <?
> // start the session
> session_start();
> header("Cache-control: private"); //IE 6 Fix
>
> // Create a new Session Value
>    session_register('name');
>
> // Register the input with the value
>    $_SESSION['name'] = $name;
>
>    header("Location: products.php");
> ?>
>
> I suppose $_SESSION['name'] = $name; could be $_SESSION['name'] =
> $_POST['name']; as well, but I like using the globals myself.
>
> Then I send them to a products page, where I want to display the name
> from the session to see if it is working. I do:
>
> // start the session
> session_start();
> header("Cache-control: private"); //IE 6 Fix
>
> at the top of the page, then
>
> Hey <? echo $_SESSION['name'];?>
>
> in the page, and I get nothing but blanks.
>
> I've perused the php.net docs and they are a bit scattered without
> much practical stuff... any help is appreciated.
>
> Tom
>
>
> =====
> var me = tom.pixelmech.webDeveloper();
>
> http://www.pixelmech.com/
> http://www.maccaws.com/
> [Making A Commercial Case for Adopting Web Standards]
>
