Author Topic: PHP Sessions  (Read 2254 times)

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
PHP Sessions
« on: May 16, 2007, 12:36:01 PM »
I'm trying to figure out how to make sessions carry over from one php file to the next.  For example if you login with login.php then go to someotherpage.php, a new session is generated, unless someotherpage.php is linked from login.php.

I want to be able to visit pages directly without having to first go through another php file.  I tried session_name(), but that didn't seem to work.  It still creates a unique session.

Smokey

  • Autococker
  • Posts: 1172
Re: PHP Sessions
« Reply #1 on: May 16, 2007, 06:29:10 PM »
Create a cookie with the session id in it, then with every page, check for that cookie, and if it exists, set the session_id to that id.

Get it? :)

y00tz

  • Autococker
  • Posts: 2742
Re: PHP Sessions
« Reply #2 on: May 16, 2007, 06:33:07 PM »
I was going to suggest a cookie, but surely Jits thought of that?

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: PHP Sessions
« Reply #3 on: May 16, 2007, 07:43:31 PM »
Will that carry over all the other information from the session, or do I need to store everything in the cookie?

Smokey

  • Autococker
  • Posts: 1172
Re: PHP Sessions
« Reply #4 on: May 17, 2007, 06:48:58 PM »
Quote
Will that carry over all the other information from the session, or do I need to store everything in the cookie?
PHP saves sessions to a folder called tmp. So by loading a session, you load the data from it.
It's in the same directory that your www folder is in.

Bah. http://www.php.net/session
Quote
session.save_path string

    session.save_path defines the argument which is passed to the save handler. If you choose the default files handler, this is the path where the files are created. Defaults to /tmp. See also session_save_path().

    There is an optional N argument to this directive that determines the number of directory levels your session files will be spread around in. For example, setting to '5;/tmp' may end up creating a session file and location like /tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174. In order to use N you must create all of these directories before use. A small shell script exists in ext/session to do this, it's called mod_files.sh. Also note that if N is used and greater than 0 then automatic garbage collection will not be performed, see a copy of php.ini for further information. Also, if you use N, be sure to surround session.save_path in "quotes" because the separator (;) is also used for comments in php.ini.

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: PHP Sessions
« Reply #5 on: May 17, 2007, 07:49:30 PM »
Ok, so say for simplicity I load the site and have a session id of "123".  I log in -- enter my username and password, and the server stores my userid and password hash in a session file and generates a cookie that saves my session id of "123" to my local browser.

What stops somebody else from making a fake cookie that says "my session id is 123", loading the website, and being logged in as me?

Smokey

  • Autococker
  • Posts: 1172
Re: PHP Sessions
« Reply #6 on: May 17, 2007, 08:19:56 PM »
Quote
Ok, so say for simplicity I load the site and have a session id of "123".  I log in -- enter my username and password, and the server stores my userid and password hash in a session file and generates a cookie that saves my session id of "123" to my local browser.

What stops somebody else from making a fake cookie that says "my session id is 123", loading the website, and being logged in as me?
Store some info in the cookie, such as an md5 of the password, for verification.

b00nlander

  • Autococker
  • Posts: 784
Re: PHP Sessions
« Reply #7 on: May 18, 2007, 02:31:13 AM »
Usually you'd simply encrypt your session id, that's the easiest way.  It still has some minor security issues, but it's what most sites use.

Smokey

  • Autococker
  • Posts: 1172
Re: PHP Sessions
« Reply #8 on: May 18, 2007, 01:15:09 PM »
Quote
usually you'd simply encrypt your session id, that's the easiest way.  it still has some minor security issue, but it's what most sites use
That's what I suggested to him last night :-D
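The login flow jitspoe describes in reply #5, written out as an added PHP 7.3+ example that is not code from anyone in this thread: login.php and someotherpage.php both include this one file, and the session carries over because session_start() reads the id cookie the browser sends and loads the matching file from session.save_path. The user table, the password and the page names are constructed for the example; nothing about the password goes into the cookie, the random session id alone is the credential, so it is replaced with a fresh one at login.

```php
<?php
// auth.php: shared by every page that needs the login state (added example).
// Assumes PHP 7.3+ for the array form of session_set_cookie_params().

session_set_cookie_params([
    'lifetime' => 0,      // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // sent only over HTTPS
    'httponly' => true,   // not readable by page scripts
    'samesite' => 'Lax',
]);
// Reads the PHPSESSID cookie (if any) and loads sess_<id> from session.save_path.
session_start();

// Constructed credential store; a real site reads this from its database and
// stores the hash, never the password. Hashing on every request is for brevity.
$users = [
    'jitspoe' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(string $username, string $password, array $users): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Issue a new random id and delete the old session file, so an id that was
    // known or planted before login does not become a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function requireLogin(): string
{
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['user'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
    setcookie(session_name(), '', time() - 3600, '/');
}

// login.php:         require 'auth.php';
//                    if (login($_POST['user'] ?? '', $_POST['pass'] ?? '', $users)) {
//                        header('Location: /someotherpage.php'); exit; }
// someotherpage.php: require 'auth.php'; $user = requireLogin();
```

Visiting someotherpage.php directly after logging in works because the browser presents the same cookie, and a forged cookie with an id like "123" matches no server-side file, so $_SESSION is empty and requireLogin() redirects.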