PHP Sessions

[jitspoe]

I'm trying to figure out how to make sessions carry over from one php file to the next.  For example if you login with login.php then go to someotherpage.php, a new session is generated, unless someotherpage.php is linked from login.php.

I want to be able to visit pages directly without having to first go through another php file.  I tried session_name(), but that didn't seem to work.  It still creates a unique session.

[Smokey]

Create a cookie with the session id in it, then with every page, check for that cookie, and if it exists, set the session_id to that id.

Get it?

[y00tz]

I was going to suggest a cookie, but surely Jits thought of that?

[jitspoe]

Will that carry over all the other information from the session, or do I need to store everything in the cookie?

[Smokey]

Will that carry over all the other information from the session, or do I need to store everything in the cookie?

PHP Saves sessions to a folder, called tmp. So by loading a session, you load the data from it.
Its in the same directory that your www folder is in.

Bah. http://www.php.net/session

session.save_path string

    session.save_path defines the argument which is passed to the save handler. If you choose the default files handler, this is the path where the files are created. Defaults to /tmp. See also session_save_path().

    There is an optional N argument to this directive that determines the number of directory levels your session files will be spread around in. For example, setting to '5;/tmp' may end up creating a session file and location like /tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If . In order to use N you must create all of these directories before use. A small shell script exists in ext/session to do this, it's called mod_files.sh. Also note that if N is used and greater than 0 then automatic garbage collection will not be performed, see a copy of php.ini for further information. Also, if you use N, be sure to surround session.save_path in "quotes" because the separator ( is also used for comments in php.ini.

[jitspoe]

Ok, so say for simplicity I load the site and have a session id of "123".  I log in -- enter my username and password, and the server stores my userid and password hash in a session file and generates a cookie that saves my session id of "123" to my local browser.

What stops somebody else from making a fake cookie that says "my session id is 123", loading the website, and being logged in as me?

[Smokey]

Ok, so say for simplicity I load the site and have a session id of "123".  I log in -- enter my username and password, and the server stores my userid and password hash in a session file and generates a cookie that saves my session id of "123" to my local browser.

What stops somebody else from making a fake cookie that says "my session id is 123", loading the website, and being logged in as me?

Store some info in the cookie, such as a md5 of the password, For verification.

[b00nlander]

usually you'd simply encrypt your session id, that's the easiest way.  it still has some minor security issue, but it's what most sites use

[Smokey]

usually you'd simply encrypt your session id, that's the easiest way.  it still has some minor security issue, but it's what most sites use

Thats what I suggested to him last night, :-D