07-13-2005, 06:32 PM  #1
Code Monkey
Join Date: Feb 2005
Posts: 64
$_SESSION superglobal...I'm scared
Well, I'm getting around to working in membership stuff myself and I'm confused on how $_SESSION works. I've read the manual/explanations on what is done and I still get confused when I look at code that's using it.
Anybody here good at breaking down stuff like this to dummies lol.
How is it being called and how is it maintained through multiple pages?
ex: $_SESSION['string'] <- where is the string being called from?
How do I use it more than once? Can the session global be used with variables?

07-14-2005, 06:41 AM  #2
Registered User
Join Date: Jan 2004
Location: Poughkeepsie, NY
Posts: 18

07-14-2005, 08:29 AM  #3
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,490
have you used cookies before? ( $_COOKIE[] ) .. sessions are basically cookies except they live on the server. session variables are just a lot easier to set than cookies.
a session starts when you visit a domain, and usually will last until you either leave the site, close your browser, or sit on one page longer than the timeout period.
it's pretty easy if you just think of it as an array. the variables you set are unique to the session and the user who is using them.
if i set $_SESSION['username'] = "sde"; on page 1, then $_SESSION['username'] will return that value as long as the session exists no matter what page you are on within the domain.
i think you are making it a little more complicated than it really is. just think of it like a special array that you can put most any type of values in.
if you have any more specific questions, let me know.
__________________
Mike
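The "special array that survives across pages" idea from the post above, as an added example (not code from the thread). It is one script that handles three URLs so it can be run with PHP's built-in server; the key names ('username', 'visits', 'prefs') are arbitrary choices for the demo, and it needs PHP 7 or later for the `??` operator.

```php
<?php
// Added example, not from the thread. Run with:
//   php -S localhost:8000 session_demo.php
// then visit /?action=set (repeat a few times), /?action=show, /?action=logout.

// session_start() must run before any output. It reads the PHPSESSID cookie the
// browser sends back, loads that session's data from the server-side store into
// $_SESSION, and creates a new session (and sets the cookie) if there is none.
// The browser only ever holds the ID; the values below never leave the server.
session_start();

$action = $_GET['action'] ?? 'show';

switch ($action) {
    case 'set':
        // Keys are strings you choose; values can be strings, numbers, arrays,
        // anything PHP can serialize. Same keys on any page = same data.
        $_SESSION['username'] = 'sde';
        $_SESSION['visits']   = ($_SESSION['visits'] ?? 0) + 1; // proves persistence across requests
        $_SESSION['prefs']    = ['theme' => 'dark', 'per_page' => 20];
        echo "Stored username and prefs in session " . session_id() . "\n";
        break;

    case 'show':
        // On a fresh session the key simply does not exist, so always test with isset().
        if (!isset($_SESSION['username'])) {
            echo "No username in this session yet; try ?action=set\n";
            break;
        }
        printf("username=%s visits=%d theme=%s\n",
            htmlspecialchars($_SESSION['username']),
            $_SESSION['visits'],
            htmlspecialchars($_SESSION['prefs']['theme']));
        break;

    case 'logout':
        // Proper teardown: clear the array, expire the browser's cookie, and
        // delete the server-side copy. session_destroy() alone leaves the cookie.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        echo "Session destroyed\n";
        break;

    default:
        http_response_code(400);
        echo "unknown action\n";
}
```

Open the same URLs from a second browser (or a private window) and you get an independent session with its own counter: the data is keyed by the ID in the cookie, which is why the ID itself is the thing an attacker wants.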

07-14-2005, 01:33 PM  #4
Code Monkey
Join Date: Feb 2005
Posts: 64
Is it bad coding practice to attach sessions onto the URL manually instead of using cookies to maintain the session and (if possible) userid throughout all links?
Like say you have Sessions already in use for the logged in member and print links adding in the session with userid.
ex:
<a href="../profiles.php?PHPSESSID=".session_id()."&userID=$fetch->userid">see this member's profile</a>

07-14-2005, 03:04 PM  #5
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,490
with the default PHP config, you don't need to pass session ids in the URL. if you had the userid in the session, you wouldn't need to pass that either.
have you tried to work with my tutorial that is linked a few posts above?
__________________
Mike

07-14-2005, 04:26 PM  #6
Code Monkey
Join Date: Feb 2005
Posts: 64
I'll give your tut a go (the way you have it, compared to how the code I'm using has it, is a bit different..it's the only reason I shied away, but I see learning from another source is to my benefit). The reason I brought sessions up is because I'm learning from a ready made script that seems to have a good session handler in place, but appears rather flimsy when it comes to pagination. The only thing holding member related pages together from searches, etc. are links with "session_id()" included to maintain the session. I'm still a noob and may be hindering my growth in PHP with such holes in my knowledge base tackling making a membership site without primers/or a basic foundation, but for some reason I can only get a working knowledge of PHP when all the features on a site I'd like to run are right in front of my face in code form.
I've learned a lot but I see my being unable to grasp the use of globals and several other fundamentals because I'm not learning PHP from A-Z is showing. I could continue on with mimicry and what I've learned in conjunction with it to accomplish my goal, but I'm uncertain that the code I'm learning from is even a secure reference now (based on the bit I read on sessions from the PHP 5 Power Programming book).

07-16-2005, 08:42 AM  #7
Senior Grasshopper
Join Date: Jun 2003
Location: FL
Posts: 317
Unless you have some code that performs some sanity checks, using the session ID in the url isn't good at all. (even with some paranoia checks, I don't like it) I'd use cookie-based sessions then, as sde mentioned, just use $_SESSION as the "backend cookie" to store various bits about what's going on for that session.

07-16-2005, 01:13 PM  #8
Code Monkey
Join Date: Feb 2005
Posts: 64
Thanks for all the responses.
I have another question. How does a session hijack work?
The membership script I'm running, doesn't show any session anywhere until you're logged in, so I assume a malicious user would have to join before damage could be attempted. I've tried copying the session of a created admin user, logging out, and then pasting the URL (to the admin area) in the address, but it redirects to the login page. If this is tried while logged in as a different user and I paste in the session of the admin user, I'm logged out and sent to the index. It appears that a hijack would only be able to take place with an active session, so deception would have to be implemented by a malicious user onto registered members to try to get a valid id no?
If there are other ways to do this other than the above logic, I'd like to know this as well.
Thanks again all.

07-16-2005, 07:07 PM  #9
Senior Grasshopper
Join Date: Jun 2003
Location: FL
Posts: 317
http://www.sitepoint.com/blog-post-view.php?id=156260
Especially check out the session fixation pdf. Some good stuff in there with scenarios and various measures to take. A few basic ones:
- Change session IDs after the user has successfully logged in.
- Create a md5 hash of _something_ static, store it in the session and compare it on each page request. If it doesn't match then destroy the session. The _something_ could be: "FOO" + $_SERVER['HTTP_USER_AGENT'] + etc... (IP can be used, but AOL proxy users wont be using the same IP)
-r
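The three points made across posts #5, #7 and #9 (cookie-only sessions instead of PHPSESSID in the URL, a fresh ID after login, and a per-client fingerprint checked on every request) put together as an added example. This is not code from the thread, the linked article, or any membership script; the password check is left as a hypothetical `check_password()` in a comment, FINGERPRINT_SECRET is a placeholder you would load from config, and the type hints need PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. Session hardening for a PHP login flow.

// 1. Take the session ID from the cookie only. With use_only_cookies=0 and
//    use_trans_sid=1, PHP adopts ?PHPSESSID=... from a URL, which is exactly
//    what the fixation scenario needs: the attacker sends the victim a link
//    carrying an ID the attacker already knows, and waits for the login.
function secure_session_start(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued (PHP >= 5.5.2)
    ini_set('session.cookie_httponly', '1');   // script cannot read the cookie; limits theft via XSS
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    ini_set('session.cookie_secure', $https ? '1' : '0');
    session_start();
}

// 2. Fingerprint, as suggested in post #9: a keyed hash of something stable per
//    client. IP is deliberately left out (proxy pools rotate it). The secret stops
//    someone who knows the victim's User-Agent from computing the value themselves.
const FINGERPRINT_SECRET = 'replace-with-a-long-random-value'; // assumption: loaded from config in real code

function fingerprint(array $server): string
{
    return hash_hmac('sha256', $server['HTTP_USER_AGENT'] ?? '', FINGERPRINT_SECRET);
}

// 3. On successful login, discard the pre-login ID. Whatever ID an attacker
//    planted before the login now points at nothing.
function login_user(int $userId, array $server): void
{
    session_regenerate_id(true);            // new ID issued, old server-side data deleted
    $_SESSION['user_id']      = $userId;
    $_SESSION['fingerprint']  = fingerprint($server);
    $_SESSION['logged_in_at'] = time();
}

// 4. Gate for every page that needs a logged-in member. Returns the user id.
function require_login(array $server): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        header('Location: /login.php');
        exit;
    }
    if (!hash_equals($_SESSION['fingerprint'], fingerprint($server))) {
        // The cookie is being replayed from a different client: destroy the session.
        logout_user();
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage sketch (login.php); check_password() is hypothetical and not defined here:
//   secure_session_start();
//   if ($id = check_password($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//       login_user($id, $_SERVER);
//       header('Location: /members.php'); exit;
//   }
// Usage sketch (any member page):
//   secure_session_start();
//   $uid = require_login($_SERVER);
```

The fingerprint is a tripwire, not a lock: an attacker who steals the cookie and copies the User-Agent passes it, so the regeneration after login and keeping the ID out of URLs (where it lands in Referer headers, proxy logs and browser history) are the measures that actually remove attack surface.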

Copyright © 2000-2008, Milano Interactive