  1. #1

    PHP session_start()

    Hi,

    I have a page that is just:

    <?php
    session_start();
    ?>

    The server response headers are showing:

    HTTP/1.1 200 OK
    Date: Fri, 01 Jul 2011 03:30:07 GMT
    Server: Apache
    X-Powered-By: PHP/5.2.11
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: PHPSESSID=zOkJeTZL9T6oB4yDgbaUYljqCwdWZ_wvea2tiWBmhYDJNfkEVkVrEY4ZzIyGihCl; path=/
    Content-Type: text/html

    I was expecting a file in start/run/cookies something like:

    user@mysite[1]

    but there is none.

    Why not?

    My end point is to have the usual logged in / not logged in test for each page including the splash page ...

  2. #2
    Check your php config file. Where are cookies stored? This is a directive in the config file. Check that directory for files.

  3. #3
    PHP doesn't initialize the local session until you actually write data to it.

    You can call session_start() all you want, but PHP won't actually create the local session file until you write data to the session.

    PHP Code:
    <?php
    session_start(); // Nothing written to the local session file
    ?>

    PHP Code:
    <?php
    session_start();

    $_SESSION['key'] = 'value'; // Local session file initialized, and value written to it.
    ?>
    This is a performance feature. Creating session files for sessions that are not used is pointless and a waste of resources. This way, the only session files that will ever be created, are the ones that are going to be used.

    This code here I use frequently when working with sessions:
    PHP Code:
    <?php
    session_start();

    if ( !isset($_SESSION['user_agent']) ) {
        // First request of this session: record the client details
        $_SESSION['user_agent']  = $_SERVER['HTTP_USER_AGENT'];
        $_SESSION['remote_addr'] = $_SERVER['REMOTE_ADDR'];
    }
    else {
        // Verify Same User Agent
        if ( $_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT'] ) {
            // The Browser User Agent has changed since the start of the session
            // Possible Hijack Attempt? Force the user to re-login
            header('Location: /login.php');
            die();
        }

        // Verify Same IP Address (NOTE: Mobile Devices have problems with this because their IPs change frequently)
        if ( $_SESSION['remote_addr'] != $_SERVER['REMOTE_ADDR'] ) {
            // The User IP Address has changed since the start of the session
            // Possible Hijack Attempt? Force the user to re-login
            header('Location: /login.php');
            die();
        }
    }
    ?>
    The code above always results in a session file being created in the background because I am storing the User Agent String and the IP Address of the user in the session right away.


    PHP creates the session file at the location described in your php.ini file. The directive is 'session.save_path'. The session file itself is usually named after the PHP session ID, "zOkJeTZL9T6oB4yDgbaUYljqCwdWZ_wvea2tiWBmhYDJNfkEVkVrEY4ZzIyGihCl" according to your headers included in the post.

    If you want to name the file something specific like 'user@mysite[1]', you will need to write a custom session file handler in order to do that.
    Last edited by adamhahnderson; 07-01-2011 at 05:25 AM.
    Adam Hahn
    Software Engineer / System Administrator / Database Engineer
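    As an added example (not Adam's code and not from this forum), here is the same session-binding idea written so it runs as-is on PHP 5.6 or later: the User-Agent is hashed before it is stored, IP binding is optional because of the mobile caveat above, the cookie is flagged HttpOnly/Secure, and a failed check destroys the session instead of only redirecting. /login.php is the path from the post; the function names and the PHP version are assumptions.

```php
<?php
// Added example, not the poster's code. Binds a PHP session to a fingerprint
// of the client (User-Agent, optionally the remote address). Assumes PHP >= 5.6
// for hash_equals(); the function names are made up for this example.

// Hash the User-Agent (and optionally the remote address) so the session
// holds a fixed-size digest instead of raw header data. IP binding is off by
// default because mobile clients change addresses often.
function client_fingerprint($check_ip)
{
    $parts = array(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
    if ($check_ip) {
        $parts[] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    }
    return hash('sha256', implode("\n", $parts));
}

// Start the session and verify the client still looks like the one that
// created it. Returns true on a fresh or matching session; on a mismatch the
// session is destroyed and the user is sent to /login.php.
function start_bound_session($check_ip = false, $secure = true)
{
    // lifetime, path, domain, secure, httponly: keep the cookie away from
    // script (HttpOnly) and off plain HTTP (Secure; $secure = false only on a dev box).
    session_set_cookie_params(0, '/', '', $secure, true);
    session_start();

    $fingerprint = client_fingerprint($check_ip);

    if (!isset($_SESSION['fingerprint'])) {
        // First request of this session: record what we know about the client.
        // Writing to $_SESSION is also what persists the session on the server.
        $_SESSION['fingerprint'] = $fingerprint;
        $_SESSION['created_at']  = time();
        return true;
    }

    if (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        // User-Agent (or IP) changed mid-session: possible hijack, so drop the
        // server-side data rather than continue under the old identity.
        $_SESSION = array();
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    return true;
}

start_bound_session(false);
```

    Comparing digests with hash_equals() rather than != keeps the comparison constant-time; the stored digest also means a session file never contains the raw header strings.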

  4. #4
    Quote Originally Posted by jacksonaskin27
    I was expecting a file in start/run/cookies something like:

    user@mysite[1]

    but there is none.

    Why not?
    Sessions are stored server side. Cookies are stored client side.

  5. #5
    Thanks all

  6. #6
    What I found I think, Adam, also, was that the first server response header when the simple session_start() function was called did contain a PHPSESSID, but only in memory for that browser instance.

    When I called my server again from that browser the client request header had the PHPSESSID, and so did all subsequent requests from the client to my server.

    But the only time the PHPSESSID was in the Server Response Header was its first response when no PHPSESSID was present in the Client Request Header.

  7. #7
    Quote Originally Posted by jacksonaskin27
    What I found I think, Adam, also, was that the first server response header when the simple session_start() function was called did contain a PHPSESSID, but only in memory for that browser instance.

    When I called my server again from that browser the client request header had the PHPSESSID, and so did all subsequent requests from the client to my server.

    But the only time the PHPSESSID was in the Server Response Header was its first response when no PHPSESSID was present in the Client Request Header.
    Yes, that is because the PHP session ID is sent to the browser so that it can be stored in a cookie. Even though the session file itself doesn't exist on the server, the ID itself is created and passed back.

    In subsequent requests, the PHP built-in session handler will rely on the session ID in the cookie instead of generating a new session ID, even if the server-side session file does not yet exist.

    You can exploit this to try and hijack other server sessions. You would only need to change the session ID of your cookie and you could possibly steal a different session. That is why you need some sort of check built in to make sure that the session is only accessible by the right person. Simply relying on the cookie value is not sufficient.
    Adam Hahn
    Software Engineer / System Administrator / Database Engineer
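    As an added example (not Adam's code and not from this forum), here is how a defender closes the gap described in the post above, where PHP accepts whatever session ID the cookie carries: session.use_strict_mode makes PHP refuse an ID it never issued (available from PHP 5.5.2), a per-session marker plus session_regenerate_id() covers older builds, and the ID is regenerated again at login so a pre-login ID never carries over into an authenticated session. /login.php is the path from the thread; the function names and the use of ini_set() at runtime (rather than php.ini) are assumptions.

```php
<?php
// Added example, not the poster's code. Defends against an attacker-chosen or
// guessed session ID being accepted as a fresh session. Function names are
// made up for this example; settings could equally live in php.ini.

function start_strict_session()
{
    // Refuse session IDs this server did not generate. Without this, any
    // cookie value becomes a valid (empty) session on first use.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // never take the ID from the URL
    session_set_cookie_params(0, '/', '', true, true); // secure + httponly cookie
    session_start();

    // Fallback for PHP builds without strict mode: a session this code
    // initialised carries the marker; an unknown ID does not, so replace the
    // ID (and delete the old session data) before storing anything.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION = array('initiated' => true);
    }
}

// Call after credentials have been verified. Changing the ID here means an
// ID that was planted or observed before login is useless afterwards.
function login_user($user_id)
{
    session_regenerate_id(true);
    $_SESSION['initiated']    = true;
    $_SESSION['user_id']      = $user_id;
    $_SESSION['logged_in_at'] = time();
}

// The usual logged in / not logged in test for a page.
function require_login()
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['user_id'];
}

function logout_user()
{
    $_SESSION = array();
    // Expire the cookie in the browser too, not only the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

start_strict_session();
```

    With strict mode on, a request carrying an ID that has no server-side session is given a brand-new ID instead of adopting the presented one; the 'initiated' marker gives the same result on versions that lack the setting.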
