Thread: PHP session_start()
-
06-30-2011, 11:43 PM #1New Member
- Join Date
- Jun 2011
- Posts
- 3
PHP session_start()
Hi,
I have a page that is just:
<?php
session_start();
?>
The server response headers are showing:
HTTP/1.1 200 OK
Date: Fri, 01 Jul 2011 03:30:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=zOkJeTZL9T6oB4yDgbaUYljqCwdWZ_wvea2tiWBmhYDJNfkEVkVrEY4ZzIyGihCl; path=/
Content-Type: text/html
I was expecting a file in start/run/cookies something like:
user@mysite[1]
but there is none.
Why not?
My end point is to have the usual logged in / not logged in test for each page including the splash page ...
-
07-01-2011, 04:23 AM #2Aspiring Evangelist
- Join Date
- Sep 2010
- Location
- Behind you...
- Posts
- 356
Check your php config file. Where are cookies stored? This is a directive in the config file. Check that directory for files.
-
07-01-2011, 05:13 AM #3WHT Addict
- Join Date
- Apr 2011
- Location
- Charlotte, NC
- Posts
- 104
PHP doesn't initialize the local session until you actually write data to it.
You can call session_start() all you want, but PHP won't actually create the local session file until you write data to the session.
PHP Code:
<?php
session_start(); // Nothing written to the local session file
?>
PHP Code:
<?php
session_start();
$_SESSION['key'] = 'value'; // Local session file initialized, and value written to it.
?>
This code here I use frequently when working with sessions:
PHP Code:
<?php
session_start();
if ( !isset($_SESSION['user_agent']) ) {
    // First request of this session: record the client details to compare against later.
    $_SESSION['user_agent']  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $_SESSION['remote_addr'] = $_SERVER['REMOTE_ADDR'];
}
else {
    // Verify Same User Agent
    $current_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if ( $_SESSION['user_agent'] != $current_agent ) {
        // The Browser User Agent has changed since the start of the session
        // Possible Hijack Attempt? Force the user to re-login
        header('Location: /login.php');
        die();
    }
    // Verify Same IP Address (NOTE: Mobile Devices have problems with this because their IPs change frequently)
    if ( $_SESSION['remote_addr'] != $_SERVER['REMOTE_ADDR'] ) {
        // The User IP Address has changed since the start of the session
        // Possible Hijack Attempt? Force the user to re-login
        header('Location: /login.php');
        die();
    }
}
?>
PHP creates the session file at the location described in your php.ini file. The directive is 'session.save_path'. The session file itself is usually named after the PHP session ID, "zOkJeTZL9T6oB4yDgbaUYljqCwdWZ_wvea2tiWBmhYDJNfkEVkVrEY4ZzIyGihCl" according to your headers included in the post.
If you want to name the file something specific like 'user@mysite[1]', you will need to write a custom session file handler in order to do that.
Last edited by adamhahnderson; 07-01-2011 at 05:25 AM.
Adam Hahn
Software Engineer / System Administrator / Database Engineer
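As an added example (not code from the thread or from the poster), here is a minimal custom session save handler of the kind the reply above says you need if you want to control where and under what name session files are written. It assumes PHP 5.4 or later for SessionHandlerInterface and a writable directory; the `sess_` file prefix and the directory under the system temp dir are placeholders. The point worth taking from it is the ID validation in `pathFor()`: the session ID arrives in the PHPSESSID cookie, so a handler that concatenates it straight into a path turns a cookie value like `../../something` into a path traversal bug. With this handler no file is created on `read()` for an unknown ID; the file appears when PHP calls `write()` at request shutdown.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.4 and a writable directory.

class SafeFileSessionHandler implements SessionHandlerInterface
{
    private $dir;

    public function __construct($dir)
    {
        $this->dir = rtrim($dir, '/');
    }

    // The ID is client-supplied (PHPSESSID cookie). Accept only the characters
    // PHP itself uses for IDs (plus underscore, which the OP's host emitted) and
    // a sane length; anything else gets no file path at all.
    private function pathFor($id)
    {
        if (!preg_match('/^[A-Za-z0-9,_-]{22,256}$/', $id)) {
            return false;
        }
        return $this->dir . '/sess_' . $id;   // "sess_" prefix is an assumption
    }

    public function open($savePath, $sessionName): bool
    {
        return is_dir($this->dir) && is_writable($this->dir);
    }

    public function close(): bool
    {
        return true;
    }

    // Called by session_start(). An unknown or malformed ID yields an empty
    // session and creates nothing on disk.
    public function read($id): string
    {
        $path = $this->pathFor($id);
        if ($path === false || !is_file($path)) {
            return '';
        }
        return (string) file_get_contents($path);
    }

    // Called at shutdown with the serialized $_SESSION; this is where the file
    // comes into existence. Mode 0600 keeps other local users out of it.
    public function write($id, $data): bool
    {
        $path = $this->pathFor($id);
        if ($path === false) {
            return false;
        }
        return file_put_contents($path, $data, LOCK_EX) !== false && chmod($path, 0600);
    }

    public function destroy($id): bool
    {
        $path = $this->pathFor($id);
        if ($path !== false && is_file($path)) {
            unlink($path);
        }
        return true;
    }

    // Garbage collection: remove files idle longer than session.gc_maxlifetime.
    public function gc($maxlifetime): int
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') as $file) {
            if (filemtime($file) + $maxlifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

$dir = sys_get_temp_dir() . '/app_sessions';   // placeholder location
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
session_set_save_handler(new SafeFileSessionHandler($dir), true);
session_start();
$_SESSION['last_seen'] = time();   // ensures write() runs at shutdown
```

The return type declarations match the interface's tentative types in PHP 8.1 and are accepted by PHP 7.0 and later; on PHP 5.4 through 5.6 drop them. Whatever naming scheme you choose, keep the validation step: the file name must never be derived from an unchecked cookie value.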
-
07-01-2011, 03:18 PM #4Disabled
- Join Date
- Mar 2008
- Posts
- 630
-
07-02-2011, 03:05 AM #5New Member
- Join Date
- Jun 2011
- Posts
- 3
Thanks all
-
07-02-2011, 03:11 AM #6New Member
- Join Date
- Jun 2011
- Posts
- 3
What I found, I think, Adam, also, was that the first server response header when the simple session_start() function was called did contain a PHPSESSID, but only in memory for that browser instance.
When I called my server again from that browser the client request header had the PHPSESSID, and so did all subsequent requests from the client to my server.
But the only time the PHPSESSID was in the Server Response Header was its first response when no PHPSESSID was present in the Client Request Header.
-
07-05-2011, 02:14 PM #7WHT Addict
- Join Date
- Apr 2011
- Location
- Charlotte, NC
- Posts
- 104
Yes, that is because the PHP session ID is sent to the browser so that it can be stored in a cookie. Even though the session file itself doesn't exist on the server, the ID itself is created and passed back.
In subsequent requests, the PHP built in session handler will rely on the session ID in the cookie instead of generating a new session id, even if the server side session file does not yet exist.
You can exploit this to try and hijack other server sessions. You would only need to change the session ID of your cookie and you could possibly steal a different session. That is why you need some sort of check built in to make sure that the session is only accessible by the right person. Simply relying on the cookie value is not sufficient.
Adam Hahn
Software Engineer / System Administrator / Database Engineer
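As an added example (not code from the thread or from the poster), this is the "logged in / not logged in" gate the original question asked for, written so that the bare PHPSESSID cookie is never treated as proof of identity, which is the warning in the reply above. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and a site served over HTTPS; `/login.php`, the eight-hour absolute lifetime and binding the session to the User-Agent only (not the IP, for the mobile-client reason given in reply #3) are assumptions. `session.use_strict_mode`, available since PHP 5.5.2, makes the built-in handler refuse a session ID it did not issue, which closes the path described above where a client supplies an arbitrary ID and PHP creates a session for it (session fixation).

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 and HTTPS.

// 1. Refuse IDs the server never generated. Without this the built-in
//    handler accepts any cookie value and starts a session under it.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');   // never read the ID from the URL

// 2. Cookie attributes: lifetime 0 is a browser-session cookie (kept in
//    memory, which is why no cookie file showed up on disk in the question).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // HTTPS only
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();

// Session-to-client binding. User-Agent only; IPs change on mobile/NAT.
function fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// 3. Called after the password check succeeds. Regenerating the ID at the
//    privilege change means an attacker-planted ID never becomes authenticated.
function login(string $userId): void
{
    session_regenerate_id(true);          // true = delete the old session file
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = fingerprint();
    $_SESSION['started']     = time();
}

function logout(): void
{
    $_SESSION = [];
    $params = session_get_cookie_params();
    unset($params['lifetime']);           // not a setcookie() option key
    setcookie(session_name(), '', ['expires' => time() - 3600] + $params);
    session_destroy();
}

// 4. The per-page gate. Returns the user ID or redirects to the login page.
//    Every check fails closed: a missing key, a changed fingerprint or an
//    expired session all end in logout().
function require_login(): string
{
    $ok = isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['started'])
        && hash_equals($_SESSION['fingerprint'], fingerprint())
        && (time() - $_SESSION['started']) < 8 * 3600;   // absolute lifetime: assumption
    if (!$ok) {
        logout();
        header('Location: /login.php');   // assumed login page
        exit;
    }
    return $_SESSION['user_id'];
}

// Usage on a protected page (including the splash page):
// $user = require_login();
```

The ordering matters: the ini settings and cookie parameters must be set before session_start(), and login() must be called only after credentials have been verified, so that session_regenerate_id() runs on the authenticated transition and not on every request.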