How to check if a session exists?

Recoil UK
Forum Newbie
Posts: 23
Joined: Sat Jul 12, 2003 5:59 pm

Post by Recoil UK »

Hi guys

When using sessions, and you want to check if a session has existed before, how do you do it?

Thx guys
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Check if one of the session variables is still active.. for example..

Code:

<?php
if(session_is_registered("username"))
{
// session is still active
}
else
{
// session has died
}
?>

Post by Recoil UK »

Hi

Yeah I know that, maybe I should rephrase the question.

Unless you do session_start(); then it doesn't matter if you check for a session variable or not, it's not going to exist.

My question is therefore....

How do I check if a session previously existed, without calling session_start();.

Thx

Post by Recoil UK »

Hi

Quick update on what I've found.

I think the following is what I need.

Code:

<?php
// only start a session when the client already presents a session cookie
if (isset($_COOKIE['PHPSESSID'])) {
   session_start();
}
?>
Is this secure?

Thx

Post by Gen-ik »

As soon as the browser is closed the session will be erased, so the only way you are going to be able to do this (why do you want to do this anyway?) is to store a cookie on the client's machine with the session details in it. That way you can simply check if the cookie exists.. as long as the client can accept cookies, and as long as they don't delete them.

But a session is exactly what it sounds like, a session, it's only designed to last until the client closes their browser or until it times out.

For permanent stuff either use cookies or store info in a database.

Post by Recoil UK »

Hi

Yeah I know that as soon as the browser is closed, the session will be erased.

What I'm trying to do is create a custom session handler that changes the sessionid on each page request.

The user also will not be getting the real sessionid; they will be getting one that is added to a randomly generated number.

The purpose of this is to protect myself against cookie tampering.

Thx

Post by Recoil UK »

Hi again

"As soon as the browser is closed the session will be erased, so the only way you are going to be able to do this (why do you want to do this anyway?) is to store a cookie on the client's machine with the session details in it."

Well, I'm already checking to see if the cookie exists by using the isset command above.

Thx

Post by Gen-ik »

"The purpose of this is to protect myself against cookie tampering."

How?

If someone wants to edit a cookie they can simply open their cookie folder and change what they like. Changing the session id won't protect cookies because the user can check the date of the last cookie added/updated.

Do you mean you are trying to protect the session(s) to prevent 'session hijacking'?

Post by Recoil UK »

Hi

Well yeah, it will be to protect against session hijacking, but as sessions use a cookie, albeit a cookie held in memory, my example is correct.

Using this method, I believe it will be impossible for someone to alter the cookie without me knowing, thereby destroying the session.

Of course, I still won't be able to protect against someone not logging out or not closing their browser on a public PC, but it's a start.

L8rs

Post by Recoil UK »

Hi guys

OK, I've written 2 scripts (well, borrowed one and added a second) for my attempt at more secure sessions......

They are both written to be included at the top of the page.

Code:

<?php

$SESS_DBHOST = "******";			/* database server hostname */
$SESS_DBNAME = "******";			/* database name */
$SESS_DBUSER = "******";		/* database user */
$SESS_DBPASS = "******";		/* database password */

$SESS_DBH = "";
$SESS_LIFE = get_cfg_var("session.gc_maxlifetime");

function sess_open($save_path, $session_name) {
	global $SESS_DBHOST, $SESS_DBNAME, $SESS_DBUSER, $SESS_DBPASS, $SESS_DBH;

	if (!$SESS_DBH = mysql_connect($SESS_DBHOST, $SESS_DBUSER, $SESS_DBPASS)) {
		echo "<li>Can't connect to $SESS_DBHOST as $SESS_DBUSER";
		echo "<li>MySQL Error: ", mysql_error();
		die;
	}

	if (! mysql_select_db($SESS_DBNAME, $SESS_DBH)) {
		echo "<li>Unable to select database $SESS_DBNAME";
		die;
	}

	return true;
}

function sess_close() {
	return true;
}

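function sess_read($key) {
	global $SESS_DBH, $SESS_LIFE;

	// $key is the session ID from the client's cookie: escape it before it enters the SQL
	$key = mysql_real_escape_string($key, $SESS_DBH);
	$qry = "SELECT value FROM sessions WHERE sessionid = '$key' AND expirytime > " . time();
	$qid = mysql_query($qry, $SESS_DBH);

	if ($qid && (list($value) = mysql_fetch_row($qid))) {
		return $value;
	}

	// the read handler must return a string; an empty string means "no session data"
	return "";
}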

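function sess_write($key, $val) {
	global $SESS_DBH, $SESS_LIFE;

	$expirytime = time() + $SESS_LIFE;
	// escape the client-supplied session ID and the serialized data with the connection's own escaping
	$key = mysql_real_escape_string($key, $SESS_DBH);
	$value = mysql_real_escape_string($val, $SESS_DBH);

	$qry = "INSERT INTO sessions VALUES ('$key', $expirytime, '$value')";
	$qid = mysql_query($qry, $SESS_DBH);

	// if the INSERT failed (for example, the row already exists), fall back to an UPDATE
	if (!$qid) {
		$qry = "UPDATE sessions SET expirytime = $expirytime, value = '$value' WHERE sessionid = '$key' AND expirytime > " . time();
		$qid = mysql_query($qry, $SESS_DBH);
	}

	return $qid;
}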

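function sess_destroy($key) {
	global $SESS_DBH;

	// $key is the session ID from the client's cookie: escape it before it enters the SQL
	$key = mysql_real_escape_string($key, $SESS_DBH);
	$qry = "DELETE FROM sessions WHERE sessionid = '$key'";
	$qid = mysql_query($qry, $SESS_DBH);

	return $qid;
}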

function sess_gc($maxlifetime) {
	global $SESS_DBH;

	$qry = "DELETE FROM sessions WHERE expirytime < " . time();
	$qid = mysql_query($qry, $SESS_DBH);

	return mysql_affected_rows($SESS_DBH);
}

session_set_save_handler(
	"sess_open",
	"sess_close",
	"sess_read",
	"sess_write",
	"sess_destroy",
	"sess_gc");

?>

Code:

<?php

function session_security() {

   $SESS_DBHOST = "******";			/* database server hostname */
   $SESS_DBNAME = "******";			/* database name */
   $SESS_DBUSER = "******";		/* database user */
   $SESS_DBPASS = "******";

   if (!$DBH = mysql_connect($SESS_DBHOST, $SESS_DBUSER, $SESS_DBPASS)) {
      echo "<li>Can't connect to $SESS_DBHOST as $SESS_DBUSER";
		echo "<li>MySQL Error: ", mysql_error();
		die;
   }

   if (! mysql_select_db($SESS_DBNAME, $DBH)) {
		echo "<li>Unable to select database $SESS_DBNAME";
		die;
	}

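   if (isset($_COOKIE['PHPSESSID'])) {
      // the cookie value is client-supplied: escape it before it enters the SQL
      $sessionid = mysql_real_escape_string($_COOKIE['PHPSESSID'], $DBH);
      $new_sessionid = md5(microtime().mt_rand(10000,50000));
      // move the stored session row over to the new ID, then tell PHP to use it
      $qry = "UPDATE sessions SET sessionid = '$new_sessionid' WHERE sessionid = '$sessionid'";
      $qid = mysql_query($qry, $DBH);
      session_id($new_sessionid);
   } else {
      // no cookie yet: issue a first ID
      session_id(md5(microtime().mt_rand(10000,50000)));
   }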
}

?>
The idea being, that as soon as the page is accessed, then the sessionid changes, providing more security.

What ya think???

Is it more secure?

Can it be improved upon?

Thx guys
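
A hardened take on what this thread is after (checking for a session cookie before starting the session, and rotating the ID), as an added example that is not part of any post: it relies on PHP's built-in session functions instead of rewriting IDs by hand. It assumes PHP 7.3+, HTTPS and the built-in save handler; `has_session_cookie`, `start_hardened_session`, `on_login` and the `ROTATE_AFTER` value are illustrative names.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ and HTTPS.

const ROTATE_AFTER = 300; // seconds between ID rotations (assumed value)

// Answers "did the client present a session cookie?" without session_start().
// The cookie is client-controlled input: its presence proves nothing until
// the server finds stored data for that ID.
function has_session_cookie(): bool
{
    $id = $_COOKIE[session_name()] ?? null;
    // 22-256 characters from PHP's session ID alphabet; anything else is ignored
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
}

function start_hardened_session(): void
{
    session_start([
        'use_strict_mode'  => 1,     // never adopt an ID the server did not issue
        'use_only_cookies' => 1,     // no session IDs in URLs
        'cookie_httponly'  => 1,     // hide the cookie from page scripts
        'cookie_secure'    => 1,     // send it over HTTPS only
        'cookie_samesite'  => 'Lax',
    ]);

    $now = time();
    if (!isset($_SESSION['issued_at'])) {
        $_SESSION['issued_at'] = $now;   // fresh session
    } elseif ($now - $_SESSION['issued_at'] > ROTATE_AFTER) {
        // New ID from PHP's CSPRNG; true deletes the old session's data.
        // A timer makes it rare for parallel requests to carry a just-deleted ID.
        session_regenerate_id(true);
        $_SESSION['issued_at'] = $now;
    }
}

// Call at every privilege change (login) so an ID planted before
// authentication cannot be reused afterwards.
function on_login(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['username']  = $username;
    $_SESSION['issued_at'] = time();
}

if (has_session_cookie()) {
    start_hardened_session();
}
```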