How to check if a session exists?
Hi guys
When using sessions, and you want to check if a session has existed before, how do you do it?
Thx guys
Check if one of the session variables is still active.. for example..
Code:
<?php
session_start();
// session_is_registered() was removed in PHP 5.4; test the $_SESSION entry instead
if (isset($_SESSION["username"]))
{
    // session is still active
}
else
{
    // session has died
}
?>
Hi
Quick update on what I've found.
I think the following is what I need.
Code:
<?php
// Only start the session if the browser sent a session cookie
if (isset($_COOKIE['PHPSESSID'])) {
    session_start();
}
?>
Is this secure?
Thx
As soon as the browser is closed the session will be erased, so the only way you are going to be able to do this (why do you want to do this anyway?) is to store a cookie on the client's machine with the session details in it. That way you can simply check if the cookie exists.. as long as the client can accept cookies, and as long as they don't delete them.
But a session is exactly what it sounds like, a session, it's only designed to last until the client closes their browser or until it times out.
For permanent stuff either use cookies or store info in a database.
Hi
Yeah I know that as soon as the browser is closed, the session will be erased.
What I'm trying to do is create a custom session handler that changes the sessionid on each page request.
The user also will not be getting the real sessionid, they will be getting one that is added to a randomly generated number.
The purpose of this is to protect myself against cookie tampering.
Thx
Hi again
"As soon as the browser is closed the session will be erased, so the only way you are going to be able to do this (why do you want to do this anyway?) is to store a cookie on the client's machine with the session details in it."
Well, I'm already checking to see if the cookie exists by using the isset command above.
Thx
"The purpose of this is to protect myself against cookie tampering."
How?
If someone wants to edit a cookie they can simply open their cookie folder and change what they like. Changing the session id won't protect cookies because the user can check the date of the last cookie added/updated.
Do you mean you are trying to protect the session(s) to prevent 'session hijacking'?
Hi
Well yeah, it will be to protect against session hijacking, but as sessions use a cookie, albeit a cookie held in memory, my example is correct.
Using this method, I believe it will be impossible for someone to alter the cookie without me knowing, thereby destroying the session.
Of course, I still won't be able to protect against someone not logging out or not closing their browser on a public PC, but it's a start.
L8rs
Hi guys
Ok, I've written 2 scripts (well, borrowed one and added a second) for my attempt at more secure sessions......
They are both written to be included at the top of the page.
The idea being, that as soon as the page is accessed, then the sessionid changes, providing more security.
Code:
<?php
/* MySQL-backed session handler, ported to mysqli (the mysql_* functions were removed in PHP 7) */
$SESS_DBHOST = "******"; /* database server hostname */
$SESS_DBNAME = "******"; /* database name */
$SESS_DBUSER = "******"; /* database user */
$SESS_DBPASS = "******"; /* database password */
$SESS_DBH = null;
$SESS_LIFE = (int) get_cfg_var("session.gc_maxlifetime");
mysqli_report(MYSQLI_REPORT_OFF); /* report errors through return values, as the checks below expect */

function sess_open($save_path, $session_name) {
    global $SESS_DBHOST, $SESS_DBNAME, $SESS_DBUSER, $SESS_DBPASS, $SESS_DBH;
    if (!$SESS_DBH = mysqli_connect($SESS_DBHOST, $SESS_DBUSER, $SESS_DBPASS)) {
        echo "<li>Can't connect to $SESS_DBHOST as $SESS_DBUSER";
        echo "<li>MySQL Error: ", mysqli_connect_error();
        die;
    }
    if (!mysqli_select_db($SESS_DBH, $SESS_DBNAME)) {
        echo "<li>Unable to select database $SESS_DBNAME";
        die;
    }
    return true;
}

function sess_close() {
    return true;
}

function sess_read($key) {
    global $SESS_DBH;
    /* the id comes from the client's cookie, so escape it before it goes into SQL */
    $key = mysqli_real_escape_string($SESS_DBH, $key);
    $qry = "SELECT value FROM sessions WHERE sessionid = '$key' AND expirytime > " . time();
    $qid = mysqli_query($SESS_DBH, $qry);
    if ($qid && ($row = mysqli_fetch_row($qid))) {
        return $row[0];
    }
    return ""; /* the read handler must return a string, even when nothing is stored */
}

function sess_write($key, $val) {
    global $SESS_DBH, $SESS_LIFE;
    $expirytime = time() + $SESS_LIFE;
    $key = mysqli_real_escape_string($SESS_DBH, $key);
    $value = mysqli_real_escape_string($SESS_DBH, $val);
    $qry = "INSERT INTO sessions VALUES ('$key', $expirytime, '$value')";
    $qid = mysqli_query($SESS_DBH, $qry);
    if (!$qid) {
        /* the row already exists, so update it instead */
        $qry = "UPDATE sessions SET expirytime = $expirytime, value = '$value' WHERE sessionid = '$key' AND expirytime > " . time();
        $qid = mysqli_query($SESS_DBH, $qry);
    }
    return (bool) $qid;
}

function sess_destroy($key) {
    global $SESS_DBH;
    $key = mysqli_real_escape_string($SESS_DBH, $key);
    $qry = "DELETE FROM sessions WHERE sessionid = '$key'";
    $qid = mysqli_query($SESS_DBH, $qry);
    return (bool) $qid;
}

function sess_gc($maxlifetime) {
    global $SESS_DBH;
    /* remove every session whose expiry time has passed */
    $qry = "DELETE FROM sessions WHERE expirytime < " . time();
    $qid = mysqli_query($SESS_DBH, $qry);
    return mysqli_affected_rows($SESS_DBH);
}

session_set_save_handler(
    "sess_open",
    "sess_close",
    "sess_read",
    "sess_write",
    "sess_destroy",
    "sess_gc");
?>
Code:
<?php
/* Call before session_start(): gives the existing session row a new id on every request */
function session_security() {
    $SESS_DBHOST = "******"; /* database server hostname */
    $SESS_DBNAME = "******"; /* database name */
    $SESS_DBUSER = "******"; /* database user */
    $SESS_DBPASS = "******"; /* database password */
    mysqli_report(MYSQLI_REPORT_OFF); /* report errors through return values */
    if (!$DBH = mysqli_connect($SESS_DBHOST, $SESS_DBUSER, $SESS_DBPASS)) {
        echo "<li>Can't connect to $SESS_DBHOST as $SESS_DBUSER";
        echo "<li>MySQL Error: ", mysqli_connect_error();
        die;
    }
    if (!mysqli_select_db($DBH, $SESS_DBNAME)) {
        echo "<li>Unable to select database $SESS_DBNAME";
        die;
    }
    if (!empty($_COOKIE['PHPSESSID'])) {
        /* the cookie is client-controlled, so escape it before using it in SQL */
        $sessionid = mysqli_real_escape_string($DBH, $_COOKIE['PHPSESSID']);
        /* random_bytes() replaces md5(microtime().mt_rand()), which is guessable */
        $new_sessionid = bin2hex(random_bytes(16));
        $qry = "UPDATE sessions SET sessionid = '$new_sessionid' WHERE sessionid = '$sessionid'";
        $qid = mysqli_query($DBH, $qry);
        session_id($new_sessionid);
    } else {
        session_id(bin2hex(random_bytes(16)));
    }
}
?>
What ya think???
Is it more secure?
Can it be improved upon?
Thx guys
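What the thread builds by hand (a new session id on each page request) can also be done with PHP's built-in session functions. The following is an added example, not code from any poster; the function names start_rotating_session and client_sent_session_cookie are made up for illustration, and it assumes PHP 7.3 or later with the default session handler.

```php
<?php
/**
 * Start the session with hardened cookie settings and rotate its id.
 * Must run before any output is sent.
 */
function start_rotating_session(bool $httpsOnly = true): string
{
    // Reject ids the server never issued (blocks session fixation).
    ini_set('session.use_strict_mode', '1');
    // Never accept or emit the id in URLs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,          // cookie lasts until the browser closes
        'path'     => '/',
        'secure'   => $httpsOnly, // only sent over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_start();

    // New id from PHP's own generator; true deletes the old session
    // record, so a copied old id stops working after this request.
    session_regenerate_id(true);

    return session_id();
}

/** The thread's original question: did the browser send a session cookie? */
function client_sent_session_cookie(): bool
{
    return isset($_COOKIE[session_name()]);
}
```

Deleting the old record on every request means a second request that still carries the previous id (parallel AJAX calls, a retried request) arrives with an id that no longer exists and gets a fresh, empty session.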