How to check if a session exists?
Posted: Sun Jul 20, 2003 10:46 am
by Recoil UK
Hi guys
When using sessions, and you want to check if a session has existed before, how do you do it?
Thx guys
Posted: Sun Jul 20, 2003 12:20 pm
by Gen-ik
Check if one of the session variables is still active.. for example..
Code:
<?php
// $_SESSION is only populated after session_start(); without it the check below
// always fails. session_is_registered() (used in the original) was removed in
// PHP 5.4, so test the $_SESSION array directly.
session_start();
if (isset($_SESSION['username']))
{
// session is still active
}
else
{
// session has died
}
?>
Posted: Sun Jul 20, 2003 12:24 pm
by Recoil UK
Hi
Yeah I know that, maybe I should rephrase the question.
Unless you do session_start(); then it doesn't matter if you check for a session variable or not, it's not going to exist.
My question is therefore....
How do I check if a session previously existed, without calling session_start()?
Thx
Posted: Sun Jul 20, 2003 1:13 pm
by Recoil UK
Hi
Quick update on what I've found.
I think the following is what I need.
Code:
<?php
// session_name() returns the cookie name ("PHPSESSID" by default), so this keeps
// working if session.name is changed in php.ini. The original was missing the
// closing parenthesis of the if condition.
if (isset($_COOKIE[session_name()])) {
    session_start();
}
?>
Is this secure?
Thx
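The question "is this secure?" turns on what the cookie check actually proves. The following is an added example (not code from the thread) that builds on the isset() check above: it starts a session only when the browser presents something shaped like a session id, and relies on PHP's session.use_strict_mode so that an id with no server-side record is not adopted. The id regex and the "empty $_SESSION means no session" rule are this example's own choices; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the original thread. Answers "is
// isset($_COOKIE['PHPSESSID']) secure?": the cookie's presence only tells you
// the browser sent something, so this starts the session only when a plausible
// id is presented and lets session.use_strict_mode refuse ids that have no
// server-side record. The id regex and the "treat empty $_SESSION as no
// session" rule are this example's own choices. Requires PHP 7.1 or later.
declare(strict_types=1);

function looks_like_session_id(string $id): bool
{
    // PHP ids are drawn from [a-zA-Z0-9,-]; 22..256 is a deliberately narrow
    // window that still covers the default 32-character id (assumption: this is
    // stricter than PHP's own validator, which is the point of doing it here).
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
}

// Returns true only if the browser presented an id that maps to a live,
// non-empty session; never creates a session for a cookieless request.
function resume_existing_session(): bool
{
    $cookieName = session_name();   // "PHPSESSID" unless session.name is changed
    if (!isset($_COOKIE[$cookieName]) || !looks_like_session_id($_COOKIE[$cookieName])) {
        return false;
    }
    // Strict mode: an id with no server-side record is NOT adopted; PHP issues a
    // fresh one instead. Without it, an attacker can plant any id they like and
    // later hijack the session that gets created under it (session fixation).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    if (!session_start()) {
        return false;
    }
    // An unknown or expired id leaves $_SESSION empty: the cookie existed on the
    // client, but no session existed on the server.
    return $_SESSION !== [];
}

if (resume_existing_session()) {
    // a live session is open in $_SESSION
} else {
    // anonymous request: call session_start() only when there is something to store
}
```

The point of the split is that the cookie is client-controlled input: it can be present, well-formed and still refer to nothing, so the server-side store, not the cookie, is what decides whether a session exists.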
Posted: Sun Jul 20, 2003 1:19 pm
by Gen-ik
As soon as the browser is closed the session will be erased, so the only way you are going to be able to do this (why do you want to do this anyway?) is to store a cookie on the client's machine with the session details in it. That way you can simply check if the cookie exists, as long as the client can accept cookies, and as long as they don't delete them.
But a session is exactly what it sounds like, a session; it's only designed to last until the client closes their browser or until it times out.
For permanent stuff either use cookies or store info in a database.
Posted: Sun Jul 20, 2003 1:37 pm
by Recoil UK
Hi
Yeah I know that as soon as the browser is closed, the session will be erased.
What I'm trying to do is create a custom session handler that changes the session id on each page request.
The user also will not be getting the real session id; they will be getting one that is added to a randomly generated number.
The purpose of this is to protect myself against cookie tampering.
Thx
Posted: Sun Jul 20, 2003 1:39 pm
by Recoil UK
Hi again
> As soon as the browser is closed the session will be erased, so the only way you are going to be able to do this (why do you want to do this anyway?) is to store a cookie on the client's machine with the session details in it.
Well, I'm already checking to see if the cookie exists by using the isset command above.
Thx
Posted: Sun Jul 20, 2003 2:05 pm
by Gen-ik
> The purpose of this is to protect myself against cookie tampering.
How?
If someone wants to edit a cookie they can simply open their cookie folder and change what they like. Changing the session id won't protect cookies because the user can check the date of the last cookie added/updated.
Do you mean you are trying to protect the session(s) to prevent 'session hijacking'?
Posted: Sun Jul 20, 2003 3:32 pm
by Recoil UK
Hi
Well yeah, it will be to protect against session hijacking, but as sessions use a cookie, albeit a cookie held in memory, my example is correct.
Using this method, I believe it will be impossible for someone to alter the cookie without me knowing, thereby destroying the session.
Of course, I still won't be able to protect against someone not logging out or not closing their browser on a public PC, but it's a start.
L8rs
Posted: Wed Jul 23, 2003 9:11 pm
by Recoil UK
Hi guys
Ok, I've written 2 scripts (well, borrowed one and added a second) for my attempt at more secure sessions...
They are both written to be included at the top of the page.
Code:
<?php
$SESS_DBHOST = "******"; /* database server hostname */
$SESS_DBNAME = "******"; /* database name */
$SESS_DBUSER = "******"; /* database user */
$SESS_DBPASS = "******"; /* database password */
$SESS_DBH = null;
$SESS_LIFE = (int) ini_get("session.gc_maxlifetime");

/* Storage: table sessions(sessionid PRIMARY KEY, expirytime INT, value TEXT).
   The mysql_* extension used originally was removed in PHP 7; this uses PDO with
   bound parameters, because $key arrives in the client's cookie and was being
   interpolated straight into SQL in read/write/destroy. */
function sess_open($save_path, $session_name) {
    global $SESS_DBHOST, $SESS_DBNAME, $SESS_DBUSER, $SESS_DBPASS, $SESS_DBH;
    try {
        $SESS_DBH = new PDO("mysql:host=$SESS_DBHOST;dbname=$SESS_DBNAME;charset=utf8mb4",
                            $SESS_DBUSER, $SESS_DBPASS,
                            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (PDOException $e) {
        /* log, don't echo: the message can reveal host and user name */
        error_log("session store: " . $e->getMessage());
        return false;
    }
    return true;
}

function sess_close() {
    return true;
}

function sess_read($key) {
    global $SESS_DBH;
    $stmt = $SESS_DBH->prepare("SELECT value FROM sessions WHERE sessionid = ? AND expirytime > ?");
    $stmt->execute([$key, time()]);
    $value = $stmt->fetchColumn();
    /* the read handler must return a string; '' means "no data" */
    return $value === false ? '' : $value;
}

function sess_write($key, $val) {
    global $SESS_DBH, $SESS_LIFE;
    $expirytime = time() + $SESS_LIFE;
    /* One statement for insert-or-update. The original did INSERT, then on failure
       UPDATE ... AND expirytime > now, which silently lost the write for a row that
       had expired but not yet been garbage collected. */
    $stmt = $SESS_DBH->prepare(
        "INSERT INTO sessions (sessionid, expirytime, value) VALUES (?, ?, ?)
         ON DUPLICATE KEY UPDATE expirytime = ?, value = ?");
    return $stmt->execute([$key, $expirytime, $val, $expirytime, $val]);
}

function sess_destroy($key) {
    global $SESS_DBH;
    $stmt = $SESS_DBH->prepare("DELETE FROM sessions WHERE sessionid = ?");
    return $stmt->execute([$key]);
}

function sess_gc($maxlifetime) {
    global $SESS_DBH;
    $stmt = $SESS_DBH->prepare("DELETE FROM sessions WHERE expirytime < ?");
    $stmt->execute([time()]);
    return $stmt->rowCount();
}

session_set_save_handler(
    "sess_open",
    "sess_close",
    "sess_read",
    "sess_write",
    "sess_destroy",
    "sess_gc");
?>
Code:
<?php
/* Call this before session_start(). Renames the stored session to a fresh id and
   tells PHP to use that id, so the cookie the browser gets back is never one it
   chose. PHP's built-in session_regenerate_id(true), called after session_start(),
   achieves the same without touching the table directly. */
function session_security() {
    $SESS_DBHOST = "******"; /* database server hostname */
    $SESS_DBNAME = "******"; /* database name */
    $SESS_DBUSER = "******"; /* database user */
    $SESS_DBPASS = "******"; /* database password */
    try {
        $DBH = new PDO("mysql:host=$SESS_DBHOST;dbname=$SESS_DBNAME;charset=utf8mb4",
                       $SESS_DBUSER, $SESS_DBPASS,
                       [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (PDOException $e) {
        error_log("session store: " . $e->getMessage());
        die("session store unavailable");
    }
    /* 128 bits from the CSPRNG; md5(microtime() . mt_rand(10000, 50000)) as in the
       original is predictable (mt_rand is not cryptographic and the range is tiny). */
    $new_sessionid = bin2hex(random_bytes(16));
    if (isset($_COOKIE[session_name()])) {
        $sessionid = $_COOKIE[session_name()];
        /* the old id is attacker-controlled input: bind it, never interpolate it */
        $stmt = $DBH->prepare("UPDATE sessions SET sessionid = ? WHERE sessionid = ?");
        $stmt->execute([$new_sessionid, $sessionid]);
    }
    /* session_start() will now send a Set-Cookie carrying the new id */
    session_id($new_sessionid);
}
?>
The idea being that as soon as the page is accessed, the session id changes, providing more security.
What ya think???
Is it more secure?
Can it be improved upon?
Thx guys
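The two scripts above aim at a specific goal: the browser holds an id it never chose, and that id does not stay valid for long. The following is an added example (not code from the thread or from the poster) showing how that goal is reached with PHP's own session primitives, and handling two things a rotate-on-every-request scheme gets wrong: parallel requests from one browser (AJAX calls, image tags, a second tab) would present an id that was just renamed and lose the session, so this rotates on login and on a timer instead, and it keeps the superseded id readable for a short grace window, following the old-id/new-id hand-off the PHP manual shows for session_create_id(). ROTATE_AFTER, GRACE_SECONDS and the _created/_destroyed/_new_id session keys are this example's own names and values; it assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example, not code from the original thread. Rotates the session id on
// login and on a timer (not per request), keeps the old id valid for a grace
// window so parallel requests do not lose the session, and sets the cookie
// flags a hijacking defence depends on. ROTATE_AFTER, GRACE_SECONDS and the
// _created/_destroyed/_new_id keys are this example's own names and values.
// Requires PHP 7.3 or later.
declare(strict_types=1);

const ROTATE_AFTER  = 15 * 60; // seconds an id may live before being rotated
const GRACE_SECONDS = 60;      // seconds a superseded id is still honoured

function secure_session_start(): void
{
    ini_set('session.use_strict_mode', '1');   // never adopt an unknown client id
    ini_set('session.use_only_cookies', '1');  // no ids in URLs
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    if (isset($_SESSION['_destroyed'])) {
        if ($_SESSION['_destroyed'] < time() - GRACE_SECONDS) {
            // A superseded id presented long after rotation is either a very
            // late retry or a replayed stolen cookie; either way, drop it.
            session_unset();
            session_destroy();
            session_start();             // strict mode issues a brand-new id
            return;
        }
        if (isset($_SESSION['_new_id'])) {
            // Parallel request that still carries the old id: switch it to the
            // new one instead of failing it.
            $newId = $_SESSION['_new_id'];
            session_commit();
            session_id($newId);
            session_start();
            return;
        }
    }

    if (!isset($_SESSION['_created'])) {
        $_SESSION['_created'] = time();
    } elseif ($_SESSION['_created'] < time() - ROTATE_AFTER) {
        rotate_session_id();
    }
}

// Move the live session to a new CSPRNG-generated id; the old record stays for
// GRACE_SECONDS carrying only a pointer to the new id. Needs an active session.
function rotate_session_id(): void
{
    $data  = $_SESSION;
    $newId = session_create_id();
    $_SESSION['_destroyed'] = time();
    $_SESSION['_new_id']    = $newId;
    session_commit();                          // persist the markers under the old id

    session_id($newId);
    ini_set('session.use_strict_mode', '0');   // the new id has no record yet
    session_start();
    ini_set('session.use_strict_mode', '1');

    $_SESSION = $data;
    unset($_SESSION['_destroyed'], $_SESSION['_new_id']);
    $_SESSION['_created'] = time();
}

// Session fixation defence: the id the browser held before authentication must
// not be the one that carries the authenticated state.
function on_login(int $userId): void
{
    rotate_session_id();
    $_SESSION['user_id'] = $userId;
}

secure_session_start();
```

Like the poster's scripts, this is meant to be included at the top of every page. The cookie flags matter as much as the rotation: HttpOnly keeps script on the page from reading the id, Secure keeps it off plaintext HTTP, and strict mode is what stops an attacker from planting an id of their own choosing, which per-request rotation alone does not address.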