use of session_start() when registered_globals is off ??
what do you think about this:
In php.ini, register_globals is off. Is it a good idea to use session_start() at the start of every script that uses session variables? Why?
twigletmac (Her Royal Site Adminness)

Bennettman (Forum Contributor)
Yes,
Bennettman is right.
I want to use the $_SESSION array in my scripts for security reasons and want register_globals to be off always, but if I use session_start() in only one script, other scripts can access $_SESSION array elements without using session_start() at the start. Is that normal? Or is there a security hole? Which is best: using the $_SESSION array or using session_is_registered()?
Thanks
Yes, it's normal.
This needs to be done for each request you want to use sessions with. HTTP is stateless, so you can't distinguish between requests (not completely true, but anyway), so you can't tell which request is the follow-up of another. The only way is to use data that the client provides with each request. The standard mechanism in PHP uses a value (the session key) passed as a cookie or via GET/POST with the request. session_start() then searches for this value; it's supposed to be unique so it can identify a chain of requests from the same client. This value also identifies a set of data which is loaded by session_start(). This set is what you see as $_SESSION. When the script is done, i.e. one request has been handled (or you shut down the session manually), the set is stored again. The session handling started by session_start() also tries to ensure that the unique session key is passed by the client with the next request.
For more information about sessions/php take a look at http://www.zend.com/zend/tut/session.php
I should have added: session_start() is not only a good idea, it's mandatory. It starts up the session handling, i.e. sees whether there is a session token within the request or creates one, then loads the stored session data (if there is any).
session_register() is more or less deprecated. Without good reason, don't use it; use $_SESSION instead. http://de.php.net/session_register wrote: "register_globals: important note: Since PHP 4.2.0, the default value for the PHP directive register_globals is off. The PHP community encourages all to not rely on this directive but instead use other means, such as the superglobals."
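The request cycle described in the replies above (session_start() finds or creates a session key, loads the matching data set into $_SESSION, and stores it again when the request ends), as an added example that is not code from this thread. It simulates three HTTP requests in one PHP CLI run: the client "returning its cookie" is imitated by calling session_id() by hand, because the CLI has no cookies. It assumes PHP 7.2 or later and a writable temp directory; the session file is written to sys_get_temp_dir(), which is a choice made for this demo.

```php
<?php
// Added example, not from the forum thread: three simulated requests showing what
// session_start() does and why each script must call it before touching $_SESSION.
// Assumptions: PHP CLI >= 7.2, files session handler, writable sys_get_temp_dir().
declare(strict_types=1);

// The CLI cannot send or receive cookies, so hand the id over explicitly below.
// In a web request PHP would read it from the PHPSESSID cookie (or GET/POST when
// session.use_only_cookies is 0, as it is here for the demo only).
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
session_save_path(sys_get_temp_dir());

// --- Request 1: first visit, no session key supplied -------------------------
// session_start() finds no key, so it generates a fresh one and an empty data set.
session_start();
$_SESSION['user']   = 'alice';     // constructed sample data
$_SESSION['visits'] = 1;
$sid = session_id();               // this is what the client would get as PHPSESSID
session_write_close();             // end of request: $_SESSION is stored under $sid
$_SESSION = [];                    // a new request starts with an empty superglobal

// --- Request 2: client sends the key back and the script calls session_start() ---
session_id($sid);                  // stands in for "cookie PHPSESSID=$sid arrived"
session_start();                   // key found -> stored set loaded into $_SESSION
// isset() on $_SESSION is the replacement for the old session_is_registered().
if (!isset($_SESSION['user'])) {
    throw new RuntimeException('session data was not loaded');
}
printf("request 2: user=%s visits=%d\n", $_SESSION['user'], $_SESSION['visits']);
$_SESSION['visits']++;
session_write_close();             // updated set (visits=2) is stored again
$_SESSION = [];

// --- Request 3: client sends the key, but the script forgot session_start() -----
session_id($sid);
// Nothing was loaded: $_SESSION is just an empty array in this request, regardless
// of what earlier requests stored. Knowing the key is not the same as loading the set.
printf("request 3 without session_start(): user set? %s\n",
       isset($_SESSION['user']) ? 'yes' : 'no');   // prints "no"

// --- Request 4: proves the data from request 2 really was persisted ----------
session_id($sid);
session_start();
printf("request 4: visits=%d\n", $_SESSION['visits']);   // 2
session_destroy();                 // clean up the demo's session file
```

Run it with `php sessions.php`. The point of request 3 is the OP's question: without session_start() a script sees an empty $_SESSION, so if one script appears to read session data "without" it, something else (an include, an auto_start setting) called session_start() for it; the data does not leak between scripts on its own. The demo deliberately sets session.use_only_cookies to 0 so the id can be injected from the command line; on a real server leave it at 1, so that a session key can only arrive in a cookie and not in a URL that somebody else chose for the client.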