Use of session_start() when register_globals is off?

maldar
Forum Commoner
Posts: 49
Joined: Mon Aug 18, 2003 4:39 pm


Post by maldar »

What do you think about this:
In php.ini, register_globals is off. Is it a good idea to use session_start() at the start of all scripts that use session variables? Why?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

edit: oops, wrong thread :-S

session_start() is not only a good idea, it's mandatory. It starts up the session handling, i.e. see whether there is a session-token within the request or create one, then load the stored session-data (if there is any), ...
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

As volka said, but also, session_start() doesn't have anything to do with register_globals, why do you ask?

Mac
Bennettman
Forum Contributor
Posts: 130
Joined: Sat Jun 15, 2002 3:58 pm

Post by Bennettman »

As far as I know, it just activates the $_SESSION array for use if register_globals is off. If you don't have it before other session commands (like setting variables) they won't work.
maldar
Forum Commoner
Posts: 49
Joined: Mon Aug 18, 2003 4:39 pm

Post by maldar »

Yes,
Bennettman is right.
I want to use the $_SESSION array in my script for security reasons and want register_globals to always be off, but if I use session_start() in only one script, another script can access $_SESSION array elements without using session_start() at its start. Is it normal, or is there a security hole? Which is best: using the $_SESSION array or using session_is_registered()?
Thanks
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Yes, it's normal.
session_start() is not only a good idea, it's mandatory. It starts up the session handling, i.e. see whether there is a session-token within the request or create one, then load the stored session-data (if there is any)
I should have added:
This needs to be done for each request you want to use sessions with. HTTP is stateless, so you can't distinguish between the requests (not completely true, but anyway), so you can't tell which request is the follow-up of another. The only way is to use data that the client provides with each request. The standard mechanisms of PHP use a value (session-key) passed as a cookie or via get/post with the request. session_start() now searches for this value; it's supposed to be unique so it can identify a chain of requests of the same client. This value also identifies a set of data which is loaded by session_start(). This set is what you see as $_SESSION. When the script is done, i.e. one request is handled (or you shut down the session manually), the set is stored again. The session-handling started by session_start() also tries to assure that the unique session-key is passed by the client with the next request.
http://de.php.net/session_register wrote: register_globals: important note: Since PHP 4.2.0, the default value for the PHP directive register_globals is off. The PHP community encourages all to not rely on this directive but instead use other means, such as the superglobals.
session_register is more or less deprecated. Without good reason don't use it, use $_SESSION instead.

For more information about sessions/php take a look at http://www.zend.com/zend/tut/session.php
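The per-request behaviour described in the post above, as an added example that is not part of the original thread. It runs from the command line on PHP 7.1 or later, each function stands in for one HTTP request, and it assumes session.auto_start is 0 (the default) and the default files handler; the function names and the sample value are made up for the illustration.

```php
<?php
// Added illustration, not code from the thread. Run: php session_demo.php
// $sid plays the role of the session cookie the client sends back.

ini_set('session.use_cookies', '0');   // no browser here: the ID is passed by hand
ini_set('session.cache_limiter', '');  // the demo sends no cache headers
ini_set('session.save_path', sys_get_temp_dir());

// Request 1: no ID supplied, so session_start() creates one and an empty data set.
function first_request(): string
{
    session_start();
    $_SESSION['user'] = 'maldar';      // constructed sample value
    $sid = session_id();
    session_write_close();             // what PHP does when the script ends
    $_SESSION = [];                    // simulate the next request starting clean
    return $sid;
}

// Request 2: the client presents the ID, but the script never calls session_start().
function request_without_start(string $sid): ?string
{
    // The stored data was never loaded, so the key is absent.
    return $_SESSION['user'] ?? null;
}

// Request 3: same ID, and this time session_start() loads the stored data set.
function request_with_start(string $sid): ?string
{
    session_id($sid);                  // stands in for reading the cookie
    session_start();
    $user = $_SESSION['user'] ?? null;
    session_destroy();                 // remove the demo's session file
    $_SESSION = [];
    return $user;
}

$sid     = first_request();
$without = request_without_start($sid);
$with    = request_with_start($sid);

// All output is held until the end so no session call runs after output started.
printf("session id issued:        %s\n", $sid);
printf("without session_start():  %s\n", var_export($without, true));
printf("with session_start():     %s\n", var_export($with, true));
```

If a script appears to read $_SESSION without calling session_start(), check whether session.auto_start is enabled in php.ini or whether an included file already made the call.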
maldar
Forum Commoner
Posts: 49
Joined: Mon Aug 18, 2003 4:39 pm

Post by maldar »

Thanks a lot Volka :P
Your writing helped me in the best way. Thanks again