use of session_start() when register_globals is off ??
Posted: Thu Sep 04, 2003 10:52 am
by maldar
What do you think about this: in php.ini register_globals is off. Is it a good idea to use session_start() at the start of all scripts that use session variables? Why?

Posted: Thu Sep 04, 2003 11:16 am
by volka
edit: oops, wrong thread :-S
session_start() is not only a good idea, it's mandatory. It starts up the session handling, i.e. see whether there is a session-token within the request or create one, then load the stored session-data (if there is any), ...
Posted: Fri Sep 05, 2003 3:34 am
by twigletmac
As volka said, but also, session_start() doesn't have anything to do with register_globals, why do you ask?
Mac
Posted: Fri Sep 05, 2003 7:33 am
by Bennettman
As far as I know, it just activates the $_SESSION array for use if register_globals is off. If you don't have it before other session commands (like setting variables) they won't work.
Posted: Fri Sep 05, 2003 9:30 am
by maldar
Yes, Bennettman is right.
I want to use the $_SESSION array in my script for security reasons and want register_globals to always be off, but if I use session_start() in only one script, other scripts can access $_SESSION array elements without using session_start() at the start. Is that normal, or is there a security hole? Which is best: using the $_SESSION array or using session_is_registered()?
Thanks
Posted: Fri Sep 05, 2003 9:40 am
by volka
yes, it's normal.
session_start() is not only a good idea, it's mandatory. It starts up the session handling, i.e. see whether there is a session-token within the request or create one, then load the stored session-data (if there is any)
I should have added:
This needs to be done for each request you want to use sessions with. HTTP is stateless, so you can't distinguish between the requests (not completely true, but anyway), so you can't tell which request is the follow-up of another. The only way is to use data that the client provides with each request. The standard mechanisms of PHP use a value (session-key) passed as a cookie or via get/post with the request. session_start() now searches for this value; it's supposed to be unique so it can identify a chain of requests of the same client. This value also identifies a set of data which is loaded by session_start(). This set is what you see as $_SESSION. When the script is done, i.e. one request is handled, (or you shut down the session manually) the set is stored again. The session-handling started by session_start() also tries to assure that the unique session-key is passed by the client with the next request.
http://de.php.net/session_register wrote: register_globals: important note: Since PHP 4.2.0, the default value for the PHP directive register_globals is off. The PHP community encourages all to not rely on this directive but instead use other means, such as the superglobals.
session_register is more or less deprecated. Without good reason don't use it, use $_SESSION instead.
For more information about sessions/php take a look at
http://www.zend.com/zend/tut/session.php
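
The per-request behaviour volka describes, as an added example that is not part of any post in the thread: a PHP CLI script in which each call to the hypothetical helper request() plays one HTTP request, with the session key handed over by hand instead of by cookie. The helper name, the 'user' key and the stored value are constructed for illustration, and the temp directory is assumed to be writable.

```php
<?php
// Added example (not from the thread). Run with the PHP CLI (PHP 7.1 or later).
// Each request() call stands in for one HTTP request from a client.
ini_set('session.use_cookies', '0');   // no cookies in the CLI; the key is passed by hand
ini_set('session.cache_limiter', '');  // no cache headers needed here
session_save_path(sys_get_temp_dir()); // assumption: the temp dir is writable

/**
 * Hypothetical helper: handle one request.
 * $key   session key the client sent (null = new client)
 * $start whether this script calls session_start()
 * $store value to write into $_SESSION['user'], if any
 * Returns [session key, value of $_SESSION['user'] as the script sees it].
 */
function request(?string $key, bool $start, ?string $store = null): array
{
    $_SESSION = [];                        // a fresh request has nothing in memory
    if ($start) {
        session_id($key ?? session_create_id()); // key from the client, or a new one
        session_start();                   // loads the data set stored under that key
        $key = session_id();
        if ($store !== null) {
            $_SESSION['user'] = $store;
        }
    }
    $seen = $_SESSION['user'] ?? null;
    if ($start) {
        session_write_close();             // end of request: the set is stored again
    }
    return [$key, $seen];
}

[$key]              = request(null, true, 'maldar'); // request 1 stores a value
[, $noStart]        = request($key, false);          // request 2 skips session_start()
[, $started]        = request($key, true);           // request 3 calls it, same key
[$otherKey, $other] = request(null, true);           // another key, another data set

// Remove the constructed session files again.
foreach ([$key, $otherKey] as $k) {
    session_id($k);
    session_start();
    session_destroy();
}

var_dump($noStart, $started, $other);
```

Only the request that calls session_start() with the original key gets the stored value back; the request that skips the call and the request with a different key both see nothing.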
Posted: Fri Sep 05, 2003 9:57 am
by maldar
Thanks a lot, Volka.
Your writing helped me in the best way. Thanks again.