Session in COOKIE or GET



anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India


Post by anjanesh »

Hi

When using sessions, I normally used $PHPSESSID, but when register_globals is Off I have to use $_COOKIE['PHPSESSID'].

What if cookies are off and it's sent in the URL, where I would need to access it as $_GET['PHPSESSID']?

I would like to do something like
$PHPSESSID = $_COOKIE['PHPSESSID'] | $_GET['PHPSESSID'];

Is that possible?

Thanks
User avatar
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Test it out and see. ;)
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

$PHPSESSID = $_COOKIE['PHPSESSID'] | $_GET['PHPSESSID']; obviously doesn't work in PHP, but I was hoping for some alternative to achieve this line.
How would I know if PHPSESSID (assuming session.name is PHPSESSID) is coming from COOKIE or GET?

$_REQUEST['PHPSESSID'] does work, but I still can't figure out if it's from COOKIE or GET (without using isset($_COOKIE['PHPSESSID']) and isset($_GET['PHPSESSID'])).
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

If register globals is off, try using $HTTP_SESSION_VARS instead of $_SESSION.

If you're worried about variable poisoning:

e.g. from the manual ( http://php.net/manual/en/security.globals.php ):

```php
<?php
if (isset($_COOKIE['MAGIC_COOKIE'])) {

   // MAGIC_COOKIE comes from a cookie.
   // Be sure to validate the cookie data!

} elseif (isset($_GET['MAGIC_COOKIE']) || isset($_POST['MAGIC_COOKIE'])) {

   // The value was supplied in the URL or request body instead of a cookie.
   mail("admin@example.com", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']);
   echo "Security violation, admin has been alerted.";
   exit;

} else {

   // MAGIC_COOKIE isn't set through this REQUEST

}
?>
```
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

I don't get the problem. Who cares if it comes from the cookie or from the GET data?


Anyway, back on topic:

I usually use this handy function
http://us2.php.net/session_id
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

jshpro2 wrote: I don't get the problem, who cares if it comes from the cookie or from the GET data
I'm using $_COOKIE[session_name()] in my code.
This assumes cookies are enabled on the client side.

What if one client has cookies disabled? Automatically the session name would be sent across in $_GET, right? Because cookies are disabled.
In this case $_COOKIE[session_name()] will return an undefined index.
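As an added example (not code from any poster in this thread), here is one way to answer the question of where the session id came from: check the cookie first, fall back to GET/POST only to find out that it happened, validate the value before PHP sees it, and then let session_start() run with cookies as the only accepted source. The functions session_id_source() and valid_session_id() are names made up for this example, and the id length range is taken from the session.sid_length bounds of PHP 7.1+ (older md5-based ids are 32 characters and still pass). Assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread. session_id_source() and
// valid_session_id() are names invented here.

declare(strict_types=1);

/**
 * Report which superglobal delivered the session id for this request.
 * The cookie is checked first (the normal path); the URL or body only as a fallback.
 * Returns 'cookie', 'get', 'post' or 'none'.
 */
function session_id_source(): string
{
    $name = session_name();
    if (isset($_COOKIE[$name])) {
        return 'cookie';
    }
    if (isset($_GET[$name])) {
        return 'get';
    }
    if (isset($_POST[$name])) {
        return 'post';
    }
    return 'none';
}

/**
 * Ids generated by PHP use only the characters [0-9a-zA-Z,-] (the exact alphabet
 * depends on session.sid_bits_per_character, or session.hash_bits_per_character
 * before PHP 7.1) and are 22..256 characters long (session.sid_length range;
 * the old md5 default is 32). Anything else was not issued by this server.
 */
function valid_session_id(string $id): bool
{
    return preg_match('/\A[0-9a-zA-Z,-]{22,256}\z/', $id) === 1;
}

$name   = session_name();
$source = session_id_source();

switch ($source) {
    case 'cookie':
        if (!valid_session_id($_COOKIE[$name])) {
            // Malformed cookie value: forget it so session_start() issues a fresh id
            // (and a fresh Set-Cookie) instead of handing the junk to the save handler.
            unset($_COOKIE[$name]);
        }
        break;

    case 'get':
    case 'post':
        // The id arrived in the URL or body. A value the client chooses is exactly
        // what session fixation needs, and a URL-borne id ends up in logs, bookmarks
        // and Referer headers. Record it; do not adopt it.
        error_log(sprintf('%s sent a session id via %s',
            $_SERVER['REMOTE_ADDR'] ?? 'cli', strtoupper($source)));
        break;

    case 'none':
        // First visit, or a client that refuses cookies. Nothing to validate.
        break;
}

// Read the id from the cookie only (the default since PHP 5.3), then start.
ini_set('session.use_only_cookies', '1');
session_start();

// After session_start(), session_id() is the id actually in use. If it differs
// from what the cookie carried, PHP or the save handler rejected the cookie value.
if ($source === 'cookie' && isset($_COOKIE[$name]) && session_id() !== $_COOKIE[$name]) {
    error_log('cookie session id was not accepted; a new session was created');
}
```

With session.use_only_cookies on, a client that blocks cookies lands in the 'none' branch on every request and gets a new, empty session each time; the example does not try to rescue that case, because the only way to do so is to accept ids from the URL, which is the thing being avoided.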
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

*slaps forehead*

Gotcha now. I'd check against the cookie first because that's the way you normally want it to go... then, if that doesn't exist/isn't set, extract GET and parse it to make sure no XSS attack can be done.

A model similar to the code I posted above should work.
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Thanks for your input.
Anyway, I'm now thinking... this will be more work, to check which superglobal is sending the session name and id.

If you disable cookies and try logging into Yahoo Mail you'll get the message:
The browser you're using refuses to sign in. (cookies rejected)
Guess this is not worth it? Force users to switch on cookies? Or is it worth coding to receive session data in either of the streams? The Y! giant hasn't, at least!
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

I recommend that.

I personally refuse to support people who don't allow my site to set cookies.

It's either allow it, or sorry, you're out of luck. :wink:
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

Sami wrote: I recommend that.

I personally refuse to support people who don't allow my site to set cookies.

It's either allow it, or sorry, you're out of luck. :wink:
Thumbs up there...

On our sites if you have disabled cookie support in your browser we don't care if you never come to the site. Sometimes people can be more than a little anal/paranoid when it comes to security.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

I agree, I hate using GET sessids because the potential for some unknowing user to post a URL complete with session id is obvious. If they are completely against cookies, and can't even be bothered to allow a domain-specific list of cookies, then they shouldn't expect anything on the net to be capable of maintaining state between requests.

Personally I disable passing the session by GET. It's a security risk to the user, and yes, I'm a bit obsessive when it comes to security... ;)
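The "disable passing the session by GET" setup described above, together with the cookies-required check the Yahoo message illustrates, as an added example (not code from any poster in this thread). The weak settings are shown in comments next to the corrected ones; establish_login(), client_sends_cookies() and authenticate() are names invented here, the user table is constructed for the example, and it assumes PHP 7.3 or later (for session.cookie_samesite) and an HTTPS site (cookie_secure).

```php
<?php
// Added example, not code from the thread. Function names and the sample user
// store are inventions of this example.

declare(strict_types=1);

// Weak configuration (the behaviour the thread is worried about): PHP reads
// ?PHPSESSID=... from the URL and, with use_trans_sid on, writes the id into
// every link and form so a user can paste it anywhere.
//   session.use_only_cookies = 0
//   session.use_trans_sid    = 1
//
// Corrected configuration (must be set before session_start()):
ini_set('session.use_only_cookies', '1');   // ignore ids in the URL or body
ini_set('session.use_trans_sid', '0');      // never append the id to links/forms
ini_set('session.use_strict_mode', '1');    // reject ids this server never issued (PHP >= 5.5.2)
ini_set('session.cookie_httponly', '1');    // not readable from document.cookie
ini_set('session.cookie_secure', '1');      // sent over HTTPS only
ini_set('session.cookie_samesite', 'Lax');  // withheld on cross-site POSTs (PHP >= 7.3)

session_start();

/**
 * True if the browser returned our session cookie. Nobody has the cookie on the
 * very first request, so only ask on the second step of a flow, e.g. the POST of
 * a login form whose GET already started the session.
 */
function client_sends_cookies(): bool
{
    return isset($_COOKIE[session_name()]);
}

/**
 * Constructed user store for this example; real code reads a database.
 * Returns the user id on success, null otherwise.
 */
function authenticate(array $users, string $username, string $password): ?int
{
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash'])
        ? $users[$username]['id']
        : null;
}

/**
 * Swap the session id at the privilege boundary, so an id an attacker planted
 * or observed before login is useless afterwards (session fixation defence).
 */
function establish_login(int $userId): void
{
    session_regenerate_id(true);   // new id; the old session's data is deleted
    $_SESSION = [                  // start from a clean session array
        'user_id'    => $userId,
        'login_time' => time(),
    ];
}

// Constructed sample data (example only): one user with a hashed password.
$users = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!client_sends_cookies()) {
        // Same policy as the quoted Yahoo message: no cookie, no login.
        http_response_code(400);
        exit("The browser you're using refuses to sign in. (cookies rejected)");
    }

    $userId = authenticate($users,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? ''));

    if ($userId === null) {
        http_response_code(401);
        exit('Invalid username or password.');
    }

    establish_login($userId);
    header('Location: /home');
    exit;
}

// GET: render the login form. session_start() above already sent the cookie
// that client_sends_cookies() will look for on the POST.
echo '<form method="post"><input name="username"><input name="password" type="password"><button>Sign in</button></form>';
```

The cookies-required check works because the GET that renders the form already issued a Set-Cookie; a browser that refuses it shows up on the POST with no session cookie, which is the only reliable way to tell "cookies disabled" apart from "first visit".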
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Under "Sessions and security" in the PHP Manual:
Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network.
Even cookies can be listened to over network traffic.
Do you encrypt session ids when not over SSL?