PHP Sessions Not working


QuickSnail
Forum Commoner
Posts: 46
Joined: Fri Dec 21, 2007 11:13 am

Re: PHP Sessions Not working

Post by QuickSnail »

Wow. Thank you for such a large post full of a lot of info. Thank you.

The IP changing is a good issue. I thought of it but didn't put it to a great concern.
Do you have other suggestions on checks to run through? As far as the idea of the IP checker.
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Re: PHP Sessions Not working

Post by Stryks »

You can generate some basic info about your user's system and use that to create a 'fingerprint' of their system. This 'fingerprint' is hardly unique, but it is static per user. So if a user is using IE 7 on his XP box, and he switches to Firefox, HTTP_USER_AGENT will change and so you force a re-login. Same if a user suddenly pops up with the same browser on a Mac, or Vista.

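Code:

<?php

session_start();

// User logs in: store a fingerprint built from the server-side secret,
// the browser's User-Agent header and the current session ID
$_SESSION['fingerprint'] = md5('your_super_secret_code' . $_SERVER['HTTP_USER_AGENT'] . session_id());
?>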
 
... and verify with ...

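Code:

<?php

session_start();

// Recompute the fingerprint for this request
$fingerprint = md5('your_super_secret_code' . $_SERVER['HTTP_USER_AGENT'] . session_id());
// Strict comparison: != would type-juggle two hex strings that look numeric
if (!isset($_SESSION['fingerprint']) || $_SESSION['fingerprint'] !== $fingerprint) {
    // This user has a different fingerprint than was expected
    echo "You must log in again to continue";
}
?>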
 
I'm sure I have an excellent link around here somewhere for an explanation of sessions and session security. I think I might have originally got that code from there actually. I'll have a hunt around and see if I can find it.

Cheers
Last edited by Stryks on Tue Oct 28, 2008 6:59 am, edited 1 time in total.
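
A hardened form of the fingerprint check from the post above, as an added example that is not part of the original thread: it replaces md5(secret . data) with a keyed HMAC-SHA256, compares with hash_equals(), and issues a fresh session ID at login. FINGERPRINT_KEY, the 'user_id' session key and the function names are assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread.
// FINGERPRINT_KEY is a constructed placeholder: load a random key from
// configuration kept outside the web root.
const FINGERPRINT_KEY = 'replace-with-a-random-32-byte-key';

function compute_fingerprint(array $server): string
{
    // A missing User-Agent header becomes '' instead of raising a notice.
    $agent = $server['HTTP_USER_AGENT'] ?? '';
    // HMAC keeps the secret out of a plain hash(secret . data) construction.
    return hash_hmac('sha256', $agent . '|' . session_id(), FINGERPRINT_KEY);
}

function bind_fingerprint_on_login(): void
{
    // New ID at the privilege change, so an ID planted before login
    // (session fixation) is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['fingerprint'] = compute_fingerprint($_SERVER);
}

function fingerprint_matches(): bool
{
    $stored = $_SESSION['fingerprint'] ?? null;
    // hash_equals() is constant-time and never type-juggles, unlike !=.
    return is_string($stored)
        && hash_equals($stored, compute_fingerprint($_SERVER));
}

function reject_session(): void
{
    // Drop the server-side data so the old ID cannot be reused.
    $_SESSION = [];
    session_destroy();
}

session_start();

// 'user_id' is a hypothetical key that the login handler sets right
// after calling bind_fingerprint_on_login().
if (isset($_SESSION['user_id']) && !fingerprint_matches()) {
    reject_session();
    echo 'You must log in again to continue';
    exit;
}
```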
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Re: PHP Sessions Not working

Post by Stryks »

Here is the link I was thinking of.

An excellent read, but seriously, don't go browsing the site ... you may never get around to coding ever again. :P
papa
Forum Regular
Posts: 958
Joined: Wed Aug 27, 2008 3:36 am
Location: Sweden/Sthlm

Re: PHP Sessions Not working

Post by papa »

Stryks wrote: Here is the link I was thinking of.

An excellent read, but seriously, don't go browsing the site ... you may never get around to coding ever again. :P
Great article I must say!
QuickSnail
Forum Commoner
Posts: 46
Joined: Fri Dec 21, 2007 11:13 am

Re: PHP Sessions Not working

Post by QuickSnail »

Great article, very informative.

It stated a very short comment about cookies and if a user doesn't accept cookies.
How might I go about logging a user in if cookies are not accepted? Should I prompt to allow cookies?
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Re: PHP Sessions Not working

Post by Stryks »

I don't really know if I am the best one to answer you on that one to be honest. I usually just require cookies to be enabled and say so on my Terms Of Use page or note it elsewhere. It's standard practice that cookies be enabled, but I do know of some who don't allow them.

I believe that sessions just fail if the user does not have cookies enabled, as the script does not receive any session ID.

As for designing your site to work without cookies, I don't think it happens automatically like cookie-based sessions do. Oh, wait .. the manual says ...
PHP is capable of transforming links transparently. Unless you are using PHP 4.2.0 or later, you need to enable it manually when building PHP. Under Unix, pass --enable-trans-sid to configure. If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically.
What this means for later versions, I'm not sure. Perhaps it IS by default in later versions. I always thought that you had to specifically pass the session ID in the URL ... such as in the manual page example.

Code:

<?php
 
session_start();
 
if (empty($_SESSION['count'])) {
 $_SESSION['count'] = 1;
} else {
 $_SESSION['count']++;
}
?>
 
<p>
Hello visitor, you have seen this page <?php echo $_SESSION['count']; ?> times.
</p>
 
<p>
To continue, <a href="nextpage.php?<?php echo htmlspecialchars(SID); ?>">click
here</a>.
</p>
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Re: PHP Sessions Not working

Post by Stryks »

Just had a bit of a tinker with a simple sessions page with my cookies off, and as expected, it just fails to initialize the session.

Using the session ID method from the manual seems to work a treat.

To catch non-cookie users, you could have users redirected to a page (let's say post_login.php) after they have logged in successfully and their session data has been set. If they hit that page and they have no session ID, bounce them to a warning page saying they have not been logged in, possibly due to a cookie problem. Maybe give a few instructions on turning them back on. Then let them choose to either continue using a less secure method, or try again with cookies enabled.

Either way, they would have to log in again.

On the other hand, if they reach post_login.php and the session ID is fine, then bounce them back out to wherever you need them to go.

But seriously, I don't really see any problem with using sessions with cookies and taking as many of the countermeasures mentioned earlier to limit issues as your desired user experience will allow.

There is a risk in either case, but I'd rather have my session IDs in a cookie than in every URL.

Cheers
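
The post_login.php check described in the post above, written for the cookie-only case, as an added example that is not part of the original thread. It assumes login.php has set $_SESSION['user_id'] and redirected here; cookie_warning.php, account.php, the 'user_id' key and the function name are hypothetical, and PHP 7.3 or later with HTTPS is assumed.

```php
<?php
// post_login.php: added example, not code from the thread.
// Assumptions: login.php set $_SESSION['user_id'] and redirected here;
// cookie_warning.php and account.php are hypothetical page names.

// Take the session ID from the cookie only, never from the URL,
// and do not let PHP rewrite links to carry it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// The same parameters must be set before session_start() on every page,
// login.php included, so the cookie is issued with these flags.
session_set_cookie_params([
    'lifetime' => 0,       // expire when the browser closes
    'path'     => '/',
    'secure'   => true,    // sent over HTTPS only
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);

function login_cookie_round_trip_ok(array $cookies, array $session): bool
{
    // True only if the browser sent the session cookie back AND the
    // session it names is the one login.php populated. With cookies
    // off, session_start() has just opened a new, empty session.
    return isset($cookies[session_name()]) && !empty($session['user_id']);
}

session_start();

if (!login_cookie_round_trip_ok($_COOKIE, $_SESSION)) {
    // Discard the empty session and explain the cookie requirement;
    // the user has to log in again either way.
    $_SESSION = [];
    session_destroy();
    header('Location: /cookie_warning.php', true, 303);
    exit;
}

// Cookie came back and the login data is present: carry on.
header('Location: /account.php', true, 303);
exit;
```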
QuickSnail
Forum Commoner
Posts: 46
Joined: Fri Dec 21, 2007 11:13 am

Re: PHP Sessions Not working

Post by QuickSnail »

Thank you so much for your help, all of you.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: PHP Sessions Not working

Post by califdon »

Here's a fairly good tutorial on Sessions and Cookies and their relations, and the alternatives of using url (GET) variables or form (POST) variables: http://www.free2code.net/tutorials/view ... page1.html