Effective, efficient, foolproof, secure session handling
Posted: Tue Jun 10, 2003 6:33 am
Consider this your guide to reliable session handling procedures using PHP 4.2.0 or later versions.
These procedures are effective, i.e., they work. I tested them in an autonomous EasyPHP development environment.
They are efficient, i.e., they are achieved with minimal code that is clean and easy to understand and adapt. The URL remains clean and short, and lends itself to being saved as a bookmark.
They are foolproof. They don't use or impose cookies that users may be suspicious of (with good reason, nowadays), resent as an invasion of privacy or consider improper use of their hardware, and that malicious minds may tamper with. Users may switch computers and delete cookies with no adverse impact on session handling. The procedures don't rely on the GET method, which exposes variables and values for all to see and could be saved as an improper bookmark. They rather implement the POST method only, as a vehicle for user input.
They are secure. They provide minimal hooks for crooked minds. No cookies to steal and tamper with. No revealing URLs.
First, use PHP 4.2.0 and set up a proper environment. The following procedures were not tested with prior or later versions. Test at your own risk on other versions, but certainly not prior to version 4.
Disable automatic session parameters. Set session.auto_start to "off", set session.use_trans_sid to "0" (zero) and set register_globals to "off" (as recommended by the PHP authors). Take control of your session handling and minimize security risks.
Disable cookies. Set session.use_cookies to "off" and set variables_order to "EGPS". I leave the G (for the GET method) to keep the EasyPHP "infos php" script running. In a web production environment, I would consider discarding it.
For testing purposes, you may want to set session.save_handler to "files" to minimize other sources of trouble.
In the example code below, the ellipsis dots indicate that some code precedes or that more code follows.
Implement the session handling function in your script as follows:
```php
<?php
session_start();
...
```
Catch the session identifier as a variable for use as a hidden form parameter to reconnect to the session, as follows:
```php
...
$PHPSESSID = session_id(); // for use in a hidden form parameter to reconnect to the session
...
```
Session variables are stored in the superglobal $_SESSION array. If your variable is not registered, setting it will register it. Yes, you can forget the deprecated session_is_registered and session_register functions.
```php
...
if (!isset($_SESSION['firstvar']))
    $_SESSION['firstvar'] = 'undefined'; // registering the variable with a default of your choice
...
```
To adjust the session variable to a value input through a form, check for that value and set the session variable:
```php
...
if (!empty($_POST['firstvar']))
    $_SESSION['firstvar'] = $_POST['firstvar']; // setting the variable to form input
...
```
You can use the value in your session variable by calling it with $_SESSION['firstvar']. You can also call it with $firstvar if you first create a variable alias (using the equal sign followed by an ampersand as the alias operator) as follows:
```php
...
$firstvar =& $_SESSION['firstvar'];
...
```
Let's recapitulate the code into a full script named step_one.php. Values are passed through htmlspecialchars() when echoed so that form input cannot inject markup into the page:
```php
<?php
session_start();
$PHPSESSID = session_id(); // for use in a hidden form parameter to reconnect to the session
if (!isset($_SESSION['firstvar']))
    $_SESSION['firstvar'] = '0'; // registering the variable with a default of your choice
if (!empty($_POST['firstvar']))
    $_SESSION['firstvar'] = $_POST['firstvar']; // setting the variable to form input
$firstvar =& $_SESSION['firstvar']; // alias: $firstvar and $_SESSION['firstvar'] are the same variable
?>
<html>
<head>
<title>PHP Session Handling - Step One</title>
</head>
<body>
<h1>PHP Session Handling - Step One</h1>
<p>My firstvar is <?= htmlspecialchars($_SESSION['firstvar']) ?>. Yes, it is <?= htmlspecialchars($firstvar) ?>.</p>
</body>
</html>
```
To test that session variables are carried over, change the above HTML portion to the following:
```php
<html>
<head>
<title>PHP Session Handling - Step One</title>
</head>
<body>
<h1>PHP Session Handling - Step One</h1>
<p>My firstvar is <?= htmlspecialchars($_SESSION['firstvar']) ?>. Yes, it is <?= htmlspecialchars($firstvar) ?>.</p>
<form action="step_two.php" method="POST">
<!-- the session identifier travels in the POST body, not in a cookie or in the URL -->
<input type="hidden" name="PHPSESSID" value="<?= htmlspecialchars($PHPSESSID) ?>">
<p>Select a number:
<select name="firstvar">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
</select>
</p>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
```
The form in the step_one.php script calls upon the step_two.php script. Here it is:
```php
<?php
session_start(); // reconnects to the session whose identifier was posted as PHPSESSID
$PHPSESSID = session_id(); // for use in a hidden form parameter to reconnect to the session
if (!isset($_SESSION['firstvar']))
    $_SESSION['firstvar'] = '0'; // registering the variable with a default of your choice
if (!empty($_POST['firstvar']))
    $_SESSION['firstvar'] = $_POST['firstvar']; // setting the variable to form input
$firstvar =& $_SESSION['firstvar'];
if (!isset($_SESSION['secondvar']))
    $_SESSION['secondvar'] = 'X'; // registering the variable with a default of your choice
if (!empty($_POST['secondvar']))
    $_SESSION['secondvar'] = $_POST['secondvar']; // setting the variable to form input
$secondvar =& $_SESSION['secondvar'];
?>
<html>
<head>
<title>PHP Session Handling - Step Two</title>
</head>
<body>
<h1>PHP Session Handling - Step Two</h1>
<p>My firstvar is <?= htmlspecialchars($_SESSION['firstvar']) ?>. Yes, it is <?= htmlspecialchars($firstvar) ?>.</p>
<p>My secondvar is <?= htmlspecialchars($_SESSION['secondvar']) ?>. Yes, it is <?= htmlspecialchars($secondvar) ?>.</p>
<form action="step_three.php" method="POST">
<input type="hidden" name="PHPSESSID" value="<?= htmlspecialchars($PHPSESSID) ?>">
<p>Select a letter:
<select name="secondvar">
<option value="A">A</option>
<option value="B">B</option>
<option value="C">C</option>
</select>
</p>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
```
The new form in the step_two.php script calls upon the step_three.php script. Here it is:
```php
<?php
session_start(); // reconnects to the session whose identifier was posted as PHPSESSID
$PHPSESSID = session_id(); // for use in a hidden form parameter to reconnect to the session
if (!isset($_SESSION['firstvar']))
    $_SESSION['firstvar'] = '0'; // registering the variable with a default of your choice
if (!empty($_POST['firstvar']))
    $_SESSION['firstvar'] = $_POST['firstvar']; // setting the variable to form input
$firstvar =& $_SESSION['firstvar'];
if (!isset($_SESSION['secondvar']))
    $_SESSION['secondvar'] = 'X'; // registering the variable with a default of your choice
if (!empty($_POST['secondvar']))
    $_SESSION['secondvar'] = $_POST['secondvar']; // setting the variable to form input
$secondvar =& $_SESSION['secondvar'];
?>
<html>
<head>
<title>PHP Session Handling - Step Three</title>
</head>
<body>
<h1>PHP Session Handling - Step Three</h1>
<p>My firstvar is <?= htmlspecialchars($_SESSION['firstvar']) ?>. Yes, it is <?= htmlspecialchars($firstvar) ?>.</p>
<p>My secondvar is <?= htmlspecialchars($_SESSION['secondvar']) ?>. Yes, it is <?= htmlspecialchars($secondvar) ?>.</p>
<p>If you successfully implemented these session handling procedures, let the contributor know by sending an email to
<a href="mailto:PHPsession@laurentia.com?Subject=Comments on PHP session handling scripts">PHPsession@laurentia.com</a>.
If you have improvements or any other comments, do the same.</p>
</body>
</html>
```
The above scripts were tested and work. Happy PHP sessionning!
Contributed by Michel Gélinas, Canada. Email: PHPsession@laurentia.com
[Admin Edit: PHP tags added to make the code more readable]
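As an added example (not the original poster's code), here is the same hidden-field reconnect pattern with the checks a reviewer would ask for: the posted session identifier is accepted only if it has the shape PHP generates, a fresh identifier is issued on every request so the one in the previous form is single-use, form values are accepted only from the list the form offers, and everything echoed into HTML is escaped. It assumes the php.ini settings from the post (session.use_cookies=0, session.use_trans_sid=0) and PHP 5.1 or later for session_regenerate_id(true); the function names reconnect_session, session_var and h are this example's own.

```php
<?php
// Added example, not the original poster's code. Assumes session.use_cookies=0,
// session.use_trans_sid=0 (as in the post) and PHP >= 5.1 for session_regenerate_id(true).
// Accept a session id only from the POST form and only if it has the shape PHP
// generates; anything else is dropped so session_start() cannot pick it up itself.
function reconnect_session() {
    if (isset($_POST['PHPSESSID'])
        && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $_POST['PHPSESSID'])) {
        session_id($_POST['PHPSESSID']);
    } else {
        unset($_POST['PHPSESSID']); // session_start() would otherwise read it from $_POST
    }
    session_start();
    // Fresh id per request: the id in the previous form is single-use and a
    // pre-chosen id does not survive the first hop.
    session_regenerate_id(true);
    return session_id();
}
// Register $name with a default, then overwrite it from the form only when the
// posted value is one the form could legitimately have sent.
function session_var($name, $default, $allowed) {
    if (!isset($_SESSION[$name])) {
        $_SESSION[$name] = $default;
    }
    if (isset($_POST[$name]) && in_array($_POST[$name], $allowed, true)) {
        $_SESSION[$name] = $_POST[$name];
    }
    return $_SESSION[$name];
}
// Escape everything echoed into HTML, the session id included.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
$PHPSESSID = reconnect_session();
$firstvar  = session_var('firstvar', '0', array('1', '2', '3'));
?>
<html><body>
<h1>PHP Session Handling - Step One (validated)</h1>
<p>My firstvar is <?php echo h($firstvar); ?>.</p>
<form action="step_two.php" method="POST">
<input type="hidden" name="PHPSESSID" value="<?php echo h($PHPSESSID); ?>">
<select name="firstvar">
<option value="1">1</option><option value="2">2</option><option value="3">3</option>
</select>
<input type="submit" name="submit" value="Submit">
</form>
</body></html>
```

A posted firstvar outside the allowed list leaves the stored value untouched, and a posted PHPSESSID that does not match the pattern simply starts a new session rather than reconnecting.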