These procedures are effective, i.e., they work. I tested them in an autonomous EasyPHP development environment.
They are efficient, i.e., they are achieved with minimum code that is clean and easy to understand and adapt. The URL remains clean and short, and lends itself to being saved as a bookmark.
They are foolproof. They don't use or impose cookies that users may be suspicious of (with good reasons, nowadays), resent as an invasion of privacy or consider improper use of their hardware, and that malicious minds may tamper with. Users may switch computers and delete cookies with no adverse impact on session handling. Procedures don't rely on the GET method that exposes variables and values for all to know and that could be saved as an improper bookmark. They rather implement the POST method only as a vehicle for user input.
They are secure. They provide minimal hooks for crooked minds. No cookies to steal and tamper with. No revealing URLs.
First use PHP 4.2.0 and set a proper environment. The following procedures were not tested with prior or later versions. Test at your own risk on other versions, but certainly not prior to version 4.
Disable automated session parameters. Set session.auto_start to off, set session.use_trans_sid to 0 (zero) and set register_globals to off (as recommended by PHP authors). Take control of your session handling and minimize security risks.
Disable cookies. Set session.use_cookies to off and set variables_order to EGPS. I leave the G (for GET method) in to keep the EasyPHP "infos php" script running. In a web production environment, I would consider discarding it.
For testing purposes, you may want to set session.save_handler to files to minimize other sources of trouble.
In example code below, the ellipsis dots indicate that some code precedes or that more code will follow.
Implement session handling function in your script as follows:
```php
<?php
session_start();
...
```

```php
...
$PHPSESSID = session_id();
...
```

```php
...
if (!isset($_SESSION['firstvar']))
    $_SESSION['firstvar'] = 'undefined'; // registering the variable with a default of your choice
...
```

```php
...
if (!empty($_POST['firstvar']))
    $_SESSION['firstvar'] = $_POST['firstvar']; // setting the variable to form input
...
```

```php
...
$firstvar =& $_SESSION['firstvar'];
...
```
```php
<?php
session_start();
$PHPSESSID = session_id(); // for use in hidden form parameter to reconnect to session
if (!isset($_SESSION['firstvar']))
    $_SESSION['firstvar'] = '0'; // registering the variable with a default of your choice
if (!empty($_POST['firstvar']))
    $_SESSION['firstvar'] = $_POST['firstvar']; // setting the variable to form input
$firstvar =& $_SESSION['firstvar'];
?>
<html>
<head>
<title>PHP Session Handling - Step One</title>
</head>
<body>
<h1>PHP Session Handling - Step One</h1>
<p>My firstvar is <?= $_SESSION['firstvar'] ?>. Yes, it is <?= $firstvar ?>.</p>
</body>
</html>
```
```html
<html>
<head>
<title>PHP Session Handling - Step One</title>
</head>
<body>
<h1>PHP Session Handling - Step One</h1>
<p>My firstvar is <?= $_SESSION['firstvar'] ?>. Yes, it is <?= $firstvar ?>.</p>
<form action="step_two.php" method="POST">
<input type="hidden" name="PHPSESSID" value="<?= $PHPSESSID ?>">
<p>Select a number:
<select name="firstvar">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
</select>
</p>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
```
```php
<?php
session_start();
$PHPSESSID = session_id(); // for use in hidden form parameter to reconnect to session
if (!isset($_SESSION['firstvar']))
    $_SESSION['firstvar'] = '0'; // registering the variable with a default of your choice
if (!empty($_POST['firstvar']))
    $_SESSION['firstvar'] = $_POST['firstvar']; // setting the variable to form input
$firstvar =& $_SESSION['firstvar'];
if (!isset($_SESSION['secondvar']))
    $_SESSION['secondvar'] = 'X'; // registering the variable with a default of your choice
if (!empty($_POST['secondvar']))
    $_SESSION['secondvar'] = $_POST['secondvar']; // setting the variable to form input
$secondvar =& $_SESSION['secondvar'];
?>
<html>
<head>
<title>PHP Session Handling - Step Two</title>
</head>
<body>
<h1>PHP Session Handling - Step Two</h1>
<p>My firstvar is <?= $_SESSION['firstvar'] ?>. Yes, it is <?= $firstvar ?>.</p>
<p>My secondvar is <?= $_SESSION['secondvar'] ?>. Yes, it is <?= $secondvar ?>.</p>
<form action="step_three.php" method="POST">
<input type="hidden" name="PHPSESSID" value="<?= $PHPSESSID ?>">
<p>Select a letter:
<select name="secondvar">
<option value="A">A</option>
<option value="B">B</option>
<option value="C">C</option>
</select>
</p>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
```
```php
<?php
session_start();
$PHPSESSID = session_id(); // for use in hidden form parameter to reconnect to session
if (!isset($_SESSION['firstvar']))
    $_SESSION['firstvar'] = '0'; // registering the variable with a default of your choice
if (!empty($_POST['firstvar']))
    $_SESSION['firstvar'] = $_POST['firstvar']; // setting the variable to form input
$firstvar =& $_SESSION['firstvar'];
if (!isset($_SESSION['secondvar']))
    $_SESSION['secondvar'] = 'X'; // registering the variable with a default of your choice
if (!empty($_POST['secondvar']))
    $_SESSION['secondvar'] = $_POST['secondvar']; // setting the variable to form input
$secondvar =& $_SESSION['secondvar'];
?>
<html>
<head>
<title>PHP Session Handling - Step Three</title>
</head>
<body>
<h1>PHP Session Handling - Step Three</h1>
<p>My firstvar is <?= $_SESSION['firstvar'] ?>. Yes, it is <?= $firstvar ?>.</p>
<p>My secondvar is <?= $_SESSION['secondvar'] ?>. Yes, it is <?= $secondvar ?>.</p>
<p>If you successfully implemented these session handling procedures, let the contributor know by sending an email to
<a href="mailto:PHPsession@laurentia.com?Subject=Comments on PHP session handling scripts">PHPsession@laurentia.com</a>.
If you have improvements or any other comments, do the same.</p>
</body>
</html>
```

Contributed by Michel Gélinas, Canada. Email: PHPsession@laurentia.com
Note: This repeated post is reformatted as strongly advocated by the moderator. Code was not changed at all.
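As an added example, not the original post's code, here is a hardened variant of the per-step prologue the scripts above share: it checks at runtime that the php.ini settings the post prescribes are actually in force, accepts a posted PHPSESSID only if it is in the character set PHP itself issues, copies form input into the session only when it is one of the values the form offers, and escapes the values on output. The function names and the session-id pattern are assumptions of this example.

```php
<?php
// Added example, not the original post's code. Assumes the php.ini settings the
// post prescribes (cookies, trans_sid, register_globals, auto_start all off).
// Fail loudly if a setting the procedure depends on is not in force, instead of
// silently falling back to cookies or URL-embedded ids.
function session_ini_problems()
{
    $problems = array();
    $keys = array('session.auto_start', 'session.use_cookies',
                  'session.use_trans_sid', 'register_globals');
    foreach ($keys as $key) {
        if (ini_get($key)) {          // "1" when on, "" or "0" when off
            $problems[] = "$key must be off";
        }
    }
    return $problems;
}
// Accept a posted session id only if it is in the character set PHP itself
// issues (assumed pattern); anything else is rejected before session_start().
function session_id_is_sane($id)
{
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id) === 1;
}
// Register a session variable with its default, then overwrite it from the form
// only with a value the form actually offers. isset() also lets a legitimate
// '0' through, which the post's empty() test would reject.
function register_session_var($name, $default, $allowed)
{
    if (!isset($_SESSION[$name])) {
        $_SESSION[$name] = $default;
    }
    if (isset($_POST[$name]) && in_array($_POST[$name], $allowed, true)) {
        $_SESSION[$name] = $_POST[$name];
    }
    return $_SESSION[$name];
}
if ($problems = session_ini_problems()) {
    die('Session configuration error: ' . implode('; ', $problems));
}
if (isset($_POST['PHPSESSID']) && !session_id_is_sane($_POST['PHPSESSID'])) {
    header('HTTP/1.0 400 Bad Request');
    die('Malformed session id.');
}
session_start();
$PHPSESSID = session_id();  // for the hidden form parameter, as in the post
$firstvar  = register_session_var('firstvar',  '0', array('1', '2', '3'));
$secondvar = register_session_var('secondvar', 'X', array('A', 'B', 'C'));
?>
<p>My firstvar is <?= htmlspecialchars($firstvar) ?>. My secondvar is <?= htmlspecialchars($secondvar) ?>.</p>
```

The whitelist check is what keeps the echoed session values safe to print: without it, whatever a client posts as firstvar would be stored and reflected into the page.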