I dont understand a concept related to sessions.

raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

I dont understand a concept related to sessions.

Post by raghavan20 »

Can anyone explain these two paragraphs for me?

What does it mean by "If you propagate the session ID via cookies,"? :?
If you propagate the session ID via cookies, the default cookie lifetime is 0, meaning that the cookie is deleted as soon as the user closes the browser. You can influence the cookie's lifetime with the configuration value lifetime.
I normally have used only session_id(), session_start() and $_SESSION["variable_name"], so I am unaware of what they are talking of.

What's this again??? :?
If you don't use cookies but pass the session ID via GET or POST instead, you need to pay special attention to the garbage collection routines.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Re: I dont understand a concept related to sessions.

Post by feyd »

raghavan20 wrote: Can anyone explain these two paragraphs for me?

What does it mean by "If you propagate the session ID via cookies,"? :?
If you propagate the session ID via cookies, the default cookie lifetime is 0, meaning that the cookie is deleted as soon as the user closes the browser. You can influence the cookie's lifetime with the configuration value lifetime.
If your sessions are passed via cookies.
raghavan20 wrote: I normally have used only session_id(), session_start() and $_SESSION["variable_name"], so I am unaware of what they are talking of.

What's this again??? :?
If you don't use cookies but pass the session ID via GET or POST instead, you need to pay special attention to the garbage collection routines.
Garbage collection is an automatic process that is carried out periodically to clean the system of old session information. Someone accessing a link with a session ID in it may have an ID that has been destroyed, potentially changing the page's reaction. You need to take care with how you want to respond to the information in the session disappearing.
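As an added example (my own illustration, not feyd's code and not taken from the PHP manual), the following shows cookie-based propagation with the cookie lifetime made explicit, and a check for the situation feyd describes: a browser presents an ID whose server-side data has already been garbage-collected. The idle limit of 900 seconds, the gc_maxlifetime value and the /login.php path are assumptions.

```php
<?php
// Added example: cookie-based session ID propagation with an explicit lifetime
// and handling of an ID whose server-side data has been garbage-collected.

// Server-side session data becomes eligible for garbage collection after this
// many seconds of inactivity (1440 is PHP's default; assumed value here).
ini_set('session.gc_maxlifetime', '1440');
// Accept only IDs that this server created. An unknown ID (for example one whose
// data GC already removed) is replaced by a fresh ID instead of being adopted.
ini_set('session.use_strict_mode', '1');
// Never fall back to carrying the ID in URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// lifetime 0 = a session cookie, deleted when the browser closes (the default the
// quoted paragraph describes). The other flags keep the cookie off plain HTTP and
// out of reach of page scripts.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

$idleLimit = 900; // assumed application idle timeout in seconds
$now = time();

if (!isset($_SESSION['initiated'])) {
    // Either a brand-new visitor or an ID whose data disappeared (GC, or rejected
    // by strict mode). Treat both as "no session": issue a new ID so that a stale
    // or externally supplied ID is never used as the live one.
    session_regenerate_id(true);
    $_SESSION['initiated'] = $now;
    $_SESSION['last_seen'] = $now;
} elseif ($now - $_SESSION['last_seen'] > $idleLimit) {
    // Application-level expiry, independent of when PHP's GC happens to run.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php?reason=expired'); // assumed path
    exit;
} else {
    $_SESSION['last_seen'] = $now;
}

// From here on, $_SESSION is either freshly created or still within its limits.
echo 'Session active since ' . date('c', $_SESSION['initiated']);
```

The point of the `initiated` marker is that PHP gives no direct signal when a presented ID no longer has data behind it; the page only sees an empty `$_SESSION`. Deciding explicitly what to do in that case is the "special attention" the quoted manual text asks for.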
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Re: I dont understand a concept related to sessions.

Post by raghavan20 »

feyd wrote:
raghavan20 wrote: Can anyone explain these two paragraphs for me?

What does it mean by "If you propagate the session ID via cookies,"? :?
If you propagate the session ID via cookies, the default cookie lifetime is 0, meaning that the cookie is deleted as soon as the user closes the browser. You can influence the cookie's lifetime with the configuration value lifetime.
If your sessions are passed via cookies.
I am really sorry feyd, I still don't understand what you mean by passing sessions via cookie.
You once told me that sessions are stored on the server and cookies are stored on the client machine.

Why does one have to pass a session id using GET or POST?
What's the necessity?
If you normally want to check for session hijacking,
you can compare the session id from the database (initially stored during login) with the current session id.

Code:

session_start();
// $sessId: the session ID stored in the database at login (fetch it before this check)
if ($sessId !== session_id()) {
    header('Location: login.php'); // IDs differ: redirect
    exit;
}
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's referring to the session ID. In PHP, the session ID is transported via cookies and/or URL, depending on PHP system settings.

Session hijacking detection only involves the ID to see if it already exists. You wouldn't really have a way to detect a different ID if that's all you use to link a session with a user. Checking that the session's IP doesn't change too radically (steps outside the ISP it's attached to) can help, but as we've said previously, IP is quite unreliable.
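feyd's point is that comparing the stored ID with the presented ID only tells you the ID exists. As an added example (my own, not feyd's or the manual's code), the following does the two things that actually reduce the value of a copied ID: it regenerates the ID when the user authenticates, so an ID handed to the browser before login never becomes a logged-in session, and it binds the session to a coarse client fingerprint checked on every request. The fingerprint uses the User-Agent only, since, as feyd notes, IP addresses are unreliable; it is still spoofable, so this is a detection aid rather than a guarantee. The function names, the secret placeholder, the 10-minute rotation interval and the /login.php path are assumptions.

```php
<?php
// Added example (not feyd's code): session ID regeneration at login plus a
// per-request fingerprint check and periodic ID rotation.

ini_set('session.use_strict_mode', '1'); // reject IDs this server did not create
ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
session_start();

// Coarse fingerprint of the client. Keyed with a server-side secret so that the
// stored value reveals nothing about the client if session storage leaks.
function client_fingerprint(): string
{
    $secret = 'replace-with-a-per-deployment-secret'; // placeholder, assumed config value
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, $secret);
}

// Call after the password check has succeeded. $userId is whatever your user table uses.
function login_user(int $userId): void
{
    // Drop the pre-login ID so a fixated ID cannot carry the authenticated state.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['rotated_at']  = time();
}

// Call at the top of every page that requires a logged-in user.
function require_valid_session(): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        header('Location: /login.php'); // assumed path
        exit;
    }
    // Constant-time comparison; a mismatch means the ID is being presented from
    // a client that does not look like the one that logged in.
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php?reason=session_invalid'); // assumed path
        exit;
    }
    // Rotate the ID periodically so a leaked ID has a short useful life.
    if (time() - ($_SESSION['rotated_at'] ?? 0) > 600) { // 10 minutes, assumed
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
    return (int) $_SESSION['user_id'];
}

// Usage on a protected page:
// $userId = require_valid_session();
```

`session_regenerate_id(true)` deletes the old server-side record, so the previous ID stops working immediately rather than lingering until garbage collection; that is what makes the rotation meaningful.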
sweatje
Forum Contributor
Posts: 277
Joined: Wed Jun 29, 2005 10:04 pm
Location: Iowa, USA

Post by sweatje »

You can do some reading on transparent session ID propagation for more info:

from http://www.php.net/session
php manual wrote: session.use_trans_sid boolean

session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).

Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.

URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.
and
php manual wrote: Passing the Session ID

There are two methods to propagate a session id:

* Cookies
* URL parameter

The session module supports both methods. Cookies are optimal, but because they are not always available, we also provide an alternative way. The second method embeds the session id directly into URLs.

PHP is capable of transforming links transparently. Unless you are using PHP 4.2 or later, you need to enable it manually when building PHP. Under Unix, pass --enable-trans-sid to configure. If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically.

Note: The arg_separator.output php.ini directive allows you to customize the argument separator. For full XHTML conformance, specify &amp; there.

Alternatively, you can use the constant SID which is always defined. If the client did not send an appropriate session cookie, it has the form session_name=session_id. Otherwise, it expands to an empty string. Thus, you can embed it unconditionally into URLs.

The following example demonstrates how to register a variable, and how to link correctly to another page using SID.
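The quoted manual text contrasts the two propagation methods and warns that URL-based IDs end up in bookmarks and e-mails. As an added example (my own code, not the manual's example that the quote refers to), here are the weak and the hardened settings side by side, followed by a link helper that uses the SID constant the way the manual describes but refuses to append the ID when the server would ignore URL-carried IDs anyway. Setting the directives with ini_set() keeps the snippet self-contained; in a real deployment they belong in php.ini. The page name and query parameter are constructed.

```php
<?php
// Added example (not from the PHP manual): transparent SID propagation, the
// weak and the hardened configuration, and a link helper built on SID.

// --- Weak: transparent SID on. Relative links get ?PHPSESSID=... appended, so
// the ID lands in bookmarks, forwarded e-mails, Referer headers and server logs.
// ini_set('session.use_trans_sid', '1');
// ini_set('session.use_only_cookies', '0');

// --- Hardened: the ID travels in the cookie only; an ID in the query string is
// ignored, and an ID this server did not create is replaced.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();

// SID expands to "name=id" only when the client sent no session cookie, and to
// "" otherwise, so it can be embedded unconditionally (the manual's point).
// This helper goes one step further: when use_only_cookies is on, a URL-carried
// ID would be ignored by the server, so appending it would only leak it.
function link_with_sid(string $path, array $params = []): string
{
    $query = http_build_query($params, '', '&');
    $cookieOnly = ini_get('session.use_only_cookies') === '1';
    if (!$cookieOnly && defined('SID') && SID !== '') {
        $query .= ($query === '' ? '' : '&') . SID;
    }
    $url = $path . ($query === '' ? '' : '?' . $query);
    // Escape for use inside an HTML attribute; '&' becomes '&amp;' here.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed usage: with the hardened settings above this emits a plain link
// without any session ID, whether or not the client sent a cookie.
echo '<a href="' . link_with_sid('page2.php', ['article' => 42]) . '">next page</a>';
```

If a cookie-less fallback really is required, the cost is exactly the one the quoted text names: every copy of such a URL is a copy of the session, so the ID must be regenerated at login and expire quickly, as in the earlier posts.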