Why use session_id

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
jrenzi
Forum Newbie
Posts: 2
Joined: Sun Oct 16, 2005 9:11 am

Why use session_id

Post by jrenzi »

Jcart | Please use [code] and [/code] tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)


I have a doubt.
I don't understand why using session_id is necessary.
I can't understand why I need them.
I've already created a session manager class and it works quite well without
using session_id. Can anyone tell me why I would need to pass session_id
through URL or cookies?
Here I attach my session_manager class so someone can tell me if I'm doing
something wrong. As I said, it works quite well for me and I don't understand
if I should use the session_id somewhere. I know they're there for some reason, but can't see their utility.

Thanks in advance

```php
<?php
class session_manager
{
    // Idle timeout in minutes; converted to seconds in the constructor.
    public $s_timeout = 5;

    public function __construct()
    {
        // The original multiplied an undefined local $s_timeout; use the property.
        $this->s_timeout = $this->s_timeout * 60;
        session_start();
    }

    public function login($user, $pass)
    {
        $my_dao = new dao;
        // NOTE: $user and $pass are interpolated straight into the SQL and the
        // password is compared in clear text. Escape or bind them through the
        // dao layer and store a password hash before relying on this.
        $sql = "Select usuarios.*,delegaciones.ciudad "
             . "From usuarios "
             . "Inner Join delegaciones ON usuarios.delegacion = delegaciones.id "
             . "Where usuarios.usuario = '$user' AND usuarios.`password` = '$pass'";
        $my_dao->query($sql);

        if ($my_dao->nextrecord()) {
            $user_id = $my_dao->getfield("id");
            // The original passed the undefined $id here instead of $user_id.
            $this->set_user($user_id);
            return true;
        } else {
            $this->logout();
            return false;
        }
    }

    // Record the logged-in user and the time of their last activity in $_SESSION.
    public function set_user($id)
    {
        $_SESSION['s_user_id'] = $id;
        $_SESSION['s_start_time'] = time();
    }

    public function logout()
    {
        session_unset();
        session_destroy();
    }

    // True (and logs out) when the session has been idle longer than s_timeout;
    // otherwise refreshes the activity timestamp.
    public function timeout()
    {
        $start = isset($_SESSION['s_start_time']) ? $_SESSION['s_start_time'] : 0;
        $s_time = time() - $start;
        if ($s_time > $this->s_timeout) {
            $this->logout();
            return true;
        } else {
            $_SESSION['s_start_time'] = time();
            return false;
        }
    }

    public function is_logged()
    {
        if (isset($_SESSION['s_user_id'])) {
            return true;
        } else {
            $this->logout();
            return false;
        }
    }
}
```

User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You're automatically passing the session id around. It's used so your code can retrieve the data you've stored in that particular session. If you don't have it, you won't get any information out of the session data.
jrenzi
Forum Newbie
Posts: 2
Joined: Sun Oct 16, 2005 9:11 am

Post by jrenzi »

Could you write me an example so I can see it more clearly?

Thanks
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

An example of what? There's nothing to show that you don't already have... :?
User avatar
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

> Can anyone tell me why I would need to pass session_id through URL or cookies?
When you set data in $_SESSION, it gets saved to a file and the file is associated with a unique session id.

Now let's say the user login flag in SESSION is set, the login page request ends, and the user requests yet another page. But whoops, they pass no session id.

No session id, no way to know what file they originally used. Result? They get assigned a new session ID instead, they lose their login setting in SESSION.

Sessions allow the storage of state data between requests. Otherwise it would be impossible to identify any one page request with any one previous visitor... you need some kind of ID being passed from the client.
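The mechanism feyd and Maugrim describe above, as an added example that is not part of the original thread: a small Python model of PHP's default session handling (Python rather than PHP so that it runs stand-alone with no web server). The in-memory store standing in for the session save path, the cookie name `PHPSESSID`, the `s_user_id` key borrowed from jrenzi's class, and the three requests are all constructed for illustration. What it shows is that the id is the only link between a browser and its server-side data: the request that echoes the id back gets its login flag, and the request that arrives without it lands in a fresh, empty session.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for PHP's session save path: one entry per session id,
# just as the files handler writes one sess_<id> file per id.
STORE: Dict[str, dict] = {}
COOKIE_NAME = "PHPSESSID"  # PHP's default session.name


def session_start(cookies: Dict[str, str]) -> Tuple[str, dict, bool]:
    """Model of session_start(): look up the id the client sent; if it is
    missing, or was never issued by this server, mint a fresh random id with
    an empty data array. Returns (id, $_SESSION-like dict, created_new)."""
    sid = cookies.get(COOKIE_NAME)
    if sid is not None and sid in STORE:
        return sid, STORE[sid], False
    # 128 random bits: unguessable, which is the property a session id needs,
    # since presenting it is all it takes to be treated as that user.
    sid = secrets.token_hex(16)
    STORE[sid] = {}
    return sid, STORE[sid], True


def login_request(cookies: Dict[str, str], user_id: int) -> Dict[str, str]:
    """The login page: set the flag in the session and return the cookie the
    server would send back (the Set-Cookie header carrying the id)."""
    sid, sess, _ = session_start(cookies)
    sess["s_user_id"] = user_id
    return {COOKIE_NAME: sid}


def page_request(cookies: Dict[str, str]) -> Optional[int]:
    """Any later page: start the session from whatever the client sent and
    report who (if anyone) is logged in."""
    _sid, sess, _ = session_start(cookies)
    return sess.get("s_user_id")


def demo() -> Tuple[Optional[int], Optional[int], int]:
    STORE.clear()
    # Request 1: login; the server hands back the id in a cookie.
    set_cookie = login_request({}, user_id=42)
    # Request 2: the browser echoes the cookie, the same entry is found,
    # and the login flag is still there.
    with_id = page_request(set_cookie)
    # Request 3: the cookie is dropped (or the id was never put in the URL),
    # so the server cannot tell which entry was theirs and creates a new one.
    without_id = page_request({})
    return with_id, without_id, len(STORE)


if __name__ == "__main__":
    print(demo())  # (42, None, 2)
```

One caveat the model makes explicit: an id the server never issued is ignored and a fresh one minted, which is how PHP behaves with `session.use_strict_mode=1`; with the default of `0`, PHP creates a session under whatever id the client supplies. And because the id alone identifies the visitor, anyone who obtains it (a URL pasted into a chat, a cookie read off an unencrypted connection) is that user as far as `$_SESSION` is concerned, which is the reason to carry it in a cookie rather than the URL and to regenerate it once the user has logged in.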
Post Reply