Sessions with Register Globals Off.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

harryzhong
Forum Newbie
Posts: 3
Joined: Mon Sep 22, 2008 11:56 pm

Sessions with Register Globals Off.

Post by harryzhong »

Hello All.

I recently turned off register_globals on my shared hosting site, by creating a php.ini file with the line in it to turn it off.

Everything works fine, except my session data seems to disappear after about 2 mins!!

Here is the script I am using to test this.

<?php
session_start();

if(session_is_registered("isSessionActive")){
    echo 'session var is registered.<br><br>';
} else {
    session_register("isSessionActive");
    echo 'session var not registered, just registered it.<br><br>';
}

if(empty($_SESSION['isSessionActive'])){
    $_SESSION['isSessionActive'] = 'Session is not active!';
    echo $_SESSION['isSessionActive'];
} else {
    echo 'Session is active.';
}
?>

When I open a browser and load this page, it says, 'session not registered, just registered it.' & 'Session is not active!'. This makes sense, it's the first load, so nothing has been initialized.

When I refresh, I expect to see that the session is registered and is active, which I do.

Now if I leave it for about 2-3 minutes, it goes back to being unregistered! I've tried to print the $_SESSION array and it's empty!

I've checked my php.ini file and my timeout for session.gc_maxlifetime is the default of 1440, which is, I believe, 24 minutes.

If I delete the php.ini file I created to turn off register_globals, as in I turn it back on, this problem goes away.

All this is over https, btw.

Am I missing something here?

Thanks all.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: Sessions with Register Globals Off.

Post by Maugrim_The_Reaper »

session_is_registered() shouldn't be used with $_SESSION - the first checks for the existence of global variables in the sessions which are probably no longer present since you disabled register_globals. I'd stick solely to using $_SESSION for everything.

Re: Sessions with Register Globals Off.

Post by harryzhong »

Hmmm, do you mean I don't need to register session variables before using them?

I am using $_SESSION for all my scripts.

My user login area is using $_SESSION to keep track of a login id. On every page load, it checks if that id is there in session & also checks a timestamp in session to gauge inactivity. If it's been too long since last activity, it kills the session & prompts for a new login.

But since turning off register_globals, my users are getting kicked out after 2-3 minutes, instead of the 10 minutes I have scripted in my PHP.

Re: Sessions with Register Globals Off.

Post by Maugrim_The_Reaper »

You could almost say $_SESSION is a drop-in replacement for session_register(), especially when you are not using register_globals.

Re: Sessions with Register Globals Off.

Post by harryzhong »

Ok, so I've changed my test code to this:

<?php
session_start();

if(empty($_SESSION['isSessionActive'])){
    $_SESSION['isSessionActive'] = 'Session is not active!';
    echo $_SESSION['isSessionActive'];
} else {
    echo 'Session is active.';
}
?>

My session still resets after 3 mins. What could be going on?
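
The inactivity check described in this thread, written against $_SESSION only and paired with a dump of the session settings in effect, as an added example that is not part of any post above. The names IDLE_LIMIT, idle_state(), session_diagnostics() and the login_id / last_activity keys are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumed names: IDLE_LIMIT,
// idle_state(), session_diagnostics(), the 'login_id'/'last_activity' keys.
const IDLE_LIMIT = 600; // the 10-minute limit described in the thread

// Classify the session from its own data: 'new', 'active' or 'expired'.
function idle_state(array $session, int $now, int $limit = IDLE_LIMIT): string
{
    if (!isset($session['login_id'], $session['last_activity'])) {
        return 'new';
    }
    return ($now - $session['last_activity'] > $limit) ? 'expired' : 'active';
}

// Settings in effect for this request; compare the output with and without
// the custom php.ini in place.
function session_diagnostics(): array
{
    $keys = ['register_globals', 'session.save_handler', 'session.save_path',
             'session.gc_maxlifetime', 'session.gc_probability',
             'session.gc_divisor', 'session.cookie_lifetime'];
    $out = ['loaded php.ini' => php_ini_loaded_file()];
    foreach ($keys as $key) {
        $out[$key] = ini_get($key);
    }
    return $out;
}

session_start();
$cookieSent = isset($_COOKIE[session_name()]); // did the browser present an ID?
$state = idle_state($_SESSION, time());

if ($state !== 'active') {
    $_SESSION = [];                        // drop anything left over
    $_SESSION['login_id'] = 'test-user';   // constructed value, stands in for a login
}
$_SESSION['last_activity'] = time();

header('Content-Type: text/plain');
echo "state: $state, cookie sent: ", $cookieSent ? 'yes' : 'no', "\n";
// 'expired' can only come from the script's own limit. 'new' together with
// 'cookie sent: yes' means the browser presented a session ID but no stored
// data was found for it on the server.
foreach (session_diagnostics() as $key => $value) {
    echo $key, ' = ', var_export($value, true), "\n";
}
```

Reload the page at intervals shorter than IDLE_LIMIT and note which state appears when the session resets. Delete the script after testing, since it prints server configuration.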