
Maintaining State in PHP with Sessions



Presentation Transcript


  1. Maintaining State in PHP with Sessions

  2. What is a “Session”?
  • A continuous period of access, unique to each user that requests a PHP page from a website
  • Used to store “state” information on a Web server, e.g. user name, log-in state, authorization status, etc.
  • Only available for the current browser session

  3. Try It
  • Navigate to http://ned.highline.edu/~tostrander/215/sessions/login.php
  • Login with username: bob, password: b123
  • Copy/paste the URL to another tab in the same browser
  • Close the browser and reopen it. Does it remember you?
  • Paste the URL into another browser. What happens?

  4. Cookies v. Sessions

  5. How do ‘Sessions’ work?
  • Each user is assigned a unique number, or session id, e.g. 26fe536a534d3c7cde4297abb45e275a

  6. How do ‘Sessions’ work?
  • The session id is stored in a cookie or passed between pages via the URL.
  • Session data is stored in a text file on the server
  • Filename is sess_sessionid
  • Session data can be accessed through a PHP superglobal, $_SESSION.

  7. Sessions are easy to implement as PHP does all the work!

  8. Starting or Resuming a Session
    session_start();
  • Must be called before any output to the browser
  • Must be called on every page that will participate in the session
  • If session_start() is not called, session data will not be available
  • No parameters
  • No return value

  9. Starting or Resuming a Session
    session_start();
  • PHP looks for a valid session id in the $_COOKIE or $_GET superglobals
  • If found, it loads the registered session variables
  • If none is found, a new session id is created

  10. Storing Session Data
  • The $_SESSION superglobal array can be used to store any session data.
    $_SESSION['name'] = $name;
    $_SESSION['age'] = $age;

  11. Reading Session Data
  • Data is simply read back from the $_SESSION superglobal array.
    $name = $_SESSION['name'];
    $age = $_SESSION['age'];

  12. Try It
  • Create a PHP script, session1.php
    <?php
    session_start();               // start (or resume) the session before any output
    $_SESSION['name'] = "Jose";    // store state on the server
    $_SESSION['age'] = 30;
    ?>
  • Create a PHP script, session2.php
    <?php
    session_start();               // resume the same session via its id
    $name = $_SESSION['name'];     // read the state back
    $age = $_SESSION['age'];
    echo $name . " is " . $age;
    ?>
  • Navigate to session1.php, then to session2.php

  13. Session Propagation
  • Sessions need to pass the session ID between pages as a user browses
  • Two ways:
    • Cookie propagation: used when cookies are turned on
    • URL propagation: used when cookies are turned off
  • Use session_id() to retrieve the Session ID

  14. Try It
  • Print the session ID in your PHP scripts
    <?php
    session_start();
    $_SESSION['name'] = "Jose";
    $_SESSION['age'] = 30;
    echo session_id();             // prints the current session id
    ?>

  15. Cookie Propagation
  • Client’s Web browser must be configured to accept cookies
  • Session ID is assigned to a temporary cookie called PHPSESSID

  16. URL Propagation
  • The session id is propagated in the URL (…some_folder/index.php?sid=26fe536a534d3c7cde4297abb45e275a)
  • PHP provides a global constant, SID, to append the session id to any internal links
    echo "<a href='nextpage.php?" . SID . "'>Next page</a>";
  • URL propagation is turned off on ned as a security precaution. Therefore, if cookies are turned off, sessions won't work.

  17. And this means..?
  • We must be aware that sessions can be propagated through the URL, and append the constant SID to any internal links.
  • If sessions are being propagated by cookies, the constant SID is an empty string, so the session id is not passed twice.

  18. Destroying a Session
  • Often not required, but if we want to destroy a session:
    // unset one session variable
    unset($_SESSION['username']);
    // clear all session variables
    $_SESSION = array();
    // destroy the session (removes the server-side session file)
    session_destroy();
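A complete logout page, added here as an example (it is not from the original slides): session_destroy() removes the server-side data, but the browser keeps sending the old PHPSESSID cookie until it is expired, so the script does both. The file name logout.php and the redirect target login.php are assumptions.

```php
<?php
// logout.php (added example): fully end the current session.
session_start();

// 1. Drop all session variables held for this request
$_SESSION = array();

// 2. Expire the session cookie so the browser stops sending the old id
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(
        session_name(),   // normally "PHPSESSID"
        '',
        time() - 42000,   // a time in the past expires the cookie
        $p['path'],
        $p['domain'],
        $p['secure'],
        $p['httponly']
    );
}

// 3. Delete the sess_<sessionid> file on the server
session_destroy();

// Send the user back to the login page
header('Location: login.php');
exit;
```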

  19. Session Expiry
  • By default, PHP sessions expire:
    • after a certain length of inactivity (default 1440s), the PHP garbage collector deletes session variables.
      • Important as most sessions will not be explicitly destroyed.
    • if propagated by cookies, the default is to set a cookie that is destroyed when the browser is closed.
      • Cookie properties can be modified with session_set_cookie_params if required
    • if URL propagated, the session id is lost as soon as the site is left.

  20. Long-term Sessions
  • For most practical purposes PHP sessions can be regarded as short-term.
  • Long-term session data (e.g. ‘remember me’ boxes) is usually maintained by explicitly setting and retrieving cookie data.

  21. Session Hijacking
  • A security issue: a malicious user gets hold of an active session id that is not their own...
    • Joe is browsing the site with cookies disabled (URL propagation)
    • Joe logs in
    • Joe sends an interesting link to Suzy by email
    • The URL contains his session id
    • Suzy looks at the link before Joe’s session id is destroyed, and ‘hijacks’ Joe’s session
    • Suzy is now logged in as Joe

  22. … rule of thumb … If you are truly security conscious you should assume that a session propagated by URL may be compromised. Propagation using cookies is more secure, but still not foolproof.
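Hardening that follows from slides 19, 21 and 22, as an added example (not from the original slides): refuse URL propagation, use cookie flags via session_set_cookie_params, issue a fresh id at login so an id captured before login is worthless, and enforce the 1440 s idle limit on every request rather than relying on the garbage collector. The function names are assumptions; the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// secure_session.php (added example, assumed helper names).
// Include before any output on every page that uses the session.
function start_secure_session(): void
{
    // Accept the id only from the cookie, never from the URL
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not generate itself
    ini_set('session.use_strict_mode', '1');
    // Cookie: HTTPS only, not readable by JavaScript, not sent cross-site
    session_set_cookie_params([
        'lifetime' => 0,          // deleted when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Userland idle timeout: the garbage collector (1440 s) only runs
    // probabilistically, so enforce the limit on every request as well
    $limit = 1440;
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > $limit) {
        $_SESSION = array();            // drop the stale state
        session_regenerate_id(true);    // fresh id, old file removed
    }
    $_SESSION['last_activity'] = time();
}

function login_user(string $username): void
{
    // New id at login, so an id captured beforehand no longer works
    session_regenerate_id(true);
    $_SESSION['username']  = $username;
    $_SESSION['logged_in'] = true;
}

function require_login(): void
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: login.php');
        exit;
    }
}
```

In login.php, after the password check succeeds, call start_secure_session() then login_user($username); every protected page calls start_secure_session() followed by require_login().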
