Maintaining State in PHP with Sessions
What is a “Session”?
• A continuous period of access, unique to each user that requests a PHP page from a website
• Used to store “state” information on a Web server, e.g. user name, log-in state, authorization status, etc.
• Only available for the current browser session
Try It
• Navigate to http://ned.highline.edu/~tostrander/215/sessions/login.php
• Login with username: bob, password: b123
• Copy/paste the URL to another tab in the same browser
• Close the browser and reopen it. Does it remember you?
• Paste the URL into another browser. What happens?
How do ‘Sessions’ work?
• Each user is assigned a unique number, or session id, e.g. 26fe536a534d3c7cde4297abb45e275a
How do ‘Sessions’ work?
• The session id is stored in a cookie or passed between pages via the URL.
• Session data is stored in a text file on the server
• Filename is sess_sessionid
• Session data can be accessed through a PHP superglobal, $_SESSION.
Starting or Resuming a Session
session_start();
• Must be called before any output to browser
• Must be called on every page that will participate in the session
• If session_start() is not called, session data will not be available
• No parameters
• No return value
Starting or Resuming a Session
session_start();
• PHP looks for a valid session id in the $_COOKIE or $_GET superglobals
• If found, it loads the registered session variables
• If none is found, a new session id is created
Storing Session Data
• The $_SESSION superglobal array can be used to store any session data.
$_SESSION['name'] = $name;
$_SESSION['age'] = $age;
Reading Session Data
• Data is simply read back from the $_SESSION superglobal array.
$name = $_SESSION['name'];
$age = $_SESSION['age'];
Try It
• Create a PHP script, session1.php
<?php
session_start();
$_SESSION['name'] = "Jose";
$_SESSION['age'] = 30;
?>
• Create a PHP script, session2.php
<?php
session_start();
$name = $_SESSION['name'];
$age = $_SESSION['age'];
echo $name . " is " . $age;
?>
• Navigate to session1.php, then to session2.php
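A defensive version of session2.php, added here as an illustration and not code from the slides: it reads the state written by session1.php, but checks that the keys exist before using them (reading an unset $_SESSION key raises a warning and yields null) and escapes the value before echoing it. The script name and the "Jose" values come from the slides; everything else is assumed.

```php
<?php
// session2.php (added example): read state written by session1.php, with guards.
session_start();   // must precede any output, on every participating page

// A visitor may land here without ever having run session1.php, so do not
// assume the keys are present.
if (!isset($_SESSION['name'], $_SESSION['age'])) {
    http_response_code(403);
    echo "No session data yet; visit session1.php first.";
    exit;
}

$name = $_SESSION['name'];
$age  = (int) $_SESSION['age'];   // cast: session values are whatever was stored, not guaranteed ints

// Session data often originates from user input, so escape it before it reaches HTML.
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . " is " . $age;
```

Visiting session1.php first and then this script prints "Jose is 30"; visiting this script in a fresh browser session returns the 403 message instead of a warning.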
Session Propagation
• Sessions need to pass the session ID between pages as a user browses
• Two ways:
  • Cookie propagation: used when cookies are turned on
  • URL propagation: used when cookies are turned off
• Use session_id() to retrieve the Session ID
Try It
• Print the session ID in your PHP scripts
<?php
session_start();
$_SESSION['name'] = "Jose";
$_SESSION['age'] = 30;
echo session_id();
?>
Cookie Propagation
• Client’s Web browser must be configured to accept cookies
• Session ID is assigned to a temporary cookie called PHPSESSID
URL Propagation
• The session id is propagated in the URL (…some_folder/index.php?sid=26fe536a534d3c7cde4297abb45e275a)
• PHP provides a global constant, SID, to append the session id to any internal links
echo "<a href='nextpage.php?" . SID . "'>Next page</a>";
• URL propagation is turned off on ned as a security precaution. Therefore, if cookies are turned off, sessions won't work.
And this means..?
• We must be aware that sessions can be propagated through the URL, and append the constant SID to any internal links.
• If sessions are being propagated by cookies, the constant SID is an empty string, so the session id is not passed twice.
Destroying a Session
Often not required, but if we want to destroy a session:
// unset one session variable
unset($_SESSION['username']);
// clear all session variables
$_SESSION = array();
// destroy session
session_destroy();
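A complete logout script, added as an example (not the slides' code), showing the three steps in order: clear the in-memory data, expire the PHPSESSID cookie in the browser, then remove the sess_<id> file with session_destroy(). The redirect target login.php is assumed.

```php
<?php
// logout.php (added example): full teardown of the current session.
session_start();   // we need the session open before we can destroy it

// 1. Drop every session variable for this request.
$_SESSION = array();

// 2. Expire the session cookie client-side. session_destroy() alone does not
//    touch the cookie, so the browser would keep presenting the old id.
//    Reuse the parameters the cookie was set with so the browser matches it.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(
        session_name(),          // "PHPSESSID" unless renamed
        '',
        time() - 42000,          // a time in the past expires the cookie
        $p['path'],
        $p['domain'],
        $p['secure'],
        $p['httponly']
    );
}

// 3. Delete the server-side sess_<id> file.
session_destroy();

header('Location: login.php');
exit;
```

Skipping step 2 is a common mistake: the server-side data is gone, but the browser keeps sending the old id until it closes, which makes the logout look incomplete in proxy logs and, without strict mode, lets the old id be re-populated on the next request.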
Session Expiry
• By default, PHP sessions expire:
  • after a certain length of inactivity (default 1440s), the PHP garbage collector deletes session variables.
    • Important as most sessions will not be explicitly destroyed.
  • if propagated by cookies, the default is to set a cookie that is destroyed when the browser is closed.
    • Cookie properties can be modified with session_set_cookie_params if required
  • If URL propagated, the session id is lost as soon as the site is left.
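Garbage collection only runs on a fraction of requests, so a session idle for longer than 1440s may still exist on disk. The following added example (not from the slides) enforces the idle limit in the application itself, and shows session_set_cookie_params() being called before session_start() as the slide describes. The IDLE_LIMIT name and the 'last_activity' key are my own; the HTTPS assumption is noted in the code.

```php
<?php
// Application-level inactivity timeout (added example).
// 1440 s mirrors PHP's default session.gc_maxlifetime.
define('IDLE_LIMIT', 1440);

// Cookie parameters take effect only if set before session_start().
// lifetime 0 keeps the slides' default: the cookie dies when the browser closes.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumes the site is served over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

$now = time();
if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > IDLE_LIMIT) {
    // Stale session: discard it ourselves rather than waiting for the collector.
    $_SESSION = array();
    session_destroy();
    session_start();                 // start a fresh, empty session for this visitor
    session_regenerate_id(true);     // and give it a new id, deleting the old file
}
$_SESSION['last_activity'] = $now;   // refresh the idle clock on every request
```

Include this at the top of every page that calls session_start(); a request arriving more than IDLE_LIMIT seconds after the previous one sees an empty $_SESSION even if the sess_ file was still present.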
Long-term Sessions
• For most practical purposes PHP sessions can be regarded as short-term.
• Long-term session data (e.g. ‘remember me’ boxes) is usually maintained by explicitly setting and retrieving cookie data.
Session Hijacking
• A security issue: a malicious user gets hold of an active session id that is not their own...
  • Joe is browsing the site with cookies disabled (URL propagation)
  • Joe logs in
  • Joe sends an interesting link to Suzy by email
  • The URL contains his session id
  • Suzy looks at the link before Joe’s session id is destroyed, and ‘hijacks’ Joe’s session
  • Suzy is now logged in as Joe
… rule of thumb … If you are truly security conscious you should assume that a session propagated by URL may be compromised. Propagation using cookies is more secure, but still not foolproof.
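The mitigations that follow from the Joe-and-Suzy scenario, as an added example rather than the slides' code: refuse ids from the URL (what the slides describe "ned" doing), reject ids the server never issued, keep the cookie out of scripts, and issue a fresh id at login so an id captured before authentication never becomes an authenticated one. The ini settings would normally live in php.ini; they are set inline so the script is self-contained. The credentials_valid() helper and the home.php target are hypothetical; bob/b123 is the demo account from the Try It slide.

```php
<?php
// login.php (added example): session settings hardened against id leakage and fixation.
ini_set('session.use_only_cookies', '1'); // never accept an id from ?PHPSESSID=...
ini_set('session.use_trans_sid', '0');    // never append the id to links or forms
ini_set('session.use_strict_mode', '1');  // discard ids the server did not generate
ini_set('session.cookie_httponly', '1');  // PHPSESSID not readable via document.cookie
ini_set('session.cookie_secure', '1');    // assumes HTTPS; cookie never sent in clear
ini_set('session.cookie_samesite', 'Lax');
session_start();

// Hypothetical credential check. A real application would look the hash up in a
// database; here the demo user from the slides is hashed on the fly.
function credentials_valid(string $user, string $pass): bool {
    $stored = ['bob' => password_hash('b123', PASSWORD_DEFAULT)];
    return isset($stored[$user]) && password_verify($pass, $stored[$user]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';

    if (credentials_valid($user, $pass)) {
        // Privilege change: replace the pre-login id and delete its sess_ file, so an
        // id that leaked earlier (shared link, shoulder-surfed cookie) stays anonymous.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        header('Location: home.php');
        exit;
    }

    http_response_code(401);
    echo "Login failed";
}
```

With use_only_cookies and use_trans_sid set this way, the link Joe emailed would carry no id at all, and with strict mode a guessed or stale id in a cookie is ignored rather than silently adopted.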