
Maintaining State in PHP with Sessions
What is a “Session”?



A continuous period of access, unique to each user that requests a PHP page from a website
Used to store “state” information on a Web server, e.g. user name, log-in state, authorization status, etc.
Only available for the current browser session
Try It





Navigate to http://ned.highline.edu/~tostrander/215/sessions/login.php
Login with username: bob, password: b123
Copy/paste the URL to another tab in the same browser
Close the browser and reopen it. Does it remember you?
Paste the URL into another browser. What happens?
Cookies v. Sessions

Cookies                              Sessions
Limited storage space                Practically unlimited space
Stored client-side (insecure)        Stored server-side (reasonably secure)
User controlled (can be disabled)    No user control
How do ‘Sessions’ work?

Each user is assigned a unique number, or session id, e.g.
26fe536a534d3c7cde4297abb45e275a
How do ‘Sessions’ work?


The session id is stored in a cookie or passed between pages via the URL.
Session data is stored in a text file on the server
    Filename is sess_sessionid
Session data can be accessed through a PHP superglobal, $_SESSION.
Sessions are easy to implement as PHP does all the work!
Starting or Resuming a Session
session_start();


Must be called before any output to browser
Must be called on every page that will participate in the session
If session_start() is not called, session data will not be available
No parameters
No return value
Starting or Resuming a Session
session_start();



PHP looks for a valid session id in the $_COOKIE or $_GET superglobals
If found, it loads the registered session variables
If none found, a new session id is created
Storing Session Data

The $_SESSION superglobal array can be used to store any session data.
$_SESSION['name'] = $name;
$_SESSION['age'] = $age;
Reading Session Data

Data is simply read back from the $_SESSION superglobal array.
$name = $_SESSION['name'];
$age = $_SESSION['age'];
Try It

Create a PHP script, session1.php
<?php
session_start();
$_SESSION['name'] = "Jose";
$_SESSION['age'] = 30;
?>

Create a PHP script, session2.php
<?php
session_start();
$name = $_SESSION['name'];
$age = $_SESSION['age'];
echo $name . " is " . $age;
?>

Navigate to session1.php, then to session2.php
Session Propagation


Sessions need to pass the session ID between pages as a user browses
Two ways:
    Cookie propagation: used when cookies are turned on
    URL propagation: used when cookies are turned off
Use session_id() to retrieve Session ID
Try It

Print the session ID in your PHP scripts
<?php
session_start();
$_SESSION['name'] = "Jose";
$_SESSION['age'] = 30;
echo session_id();
?>
Cookie Propagation


Client’s Web browser must be configured to accept cookies
Session ID is assigned to a temporary cookie called PHPSESSID
URL Propagation

The session id is propagated in the URL
(…some_folder/index.php?sid=26fe536a534d3c7cde4297abb45e275a)

PHP provides a global constant, SID, to append the
session id to any internal links
// htmlspecialchars() guards against markup injected through the session id
echo "<a href='nextpage.php?" . htmlspecialchars(SID)
   . "'>Next page</a>";

URL propagation is turned off on ned as a security
precaution. Therefore, if cookies are turned off, sessions
won't work.
And this means..?

We must be aware that sessions can be propagated
through the URL, and append the constant SID to
any internal links.

If sessions are being propagated by cookies, the
constant SID is an empty string, so the session id is
not passed twice.
Destroying a Session
Often not required, but if we want to destroy a session:
// a session must be active before it can be changed or destroyed
session_start();
// unset one session variable
unset($_SESSION['username']);
// clear all session variables
$_SESSION = array();
// destroy session
session_destroy();
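
A fuller logout, as an added example that is not part of the original slides: session_destroy() deletes the server-side data but leaves the PHPSESSID cookie in the browser, so the cookie is expired as well. It assumes cookie propagation and redirects to a page assumed to be called login.php.

```php
<?php
// Added example: complete logout for a cookie-propagated session.
session_start();                 // resume the session so it can be destroyed

$_SESSION = array();             // clear all session variables in this request

// Expire the session cookie in the browser, reusing the parameters it was
// originally set with so the browser matches the same cookie.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

session_destroy();               // delete the server-side session data

header('Location: login.php');   // assumed page name
exit;
```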
Session Expiry

By default, PHP sessions expire:

after a certain length of inactivity (default 1440s), the PHP garbage collector deletes session variables.
if propagated by cookies, default is to set a cookie that is destroyed when the browser is closed.
Important as most sessions will not be explicitly destroyed.
Cookie properties can be modified with session_set_cookie_params if required
If URL propagated, session id is lost as soon as the site is left.
Long-term Sessions

For most practical purposes PHP sessions can be
regarded as short-term.

Long-term session data (e.g. ‘remember me’ boxes) is
usually maintained by explicitly setting and retrieving
cookie data.
Session Hijacking

A security issue: a malicious user gets hold of an active session id that is not their own...

Joe is browsing site with cookies disabled (URL propagation)
Joe logs in
Joe sends an interesting link to Suzy by email
The URL contains his session id
Suzy looks at the link before Joe’s session id is destroyed, and ‘hijacks’ Joe’s session
Suzy is now logged in as Joe
… rule of thumb …
If you are truly security conscious you should assume that a session propagated by URL may be compromised.
Propagation using cookies is more secure, but still not foolproof.
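
A session bootstrap that closes the URL route used in the Joe and Suzy scenario and tightens the cookie route, as an added example that is not part of the original slides. It assumes PHP 7.3 or later and an HTTPS site; the function names, the IDLE_LIMIT constant and the last_seen key are hypothetical.

```php
<?php
// Added example: session start-up that limits the hijacking routes above.
// IDLE_LIMIT is an assumed constant, not something PHP defines.
const IDLE_LIMIT = 1440;   // seconds; mirrors the default inactivity period

function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore session ids in the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links with the id
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,        // cookie is discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only (assumes an HTTPS site)
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // withheld on most cross-site requests
    ]);
    session_start();

    // Enforce the idle limit explicitly; garbage collection runs only
    // probabilistically, so an idle session file can outlive the limit.
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && time() - $last > IDLE_LIMIT) {
        $_SESSION = array();
        session_regenerate_id(true);  // new id, old session file deleted
    }
    $_SESSION['last_seen'] = time();
}

// Call once the password check has succeeded.
function on_login_success(string $username): void
{
    session_regenerate_id(true);      // an id seen before login stops working
    $_SESSION['username'] = $username;
}

start_hardened_session();
```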