InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more


Using Session Tracking in PHP

InfinityCoder December 6, 2016

You want to maintain information about a user as she moves through your site.

Use the sessions module. The session_start() function initializes a session, and accessing an element in the superglobal $_SESSION array tells PHP to keep track of the corresponding variable:

session_start();
if (! isset($_SESSION['visits'])) {
    $_SESSION['visits'] = 0;
}
$_SESSION['visits']++;
print 'You have visited here '.$_SESSION['visits'].' times.';

The sessions module keeps track of users by issuing them cookies with randomly generated session IDs.
By default, PHP stores session data in files in the /tmp directory on your server. Each session is stored in its own file.

To change the directory in which the files are saved, set the session.save_path configuration directive to the new directory in php.ini or with ini_set().

You can also call session_save_path() with the new directory to change directories, but you need to do this before starting the session or accessing any session variables.
To start a session automatically on each request, set session.auto_start to 1 in php.ini. With session.auto_start, there’s no need to call session_start(), so if you have the ability to change your php.ini file, this is easiest.
With the session.use_trans_sid configuration directive turned on, if PHP detects that a user doesn’t accept the session ID cookie, it automatically adds the session ID to URLs and forms. For example, consider this code that prints a URL:

print '<a href="train.php">Take the A Train</a>';

If sessions are enabled, but a user doesn’t accept cookies, what’s sent to the browser is something like:

<a href="train.php?PHPSESSID=2eb89f3344520d11969a79aea6bd2fdd">Take the A Train</a>

In this example, the session name is PHPSESSID and the session ID is 2eb89f3344520d11969a79aea6bd2fdd. PHP adds both to the URL so they are passed along to the next page.

Forms are modified to include a hidden element that passes the session ID.
Due to a variety of security concerns relating to embedding session IDs in URLs, this behavior is disabled by default.

To enable transparent session IDs in URLs, you need to turn on session.use_trans_sid in php.ini or through the use of ini_set('session.use_trans_sid', true) in your scripts before the session is started.
Although session.use_trans_sid is convenient, it can cause you some security-related headaches.

Because URLs have session IDs in them, distribution of such a URL lets anybody who receives the URL act as the user to whom the session ID was given.

A user who copies a URL from his web browser and pastes it into an email message sent to friends unwittingly allows all those friends (and anybody else to whom the message is forwarded) to visit your site and impersonate him.
What’s worse, when a user clicks a link on your site that takes him to another site, the user’s browser passes along the session ID–containing URL as the referring URL to the external site.

Even if the folks who run that external site don’t maliciously mine these referrer URLs, referrer logs are often inadvertently exposed to search engines.

Search for “PHPSESSID referer” on your favorite search engine, and you’ll probably find some referrer logs with PHP session IDs embedded in them.
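To check whether your own site has already put session IDs into URLs, you can scan its access log for them. The following is an added example, not code from the original article: the log lines are constructed samples in Apache "combined" format, the function name is hypothetical, and the session name is assumed to be PHP's default, PHPSESSID.

```php
<?php
// Added example: report session IDs that appear in request URLs or Referer fields.
const SESSION_NAME = 'PHPSESSID'; // assumption: default session.name

// Constructed sample log lines (Apache combined format), not real traffic.
$sampleLog = <<<'LOG'
203.0.113.7 - - [06/Dec/2016:10:00:01 +0000] "GET /train.php?PHPSESSID=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Dec/2016:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 900 "http://www.example.com/train.php?PHPSESSID=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "Mozilla/5.0"
198.51.100.4 - - [06/Dec/2016:10:02:30 +0000] "GET /about.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
LOG;

/**
 * Returns [sessionId => ['request' => n, 'referer' => n]] for every ID found in a URL.
 */
function findLeakedSessionIds(string $log, string $name = SESSION_NAME): array
{
    // Captures the request target (1) and the Referer field (2) of a combined-format line.
    $line  = '/^\S+ \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "([^"]*)"/';
    // PHP session IDs consist of letters, digits, comma and minus.
    $param = '/[?&;]' . preg_quote($name, '/') . '=([A-Za-z0-9,-]+)/';
    $found = [];
    foreach (preg_split('/\R/', $log, -1, PREG_SPLIT_NO_EMPTY) as $entry) {
        if (!preg_match($line, $entry, $m)) {
            continue; // skip lines that are not in combined format
        }
        foreach (['request' => $m[1], 'referer' => $m[2]] as $where => $url) {
            if (preg_match($param, $url, $p)) {
                $found[$p[1]] ??= ['request' => 0, 'referer' => 0]; // PHP 7.4+
                $found[$p[1]][$where]++;
            }
        }
    }
    return $found;
}

foreach (findLeakedSessionIds($sampleLog) as $id => $hits) {
    // Print only a prefix so the report does not become another copy of the ID.
    printf("%s... request=%d referer=%d\n", substr($id, 0, 8), $hits['request'], $hits['referer']);
}
```

Any ID this reports should be treated as disclosed and its session destroyed on the server.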
Separately, redirects with the Location header aren’t automatically modified, so you have to add a session ID to them yourself using the SID constant:

$redirect_url = 'http://www.example.com/airplane.php';
if (defined('SID') && (!isset($_COOKIE[session_name()]))) {
    $redirect_url .= '?' . SID;
}
 
header("Location: $redirect_url");

The session_name() function returns the name of the cookie that stores the session ID, so this code appends the SID constant to $redirect_url if the constant is defined, and the session cookie isn’t set.
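If you decide not to carry session IDs in URLs at all, the application can verify that at startup instead of trusting php.ini. The following is an added example, not code from the original article: the function names are hypothetical, the session_start() options array requires PHP 7.0 or later (cookie_samesite requires 7.3), and cookie_secure assumes the site is served over HTTPS.

```php
<?php
// Added example: flag settings that let session IDs travel in URLs,
// then start a session that only ever uses a cookie.

/** Returns findings for the given session ini values (as returned by ini_get()). */
function auditSessionConfig(array $ini): array
{
    $findings = [];
    if (!empty($ini['session.use_trans_sid'])) {
        $findings[] = 'session.use_trans_sid is on: links and forms are rewritten to carry the ID';
    }
    if (empty($ini['session.use_only_cookies'])) {
        $findings[] = 'session.use_only_cookies is off: an ID supplied in the URL is accepted';
    }
    if (empty($ini['session.use_strict_mode'])) {
        $findings[] = 'session.use_strict_mode is off: an ID the server never issued is adopted';
    }
    return $findings;
}

/** Reads the three directives checked above from the running configuration. */
function currentSessionIni(): array
{
    $keys = ['session.use_trans_sid', 'session.use_only_cookies', 'session.use_strict_mode'];
    return array_combine($keys, array_map('ini_get', $keys));
}

/** Starts a session with per-request overrides, whatever php.ini says. */
function startCookieOnlySession(): bool
{
    return session_start([
        'use_trans_sid'    => 0,
        'use_only_cookies' => 1,
        'use_strict_mode'  => 1,
        'cookie_httponly'  => 1,
        'cookie_secure'    => 1,     // assumption: HTTPS-only site
        'cookie_samesite'  => 'Lax',
    ]);
}

foreach (auditSessionConfig(currentSessionIni()) as $finding) {
    error_log('session config: ' . $finding); // goes to the error log, not the response
}
// Keeps full URLs out of the Referer header sent to other sites.
header('Referrer-Policy: same-origin');
startCookieOnlySession();
```

With session.use_only_cookies on, PHP ignores a session ID passed in the URL, so the SID-appending redirect above has no effect under this configuration.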
