PHP Sessions and Data Persistence Using Session Tracking

PHP Sessions and Data Persistence

Using Session Tracking

Problem

You want to maintain information about a user as she moves through your site.

Solution

Use the sessions module. The session_start() function initializes a session, and accessing an element in the superglobal $_SESSION array tells PHP to keep track of the corresponding variable:

         session_start();

         if (! isset($_SESSION['visits'])) {

              $_SESSION['visits'] = 0;

         }

         $_SESSION['visits']++;

         print 'You have visited here '.$_SESSION['visits'].' times.';

Discussion

The sessions module keeps track of users by issuing them cookies with randomly generated session IDs.

By default, PHP stores session data in files in the /tmp directory on your server. Each session is stored in its own file. To change the directory in which the files are saved, set the session.save_path configuration directive to the new directory in php.ini or with ini_set(). You can also call session_save_path() with the new directory to change directories, but you need to do this before starting the session or accessing any session variables.

To start a session automatically on each request, set session.auto_start to 1 in php.ini. With session.auto_start, there’s no need to call session_start(), so if you have the ability to change your php.ini file, this is easiest.

With the session.use_trans_sid configuration directive turned on, if PHP detects that a user doesn’t accept the session ID cookie, it automatically adds the session ID to URLs and forms. For example, consider this code that prints a URL:

        print '<a href="train.php">Take the A Train</a>';

If sessions are enabled, but a user doesn’t accept cookies, what’s sent to the browser is something like:

        <a href="train.php?PHPSESSID=2eb89f3344520d11969a79aea6bd2fdd">↵

        Take the A Train</a>

In this example, the session name is PHPSESSID and the session ID name is 2eb89f3344520d11969a79aea6bd2fdd. PHP adds those to the URL so they are passed along to the next page. Forms are modified to include a hidden element that passes the session ID.

Due to a variety of security concerns relating to embedding session IDs in URLs, this behavior is disabled by default. To enable transparent session IDs in URLs, you need to turn on session.use_trans_sid in php.ini or through the use of ini_set('session.use_trans_sid', true) in your scripts before the session is started.

Although session.use_trans_sid is convenient, it can cause you some security-related headaches. Because URLs have session IDs in them, distribution of such a URL lets anybody who receives the URL act as the user to whom the session ID was given. A user who copies a URL from his web browser and pastes it into an email message sent to friends unwittingly allows all those friends (and anybody else to whom the message is forwarded) to visit your site and impersonate him.

What’s worse, when a user clicks a link on your site that takes him to another site, the user’s browser passes along the session ID–containing URL as the referring URL to the external site. Even if the folks who run that external site don’t maliciously mine these referrer URLs, referrer logs are often inadvertently exposed to search engines. Search for “PHPSESSID referer” on your favorite search engine, and you’ll probably find some referrer logs with PHP session IDs embedded in them.

Separately, redirects with the Location header aren’t automatically modified, so you have to add a session ID to them yourself using the SID constant:

        $redirect_url = 'http://www.example.com/airplane.php';

        if (defined('SID') && (!isset($_COOKIE[session_name()]))) {

             $redirect_url .= '?' . SID;

        }

        header("Location: $redirect_url");

The session_name() function returns the name of the cookie that stores the session ID, so this code appends the SID constant to $redirect_url if the constant is defined, and the session cookie isn’t set.