
How Session is Handled in PHP


INTRODUCTION

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.

A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

The session support allows you to store data between requests in the $_SESSION super global array. When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start() or implicitly through session_register()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated.


Code for differentiating guests and logged-in members:

<?php
// Start (or resume) the session
session_start();

if (isset($_SESSION['user'])) {
    // Code for logged-in members

    // Identify the user
    $user = $_SESSION['user'];

    // Show information for the user.
} else {
    // Code to show to guests
}
?>


BASIC USAGES OF SESSION

• Sessions are a simple way to store data for individual users against a unique session ID. This can be used to persist state information between page requests. Session IDs are normally sent to the browser via session cookies and the ID is used to retrieve existing session data. The absence of an ID or session cookie lets PHP know to create a new session, and generate a new session ID.

• Sessions follow a simple workflow. When a session is started, PHP will either retrieve an existing session using the ID passed (usually from a session cookie) or if no session is passed it will create a new session. PHP will populate the $_SESSION superglobal with any session data after the session has started. When PHP shuts down, it will automatically take the contents of the $_SESSION superglobal, serialize it, and send it for storage using the session save handler.


• Sessions can be started manually using the session_start() function. If the session.auto_start directive is set to 1, a session will automatically start on request startup.

• Sessions normally shutdown automatically when PHP is finished executing a script, but can be manually shutdown using the session_write_close() function.


Registering a variable with $_SESSION

<?php
session_start();

// Initialise the counter on the first visit, increment it afterwards
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
} else {
    $_SESSION['count']++;
}
?>


Unregistering a variable with $_SESSION

<?php
session_start();

// Remove a single variable from the session
unset($_SESSION['count']);
?>


SESSION AND SECURITY

The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.

Assess the importance of the data carried by your sessions and deploy additional protections. This usually comes at a price: reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.


There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.
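The protections described above can be combined into one session bootstrap. This is an added example, not code from the original slides; it assumes PHP 7.3 or later and a site served over HTTPS, and the function names start_secure_session(), login_user() and logout_user() are hypothetical.

```php
<?php
// Added example (not from the slides). Function names are hypothetical.

function start_secure_session(): void
{
    // Carry the session id in a cookie only, never in the URL, so it
    // cannot end up in another site's referrer logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session ids that this server did not generate.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only, never in plain text
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(string $username): void
{
    // Call after start_secure_session(). Issue a fresh id when the
    // privilege level changes and delete the old session data.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

function logout_user(): void
{
    // Clear the data, expire the cookie, then destroy the stored session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
```

With the secure flag set, the browser will not send the session cookie over an unencrypted connection, so the site must be reachable over HTTPS for sessions to work at all.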


Session Functions

• session_cache_expire — Return current cache expire

• session_cache_limiter — Get and/or set the current cache limiter

• session_commit — Alias of session_write_close

• session_decode — Decodes session data from a session encoded string

• session_destroy — Destroys all data registered to a session

• session_encode — Encodes the current session data as a session encoded string

• session_get_cookie_params — Get the session cookie parameters

• session_id — Get and/or set the current session id


• session_is_registered — Find out whether a global variable is registered in a session

• session_module_name — Get and/or set the current session module

• session_name — Get and/or set the current session name

• session_regenerate_id — Update the current session id with a newly generated one

• session_register_shutdown — Session shutdown function

• session_register — Register one or more global variables with the current session

• session_save_path — Get and/or set the current session save path

• session_set_cookie_params — Set the session cookie parameters


• session_set_save_handler — Sets user-level session storage functions

• session_start — Start new or resume existing session

• session_status — Returns the current session status

• session_unregister — Unregister a global variable from the current session

• session_unset — Free all session variables

• session_write_close — Write session data and end session


http://www.apextgi.in

Thank You

Apex TG India
