PHP sessions working very well, but something's bugging me…

Question

I've been working with PHP sessions, and everything is working fine it does exactly what I need.

Then I started to look into potential security issues further and found this:

http://phpsec.org/projects/guide/4.html

Notice that all that was being used was to determine existing session or new session 'status' is:

session_start();

...and yet I have seen this sort of thing many times before:

<?php
if (isset($PHPSESSID))
{
    session_start($PHPSESSID);
}else{
    session_start();
};
?>

I had assumed that this would allow some other processing on second call or that it's logic allowed the session to restart with the same session ID for a different page for example.

However I already thought that the plain session_start() already had logic to determine if a session had been established elsewhere because it 'knows' to retain an existing session ID rather than issuing a new one, unless it needs to of course!

So I tested the above and I couldn't get it to work at all.

<?php
if (isset($PHPSESSID))
{
        $oldsession = "On";
        $newsession = "Off";
        session_start($PHPSESSID);
}
    else
{

    session_start();
    $newsession = "On";
    $PHPSESSID = session_id( );

};

            echo 'ClientSessionID : '.$PHPSESSID.'<br>';
            echo 'Refreshed Session : '.$oldsession.'<br>';
            echo 'New Session : '.$newsession.'<br>';      
?>

Either I'm missing something or this code could never have worked. The $oldsession NEVER gets echo'ed even though the session is retained. I conclude that the test on $PHPSESSID never works.

So my question is: Assuming the sample test code is syntactically correct, is it even plausible to attempt to pre-determine the session 'status' BEFORE calling session_start() ? And if so how would you go about it?

As the article goes on to show, using the (assumed) resulting session variables after a session has started is the only way to send the code in a different direction, so I'm thinking this is actually the only way to do it.

Answer 1

Thanks Dae and Wiseguy, you answers gave me the hint I needed although what you didn't mention was the security aspect which was what brought me to the subject.

To put in context the examples I had seen undoubtedly were legacy code from a time when register_globals was switched "on" by default, and obviously had not been updated.

The reason why the code cannot work now is that regsiter_globals has been switched off as a default setting in PHP for security reasons. As of 5.3.0 it has been deprecated and I was working with 5.3.4

The security issue I was looking at was a method to determine the if the user who was using the session was the original user and not someone spoofing their session, and some of the information (IP address) could be available in the header even before you decide to start the session.

But I learn now that the IP address can also be spoofed, and therefore I think that starting the session first and (recovering any previously set session variables) validate after.

As in the original article!

Answer 2

session_start() will reclaim an active session if one exists. You can observe this behaviour with the following snippet:

<?php

session_start();

echo 'Current session ID: ' . session_id();

$_SESSION['previous_id'] = session_id();
session_regenerate_id();

echo '<br />Session ID on next execution: ' . session_id();

if(isset($_SESSION['previous_id'])) 
  echo '<br />Session ID on previous execution: ' . $_SESSION['previous_id'];

?>

Wiseguy said the rest.

Answer 3

Your if(isset($PHPSESSID)) isn't checking what you think it is. I'm not sure of the syntax off hand... but try this:

<?php
if (isset(session_id($PHPSESSID)))
{
        $oldsession = "On";
        $newsession = "Off";
        session_start($PHPSESSID);
}
    else
{

    session_start();
    $newsession = "On";
    $oldsession = "None";
    $PHPSESSID = session_id( );

};

            echo 'ClientSessionID : '.$PHPSESSID.'<br>';
            echo 'Refreshed Session : '.$oldsession.'<br>';
            echo 'New Session : '.$newsession.'<br>';      
?>

I also added a value to $oldsession so that you can see that $PHPSESSID isn't 'set'.

Hope that helps!

Good luck!

Answer 4

It looks like the article was written in early 2005, so perhaps the article was assuming that the register_globals setting was turned on. Earlier in PHP4, it was on by default, but it has been disabled by default in PHP5.

For your code to work, you'd need to explicitly use $_GET['PHPSESSID'] or $_COOKIE['PHPSESSID'], since the global variable $PHPSESSID is probably not set due to register_globals being disabled.

Also, note that the session name won't always be "PHPSESSID." That's default, but it can be changed in the session.name server setting or changed in the code at runtime with session_name().