Presentation is loading. Please wait.

Presentation is loading. Please wait.

SessionsPHPApril 2010 : [‹#›] Maintaining State in PHP Part II - Sessions.

Published byGerard Miller Modified over 8 years ago

Similar presentations

Presentation on theme: "SessionsPHPApril 2010 : [‹#›] Maintaining State in PHP Part II - Sessions."— Presentation transcript:

1 SessionsPHPApril 2010 : [‹#›] Maintaining State in PHP Part II - Sessions

2 SessionsPHPApril 2010 : [‹#›] So… CookiesSessions Limited storage spacePractically unlimited space Insecure storage client- side Reasonably securely stored server-side User controlledNo user control

3 SessionsPHPApril 2010 : [‹#›] How do ‘Sessions’ work? They are based on assigning each user a unique number, or session id. Even for extremely heavy use sites, this number can for all practical purposes can be regarded as unique. e.g. 26fe536a534d3c7cde4297abb45e275a

4 SessionsPHPApril 2010 : [‹#›] How do ‘Sessions’ work? This session id is stored in a cookie, or passed in the URL between pages while the user browses. The data to be stored (e.g. name, log-in state, etc.) is stored securely server-side in a PHP superglobal, and referenced using the session id.

5 SessionsPHPApril 2010 : [‹#›] Crucially, sessions are easy to implement as PHP does all the work!

6 SessionsPHPApril 2010 : [‹#›] Starting or Resuming a Session session_start(); PHP does all the work: It looks for a valid session id in the $_COOKIE or $_GET superglobals – if found it initializes the data. If none found, a new session id is created. Note that like setcookie(), this function must be called before any echoed output to browser.

7 SessionsPHPApril 2010 : [‹#›] Starting or Resuming a Session session_start(); When doing anything with sessions, this is always called first!

8 SessionsPHPApril 2010 : [‹#›] Storing Session Data The $_SESSION superglobal array can be used to store any session data. e.g. $_SESSION[‘name’] = $name; $_SESSION[‘age’] = $age;

9 SessionsPHPApril 2010 : [‹#›] Reading Session Data Data is simply read back from the $_SESSION superglobal array. e.g. $name = $_SESSION[‘name’]; $age = $_SESSION[‘age’];

10 SessionsPHPApril 2010 : [‹#›] Session Propagation Sessions need to pass the session id between pages as a user browses to track the session. It can do this in two ways: –Cookie propagation –URL propagation

11 SessionsPHPApril 2010 : [‹#›] Cookie Propagation A cookie is stored on the users PC containing the session id. It is read in whenever session_start(); is called to initialize the session. Default behaviour is a cookie that expires when the browser is closed. Cookie properties can be modified with session_set_cookie_params if required.

12 SessionsPHPApril 2010 : [‹#›] URL Propagation The session id is propagated in the URL (… some_folder/index.php?sid=26fe536a534d3c7cde4297abb45e275a) PHP provides a global constant to append the session id to any internal links, SID. e.g. ">Next page

13 SessionsPHPApril 2010 : [‹#›] Which one..? The default setup of a PHP server is to use both methods. –it checks whether the user has cookies enabled. –If cookies are on, PHP uses cookie propagation. If cookies are off it uses URL propagation.

14 SessionsPHPApril 2010 : [‹#›] And this means..? That as developers, we must be aware that sessions can be propagated through URL, and append the constant SID to any internal links. If sessions are being propagated by cookies, the constant SID is an empty string, so the session id is not passed twice.

15 SessionsPHPApril 2010 : [‹#›] Destroying a Session Often not required, but if we want to destroy a session: // clear all session variables $_SESSION = array(); // delete the session cookie if there is one if (isset($_COOKIE[session_name()])) { setcookie(session_name(),'',time()-42000,'/'); } // destroy session session_destroy(); // avoid reusing the SID by redirecting // back to the same page to regenerate session header('Location: '.$_SERVER['PHP_SELF']);

16 SessionsPHPApril 2010 : [‹#›] Session Expiry By default, PHP sessions expire: –after a certain length of inactivity (default 1440s), the PHP garbage collection processes deletes session variables. Important as most sessions will not be explicitly destroyed. –if propagated by cookies, default is to set a cookie that is destroyed when the browser is closed. –If URL propagated, session id is lost as soon as navigate away from the site.

17 SessionsPHPApril 2010 : [‹#›] Long-term Sessions Although it is possible to customize sessions so that they are maintained after the browser is closed, for most practical purposes PHP sessions can be regarded as short-term. Long-term session data (e.g. ‘remember me’ boxes) is usually maintained by explicitly setting and retrieving cookie data.

18 SessionsPHPApril 2010 : [‹#›] Session Hi-jacking A security issue: if a malicious user manages to get hold of an active session id that is not their own.. e.g. –user 1 browsing site with cookies disabled (URL propagation). –user 1 logs in. –user 1 sends an interesting link to user 2 by email.. The URL copy and pasted contains his session id. –user 2 looks at the link before session id is destroyed, and ‘hijacks’ user 1’s session. –user 2 is now logged in as user 1!!

19 SessionsPHPApril 2010 : [‹#›] … rule of thumb … If you are truly security conscious you should assume that a session propagated by URL may be compromised. Propagation using cookies is more secure, but still not foolproof..

20 SessionsPHPApril 2010 : [‹#›] HOE 14 Using Sessions

Download ppt "SessionsPHPApril 2010 : [‹#›] Maintaining State in PHP Part II - Sessions."

Similar presentations

CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.

CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.
UFCE8V-20-3 Information Systems Development 3 (SHAPE HK)

UFCE8V-20-3 Information Systems Development 3 (SHAPE HK)
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Chapter 10 Managing State Information Using Sessions.

Chapter 10 Managing State Information Using Sessions.
Chapter 10 Managing State Information PHP Programming with MySQL.

Chapter 10 Managing State Information PHP Programming with MySQL.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Using Session Control in PHP tMyn1 Using Session Control in PHP HTTP is a stateless protocol, which means that the protocol has no built-in way of maintaining.

Using Session Control in PHP tMyn1 Using Session Control in PHP HTTP is a stateless protocol, which means that the protocol has no built-in way of maintaining.
CSE 154 LECTURE 13: SESSIONS. Expiration / persistent cookies setcookie(name, value, expiration); PHP $expireTime = time() + 60*60*24*7; # 1 week.

CSE 154 LECTURE 13: SESSIONS. Expiration / persistent cookies setcookie("name", "value", expiration); PHP $expireTime = time() + 60*60*24*7; # 1 week.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.

CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.
CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.

CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.
Advanced Web Forms with Databases Programming Right from the Start with Visual Basic.NET 1/e 13.

Advanced Web Forms with Databases Programming Right from the Start with Visual Basic.NET 1/e 13.
269200 Web Programming Language Week 7 Dr. Ken Cosh Security, Sessions & Cookies.

Web Programming Language Week 7 Dr. Ken Cosh Security, Sessions & Cookies.
12/3/2012ISC329 Isabelle Bichindaritz1 PHP and MySQL Advanced Features.

12/3/2012ISC329 Isabelle Bichindaritz1 PHP and MySQL Advanced Features.
Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.

Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.
PHP1-1 PHP Lecture 2 Xingquan (Hill) Zhu

PHP1-1 PHP Lecture 2 Xingquan (Hill) Zhu
Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.

Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.
1 Maryland ColdFusion User Group Session Management 101 11 December 2001 Michael Schuler

1 Maryland ColdFusion User Group Session Management December 2001 Michael Schuler
Nic Shulver, Introduction to Sessions in PHP Sessions What is a session? Example Software Software Organisation The login HTML.

Nic Shulver, Introduction to Sessions in PHP Sessions What is a session? Example Software Software Organisation The login HTML.
PHP Workshop ‹#› PHP Security. PHP Workshop ‹#› Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER 2.ESCAPE.

PHP Workshop ‹#› PHP Security. PHP Workshop ‹#› Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER 2.ESCAPE.

Similar presentations

Ads by Google