PHP Sessions

November 11, 2008 by Shaun

So, a little about PHP sessions. I’ll talk briefly about how they persist, how long they persist, how to add variables and how to destroy/unset variables. As stated on the php.net website:

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.


Well, as helpful as that definition is, the whole idea behind sessions is that they can persist beyond a single page request. This allows us to maintain data longer than a single request, which is useful for holding login information/credentials, preserving error messages across redirects, and so on. By default, sessions persist for 24 minutes (1440 seconds). This timeout can be overridden by setting the gc_maxlifetime ini variable as follows:

```php
// Must be called before session_start(); $n is the number of seconds before timeout.
ini_set('session.gc_maxlifetime', $n);
```

For the purposes of this tutorial/example, I’ll primarily use login/user management as the example. When a site visitor logs into a website, it’s important that we recall who they are as well as what they should have access to. To persist a session variable, the following line of code must appear before any output on the page. If you have a space or any other output on the page before the session is started, you will see the following error:

```text
Cannot send session cookie. Headers already sent.
```

This error indicates that the browser has already been sent content. This could be white-space or the output of some content. In order for content to be sent, the headers have to be closed, and once the headers are closed nothing more can be added to them, including the session cookie. OK, enough of the warning/lecture. Here’s the nitty gritty.

```php
<?php

session_start();

?>
```

The session_start() function must be called on every page that needs the session variables. The easiest way I’ve found to do this is by adding an include to every page. This include should contain only PHP code (no output), and any variables that are needed globally can be added to this file. This prevents you from having to type the same code on multiple pages.
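Here is what such an include can look like, as an added example rather than the post’s own code. It sets gc_maxlifetime before session_start(), because ini_set has no effect on a session that is already running, and it checks headers_sent() so that the "headers already sent" failure is reported with the file and line that produced the stray output. The 1800-second timeout and the cookie settings are assumptions for illustration; the array form of session_set_cookie_params() requires PHP 7.3 or later.

```php
<?php
// session_bootstrap.php: added example, not the post's own code.
// Include this file first on every page, before any output. There must be
// nothing (not even whitespace) before the opening "<?php" tag.

declare(strict_types=1);

// Assumption: idle timeout chosen for this example.
$timeoutSeconds = 1800;

// gc_maxlifetime only tells the garbage collector when a session file becomes
// eligible for removal, so a session can outlive it on a quiet server. It must
// be set before session_start() to affect this request's session.
ini_set('session.gc_maxlifetime', (string) $timeoutSeconds);

// Keep the cookie lifetime in step with the server-side timeout and keep the
// cookie out of reach of scripts.
session_set_cookie_params([
    'lifetime' => $timeoutSeconds,
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']),
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Report exactly where output started instead of the bare
// "Cannot send session cookie. Headers already sent." message.
if (headers_sent($file, $line)) {
    trigger_error(
        "Output started in $file on line $line before session_start()",
        E_USER_ERROR
    );
}

session_start();

// Enforce the idle timeout in code rather than trusting garbage collection:
// drop the session data and issue a fresh id once it has been idle too long.
if (isset($_SESSION['last_activity'])
    && time() - (int) $_SESSION['last_activity'] > $timeoutSeconds) {
    $_SESSION = [];
    session_regenerate_id(true);
}
$_SESSION['last_activity'] = time();
```

Because the file ends without a closing `?>` tag, there is no risk of a trailing newline being sent as output after it is included.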

Now that the session exists, you can add data to the $_SESSION variable to persist until the session dies. Setting session variables is actually quite simple:

```php
$_SESSION['username'] = 'shaun';
```

While this example works in the context I have used it, it’s not necessarily the most secure or efficient way to store variables. I typically suggest streamlining it a bit more, by which I mean organizing the session better. Take a look at this example:

```php
$_SESSION['user']['username'] = 'shaun';
$_SESSION['user']['user_level'] = 'administrator';
```

That is a more efficient way of organizing your data, feel free to branch it out as far as you need to. This allows you more flexibility and makes the code easier to read. You can keep adding variables to the session while keeping all of the user data in a clean organized variable.

I always suggest against storing user data itself in sessions. Rather, I would encourage storing only a record ID and validating the data against your database server on each request to keep your data and website secure. This prevents users from manipulating your code to update the variables and gaining access to your database records.
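The following is an added example (not the post’s own code) of the record-ID approach, together with the unset/destroy steps the introduction mentions. Only the user’s id goes into $_SESSION; the username and user_level are re-read from the database whenever they are needed, so a stale or tampered session value cannot grant a role the database no longer holds. It assumes session_start() has already run (for instance via the include above) and that a PDO connection exists; here an in-memory SQLite database with one constructed user is created so the script runs stand-alone. The function names login(), current_user() and logout() are my own.

```php
<?php
// user_session.php: added example, not the post's own code.

declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start(); // normally done by the bootstrap include
}

// Constructed stand-in for the site's real database connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
            password_hash TEXT, user_level TEXT)');
$insert = $pdo->prepare('INSERT INTO users (username, password_hash, user_level) VALUES (?, ?, ?)');
// Constructed sample row; the password is only an example value.
$insert->execute(['shaun', password_hash('example-password', PASSWORD_DEFAULT), 'administrator']);

// Verify credentials and store nothing but the record id in the session.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // A fresh id on login means an id handed out before authentication
    // cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = ['id' => (int) $row['id']];
    return true;
}

// Resolve the stored id against the database on every request; the role
// comes from the users table, never from the session itself.
function current_user(PDO $pdo): ?array
{
    if (!isset($_SESSION['user']['id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username, user_level FROM users WHERE id = ?');
    $stmt->execute([(int) $_SESSION['user']['id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        // The account was removed since login: drop the dangling reference.
        unset($_SESSION['user']);
        return null;
    }
    return $user;
}

// Remove the session variables, expire the cookie, then destroy the session.
function logout(): void
{
    unset($_SESSION['user']); // remove a single variable...
    $_SESSION = [];           // ...or clear them all
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage: a failed login leaves no user in the session, a successful one lets
// current_user() read the role back from the database, and logout clears it.
var_dump(login($pdo, 'shaun', 'wrong-password'));
var_dump(login($pdo, 'shaun', 'example-password'));
var_dump(current_user($pdo));
logout();
var_dump(current_user($pdo));
```

The prepared statements are what make the lookups safe against injected usernames; the record-id lookup on every request is what makes the session contents uninteresting to tamper with.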

I hope this proves to be helpful and if you have any questions, feel free to leave a comment.

2 Responses to “ PHP Sessions ”

  1. HardCoded
    November 12, 2008 at 5:26 pm

    Shaun, I have a unique project I am working on. Don’t worry, no graphics involved. Anyway, do you know if there is a way to share sessions between a PHP application and a ColdFusion one?

    Maybe share isn’t exactly the word I am looking for. Perhaps a better way would be to create the same sessions both in PHP and ColdFusion. Any ideas?

    The breakdown is that I have a project in which a huge website was built in ColdFusion and now they want to add a phpBB3 forum to this site and share the user login information. So basically a person with an existing account should be able to log in at the ColdFusion app and not have to log in a second time when they reach the forums.

    I think that made sense. Thanks!

  2. Shaun
    November 21, 2008 at 2:27 pm

    This can be a bit difficult to accomplish when using various frameworks without exposing yourself to vulnerabilities. There are a couple of ways you can do this. You can have an Ajax request within the browser start a session on the other site at the same time the user logs in. This is blatantly visible, so for this to be secure, you should probably do a server-side post with an IP address after the Ajax post to verify the session. Once it’s established, store a cookie for both sites with the login id.

    To summarize: the user logs in; if the credentials are correct, the server performs a post to authenticate the IP address and the signed-in username. Then you do a browser Ajax request to the second site to create a cookie. When all is said and done, you will have 2 websites, each with a cookie.

    You’ll have to make sure your session/cookie timeout is set the same on both servers and if you provide the user with the ability to log out, you’d need to reverse this process to delete the cookies.
