Web Conference 2005: Writing PHP for ITS/ASET Web services. Using Sessions
When you use browser-supplied data (such as a cookie) to follow a user's visit across several requests to your site, you have created a session, and you may use it to provide a site experience tailored directly to that user.
Typically you use a random, arbitrary value as the session token or session identifier (sid). The browser is given only this token, and all other data pertaining to the user's session is kept in a data store on the server, keyed by the token.
Because the browser holds only the opaque token and never the data itself, you can be sure that the stored values cannot be altered directly by any user, accidentally or maliciously; the worst a client can do is present a different token.
Below is an example of the session variables and cookie values PHP uses with its built-in session management:
| Client Side | Server Side |
| --- | --- |
| Cookie jar: PHPSESSID = 394m5mgpgl2953b4ab827qnnm0 | sid = 394m5mgpgl2953b4ab827qnnm0<br>$_SESSION['variable1']="value1"<br>$_SESSION['variable2']="value2" |
You may create your own session management routines using the techniques discussed above, or you may use PHP's built-in session support. The following describes how to do it on a PHP server of version 4.0.6 or greater, such as php.scripts.psu.edu:
First, place the function session_start(); at the top of your script.
Next, use the $_SESSION[] array to create, set and query the values of session variables. These variables will be stored automatically on the server and associated with a token stored in the PHPSESSID cookie, which is automatically assigned and given to the browser.
Try the following code (create a new file, copy paste):
```php
<?php
// Start (or resume) the session before any output is sent; session_start()
// must run before headers go out, so it sits at the very top of the script.
session_start();
?>
<html>
<head>
<style>
div.border { border: solid 1px; }
</style>
</head>
<body>
<h1>Session Value Manager</h1>
<?php
// Target of the forms below: this script's own file name, escaped for use
// inside an HTML attribute.
$pageself = htmlspecialchars(basename($_SERVER['PHP_SELF']));
if (isset($_COOKIE['PHPSESSID'])) {
    echo "<p>PHP has automatically set the cookie PHPSESSID to be = " . htmlspecialchars($_COOKIE['PHPSESSID']) . "</p>\n";
}
?> <ul> <?php
// List whatever is currently stored on the server for this session token.
if (count($_SESSION)) {
    echo "<div class=\"border\">\n";
    echo "<p>The following session variables were stored on the server:</p>\n";
    foreach ($_SESSION as $var => $value) {
        echo "<li>\"" . htmlspecialchars($var) . "\" = \"" . htmlspecialchars($value) . "\"</li>\n";
    }
    echo "</div>\n";
} else {
    echo "<div class=\"border\">\n";
    echo "<p>No session variables were stored on the server.</p>\n";
    echo "</div>\n";
}
// For this demo the variable name and value come straight from the request;
// the listing above was produced before this change, so use Reload to see it.
if (isset($_REQUEST['add']) and isset($_REQUEST['name']) and isset($_REQUEST['value'])) {
    $_SESSION[$_REQUEST['name']] = $_REQUEST['value'];
    echo "<p>Adding \"" . htmlspecialchars($_REQUEST['name']) . "\" = \"" . htmlspecialchars($_REQUEST['value']) .
        "\" to session variable store on the server</p>\n";
}
if (isset($_REQUEST['remove']) and isset($_REQUEST['name'])) {
    unset($_SESSION[$_REQUEST['name']]);
    echo "<p>Removing \"" . htmlspecialchars($_REQUEST['name']) .
        "\" from session variable store on the server</p>\n";
}
?>
</ul>
<p>Ask the server to set a new session variable (stored on the server):</p>
<form method=GET action="<?php echo $pageself; ?>">
<p><b>Add session variable</b> name: <input type=text name=name>,
value: <input type=text name=value>, <input type=submit name=add value=Add><br>
</form>
<form method=GET action="<?php echo $pageself; ?>">
<b>Remove session variable</b> name: <input type=text name=name>,
<input type=submit name=remove value=Remove></p>
</form>
<form method=POST action="<?php echo $pageself; ?>">
<p><input type=submit value=Reload></p>
</form>
</body>
</html>
```
You may name this file session_manager.php.
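The same token-in-the-browser, data-on-the-server model described at the top of this page, written as a small hand-rolled session store of the kind the text says you may build yourself. This is an added example, not code from the original page; the cookie name MYSID, the store directory and the helper names are assumptions, and it needs PHP 7 or later for random_bytes().

```php
<?php
// Added example (not from the original page): a minimal hand-rolled session
// store. The browser receives only a random token; all data stays on the
// server in a file named by that token. Cookie name and directory are assumed.
define('MYSID_COOKIE', 'MYSID');
define('MYSID_DIR', sys_get_temp_dir() . '/mysid_store');

// A valid token is exactly 32 lowercase hex characters. Checking the format
// before using it as a file name means a tampered cookie can never name any
// file outside the store directory.
function mysid_is_valid($sid) {
    return is_string($sid) && preg_match('/^[0-9a-f]{32}$/', $sid) === 1;
}

function mysid_path($sid) {
    return MYSID_DIR . '/' . $sid . '.json';
}

// Returns array($sid, $data). The browser's token is reused only when it is
// well-formed and names an existing record; otherwise a fresh one is issued.
function mysid_start() {
    if (!is_dir(MYSID_DIR)) {
        mkdir(MYSID_DIR, 0700, true);
    }
    $sid = isset($_COOKIE[MYSID_COOKIE]) ? $_COOKIE[MYSID_COOKIE] : null;
    if (mysid_is_valid($sid) && is_file(mysid_path($sid))) {
        $data = json_decode(file_get_contents(mysid_path($sid)), true);
        return array($sid, is_array($data) ? $data : array());
    }
    // 16 bytes from the CSPRNG -> 32 hex chars: random and arbitrary, as the
    // text requires, so one user cannot guess another's token.
    $sid = bin2hex(random_bytes(16));
    // secure=true, httponly=true (assumed HTTPS-only site): the token is sent
    // only over TLS and is not readable by page scripts.
    setcookie(MYSID_COOKIE, $sid, 0, '/', '', true, true);
    return array($sid, array());
}

function mysid_save($sid, array $data) {
    if (!mysid_is_valid($sid)) {
        return false;
    }
    return file_put_contents(mysid_path($sid), json_encode($data), LOCK_EX) !== false;
}

// Usage: the browser only ever sees $sid, never the contents of $data.
list($sid, $data) = mysid_start();
$data['visits'] = isset($data['visits']) ? $data['visits'] + 1 : 1;
mysid_save($sid, $data);
echo "Visit number " . htmlspecialchars((string) $data['visits']);
```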
Many authentication systems, including Penn State WebAccess, use a form of session management based on cookies. They will use it to tie the various HTTP page requests of a particular browser to a form of authentication, such as a username and password CGI parameter pair, performed at the beginning of the session. While some may choose to use PHP's session management, not all will.
If you have any questions, feel free to ask me. Content by: Jeff D'Angelo <jcd@psu.edu> © 2005. Last update on: Mon Jun 29, 2009, 9:40:32 AM