PHP Sessions: Part 2

Building off the previous part, I will now see what’s going on under the hood when a session is started.

One of the things I needed to figure out is what this means:

PHP is capable of transforming links transparently. Unless you are using PHP 4.2.0 or later, you need to enable it manually when building PHP. Under Unix, pass --enable-trans-sid to configure. If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically.

I searched Google, and couldn’t find a clear explanation of what “transforming links transparently” means. Nor could I find what “Transparent SID Support” means.

Transparent SID Support simply means that when this is enabled, there is no need to pass the SID in your links manually. PHP will do it for you.

So let’s see what this SID variable is all about.

First, I’ve added code to display the PHP constant “SID”. According to the manual, this constant is either an empty string or a string of the form “session_name=session_id” (session_name is set in the php.ini file).

The output of this code is interesting. The first time I ran it, there appeared to be no output for SID:

I suspected that there might be a cookie involved at this point, so I took a look and found this:

PHP SID cookie

So, the next thing I did was to remove that cookie, and refresh the browser. When I did, I saw this:

Now SID is outputting the session ID. So the lack of a cookie means that SID jumps into action.

Note that the session IDs are different. This makes sense: if you clear your cookies, you lose your session. If your cookies are disabled, SID will be there as a replacement. Note, however, that passing the SID in the URL can leave you more vulnerable to XSS-related attacks.

Next, I refreshed my browser page again, and when I did, the SID output went away, and the cookie reappeared. As expected, the cookie value was the same as the SID from the previous refresh, indicating that PHP has successfully set a cookie, and will now manage the session in that manner, as long as I don’t delete it or disable cookies.

Transparent SID Support is disabled by default in newer versions of PHP because passing the session ID in the URL is not a good idea. Basically, if you are using sessions and want to be as secure as you can, you should require cookies.
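To make the cookie-versus-SID behaviour above concrete, here is an added example (not the post’s own code) that locks PHP down to cookie-only sessions, then reports whether the ID arrived by cookie and what the SID constant contains. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and a request served over HTTPS so the secure cookie is accepted.

```php
<?php
// Added example, not from the original post. Run it, load the page twice, and
// compare the output: first load has no cookie and a non-empty SID; second
// load has the cookie and SID is ''.

// All session ini changes must happen before session_start().
// use_only_cookies: never accept a session ID from the URL or POST body,
// which is what makes "?PHPSESSID=..." fixation attempts harmless.
ini_set('session.use_only_cookies', '1');
// use_trans_sid: do not rewrite relative links to carry the session ID
// (this is the "Transparent SID Support" the post is describing).
ini_set('session.use_trans_sid', '0');
// Cookie flags: not readable by JavaScript, HTTPS only, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Check for the cookie before session_start(), because session_start() adds
// a Set-Cookie header for the response when none was presented.
$cookieName = session_name();            // "PHPSESSID" unless php.ini changes it
$hadCookie  = isset($_COOKIE[$cookieName]);

session_start();

// Give the session some state so the two loads are distinguishable.
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;

header('Content-Type: text/plain');
echo "session_name(): ", session_name(), "\n";
echo "session_id():   ", session_id(), "\n";
echo "cookie present: ", $hadCookie ? 'yes' : 'no', "\n";
// SID is '' when the ID came from the cookie, otherwise "name=id".
// With use_only_cookies=1 it is still non-empty on the first, cookieless
// request, but PHP will no longer accept that ID back from a URL.
echo "SID:            '", SID, "'\n";
echo "\$_SESSION:      ", var_export($_SESSION, true), "\n";
```

Deleting the cookie in the browser and reloading reproduces the post’s observation: a fresh session ID, SID populated for that one request, and a new cookie on the next.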

PHP Sessions: Part 1

It’s time to learn about sessions in PHP.

Here is some basic code to start a session, and display the resulting $_SESSION superglobal:

The resulting output:

To prove that it’s working, simply comment out the session_start() call:

Which results in:

So now I know how to turn sessions on. Next, I need to understand a little more about how sessions work.