What is the latest, best practice and easiest way to use sessions in PHP?

Sessions in PHP seem to have changed since the last time I used them, so I'm looking for an easy way to use sessions that is, at the same time, fairly safe and in line with normal practice.

+4
7 answers

Session management changed a while ago (I think it was around 4.4). The old mechanism still works, but is deprecated. This is pretty confusing, so I recommend staying away from it. Today you use sessions by accessing the global variable $_SESSION (this is an array). You can put object instances there, but you need to load the class definitions for these objects before starting the session on the next page. Using autoload can help you here.

You must start a session before you can use $_SESSION. Since starting a session sends headers, you cannot have any output before it. This can be solved in one of two ways: either you always start the session at the beginning of your script, or you buffer the entire output and send it at the end of the script.

One good idea is to regenerate the session for each request; this makes hijacking much less likely.

This is (slightly) bad advice, as it may make the site inaccessible. You must regenerate the session identifier whenever user rights change. In general, this means on login. This is necessary to prevent session fixation (a form of session hijacking). See this recent thread at SitePoint for more information on this.

Using cookie-only sessions is fine, but if you regenerate the session identifier on login, it adds no extra security and slightly reduces accessibility.

+3

As for simplicity, it does not get better than this:

```php
<?php
# Start the session manager
session_start();
# Set a var
$_SESSION['foo'] = 'whatever';
# Access the var
print $_SESSION['foo'];
```
+2

While database sessions may be more secure, you should focus first on what you store in the session - in fact, it should contain nothing other than an identifier for the user (and MAYBE the name, or a temporary variable passed between pages).

I would suggest just using the default cookie sessions. Database sessions add an extra hit ON EVERY PAGE, and although not every site is Slashdot, there is no harm in pre-optimizing something as simple as that.

For usage, I would recommend the standard global variable:

```php
<?php
$_SESSION['yourvar'] = 'somevalue';
```

If you use this method throughout your code, you can easily change the storage backend later using session_set_save_handler, which provides a single way to implement session backends. Note that you can use an object to hold all the session handling; just pass an array of the form array("StaticClass", "staticMethod") for each callback.

For deeper usage, I would recommend that you take a look at how sessions are handled in KohanaPHP.

+1

You can store PHP sessions in a database, as described in this book. I used this method and I find it safe and easy to implement, so I recommend it.

0

Encapsulate the $_SESSION array in a Session() object, which lets you get variables from the session, get and set them using a similar (but non-discriminatory) method, including automatic security filters, flash variables (variables that are used once and then destroyed) and default setters.

Look at the behavior of Symfony on this point; it is very useful.

0

Sessions were an important part of my knowledge of PHP, because they helped me solve my login authentication problem when I was developing my first web application.

```php
<?php
// Assumes an auth() function, defined elsewhere, that checks the credentials.
session_start();
if (isset($_POST['username']) && isset($_POST['password'])) {
    if (auth($_POST['username'], $_POST['password'])) {
        // Authentication passed: privileges changed, so issue a new session id
        session_regenerate_id(true);
        $_SESSION['user'] = $_POST['username'];
        // redirect to the required page
        header("Location: index.php");
        exit; // header() does not stop execution on its own
    } else {
        // Authentication failed: redirect to login
        header("Location: loginform.html");
        exit;
    }
} else {
    // Username and password are required
    header("Location: loginform.html");
    exit;
}
```
0

First, use cookie-only sessions unless you have a specific business reason not to. I had a client who insisted on URL-based sessions for a project. Very unsafe and a pain to work with.

One good idea is to regenerate the session for each request; this makes hijacking much less likely. For instance:

```php
<?php
session_start();
$old_sessionid = session_id();
session_regenerate_id();   // issue a fresh id; pass true to also delete the old session data
$new_sessionid = session_id();
```

Another good practice, if you have some kind of user login as part of the system, is to completely invalidate and clear the session data on logout, to make sure the user really is logged out. I have seen systems where logging out is done only by deleting the session cookie.

-1
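As an added example (not from any of the answers above), here is the login-time regeneration recommended earlier and the full teardown on logout described in this answer combined in one script. The auth(), loginUser() and logoutUser() functions and the in-memory credential store are assumptions made for the example.

```php
<?php
// Added example (not from any answer on this page): regenerate the session id
// on login (privilege change) and fully tear the session down on logout.
// The credential store is constructed for the demo, not a real user database.
ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
session_set_cookie_params([               // PHP 7.3+ array form
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]; // constructed demo user

function auth(array $users, string $user, string $pass): bool
{
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function loginUser(string $user): void
{
    // Discard pre-login state and issue a fresh id, so an id planted before
    // login (session fixation) never becomes an authenticated session.
    $_SESSION = [];
    session_regenerate_id(true); // true also deletes the old session data
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
}

function logoutUser(): void
{
    // Clear server-side data, expire the cookie, then destroy the session;
    // deleting only the cookie leaves the session alive on the server.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

if (isset($_GET['logout'])) {
    logoutUser();
    header('Location: loginform.html');
    exit; // header() alone does not stop the script
}
if (isset($_POST['username'], $_POST['password'])
    && auth($users, (string) $_POST['username'], (string) $_POST['password'])) {
    loginUser((string) $_POST['username']);
    header('Location: index.php');
    exit;
}
```

With session.use_strict_mode on, a session id that the server never issued is discarded at session_start(), which closes the fixation route that regenerating on login alone does not cover.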

Source: https://habr.com/ru/post/1276887/
