Can I Get A Refund?

Sessions in PHP seemed to have changed since the last time I used them, so I’m looking for a simple way of using sessions but at the same time for it to be relatively secure and a good common practice.

2 ANSWERS

February 16, 2017 at 10:16 am admin

You can store PHP sessions in database, as described in this book. I have used this method and I find it secure and easy to implement, so I would reccomend it.

February 16, 2017 at 10:16 am admin

Session management changed some time back (I think it was around 4.4). The old mechanism still works, but is deprecated. It’s rather confusing, so I recommend staying clear of it. Today, you use sessions by accessing the global variable $_SESSION (It’s an array). You can put object instances in there, but you need to load the class definitions for those objects before starting the session on the next page. Using autoload can help you out here.

You must start a session before you can use $_SESSION. Since starting the session sends headers, you can’t have any output before. This can be solved in one of two ways: Either you always begin the session at the start of your script. Or you buffer all output, and send it out at the end of the script.

One good idea is to regenerate the session on each request. this makes hijack much less likely.
That’s (slightly) bad advice, since it can make the site inaccessible. You should regenerate the session-id whenever a users privileges changes though. In general that means, whenever they log in. This is to prevent session-fixation (A form of session-hijacking). See this recent thread @ Sitepoint for more on the subject.

Using cookiebased sessions only is OK, but if you regenerate session id’s on login, it doesn’t add any additional security, and it lowers accessibility a bit.

Viewing 2 replies - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.