Passing the Session ID
Passing the Session ID
Passing the Session ID
There are two methods to propagate a session
id:
- Cookies
- URL
parameter
The session module supports both methods. Cookies
are optimal, but because they are not always available, we also
provide an alternative way. The second method embeds the session id
directly into URLs.
PHP is capable of transforming links transparently.
If the run-time option session.use_trans_sid is enabled,
relative URIs will be changed to contain the session id
automatically.
Note:
The arg_separator.output php.ini
directive allows to customize the argument separator. For full
XHTML conformance, specify & there.
Alternatively, you can use the constant
SID
which is defined if the session
started. If the client did not send an appropriate session cookie,
it has the form session_name=session_id. Otherwise, it
expands to an empty string. Thus, you can embed it unconditionally
into URLs.
The following example demonstrates how to register
a variable, and how to link correctly to another page using
SID
.
Example #1 Counting the number of hits of a single
user
<?php
session_start
();
if (empty(
$_SESSION['count'])) {
$_SESSION['count'] = 1;
} else {
$_SESSION['count']++;
}
?>
<p>
Hello visitor, you have seen this page <?php echo $_SESSION['count']; ?> times.
</p>
<p>
To continue, <a href="nextpage.php?<?php echo htmlspecialchars(SID); ?>">click
here</a>.
</p>
The htmlspecialchars() may be used when printing
the SID
in order to prevent XSS
related attacks.
Printing the SID
,
like shown above, is not necessary if –enable-trans-sid was used to compile PHP.
Note:
Non-relative URLs are assumed to point to external
sites and hence don’t append theSID
,
as it would be a security risk to leak the
SID
to a different server.