    Passing the Session ID

    There are two methods to propagate a session id:

    • Cookies
    • URL parameter

    The session module supports both methods. Cookies
    are optimal, but because they are not always available, we also
    provide an alternative way. The second method embeds the session id
    directly into URLs.

    PHP is capable of transforming links transparently.
    If the run-time option session.use_trans_sid is enabled,
    relative URIs will be changed to contain the session id
    automatically.

    Note:

    The arg_separator.output php.ini directive allows customizing the
    argument separator. For full XHTML conformance, specify &amp; there.

    Alternatively, you can use the constant SID, which is defined if the
    session has started. If the client did not send an appropriate session
    cookie, it has the form session_name=session_id. Otherwise, it
    expands to an empty string. Thus, you can embed it unconditionally
    into URLs.

    The following example demonstrates how to register
    a variable, and how to link correctly to another page using
    SID.

    Example #1 Counting the number of hits of a single user

    <?php

    session_start();

    // First request in this session: start the counter; otherwise increment it.
    if (empty($_SESSION['count'])) {
        $_SESSION['count'] = 1;
    } else {
        $_SESSION['count']++;
    }
    ?>

    <p>
    Hello visitor, you have seen this page <?php echo $_SESSION['count']; ?> times.
    </p>

    <p>
    To continue, <a href="nextpage.php?<?php echo htmlspecialchars(SID); ?>">click
    here</a>.
    </p>

    htmlspecialchars() may be used when printing the SID in order to
    prevent XSS-related attacks.

    Printing the SID, as shown above, is not necessary if
    --enable-trans-sid was used to compile PHP.

    Note:

    Non-relative URLs are assumed to point to external sites and hence
    do not have the SID appended, as it would be a security risk to leak
    the SID to a different server.
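
    When links are built by hand with SID, the rule from the note above has to be applied by the calling code. The following is an added example, not part of the PHP manual; append_sid() is a hypothetical helper and the session token and URLs are constructed sample values.

```php
<?php
// Added example (not from the PHP manual). append_sid() is a hypothetical helper.

/**
 * Append the session token ("name=id", the form SID takes) to a relative URL only.
 */
function append_sid(string $url, string $sid): string
{
    if ($sid === '') {
        return $url;                 // cookie was sent, SID is empty: nothing to add
    }
    $parts = parse_url($url);
    // Absolute (scheme://host/...) and protocol-relative (//host/...) URLs are
    // treated as external here, so the session id is never attached to them.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $url;
    }
    // Keep any #fragment at the end so the id lands in the query string.
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    $separator = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $separator . $sid . $fragment;
}

// Constructed sample values; in a real page pass the SID constant after session_start().
$sid = 'PHPSESSID=constructed0123456789';
$links = [
    'nextpage.php',                    // relative: gets ?PHPSESSID=...
    'list.php?page=2#top',             // relative with query and fragment
    'https://other.example/landing',   // absolute: left untouched
    '//cdn.example/app.js',            // protocol-relative: left untouched
];
foreach ($links as $link) {
    // Escape for the HTML attribute; this also turns "&" into "&amp;".
    echo '<a href="', htmlspecialchars(append_sid($link, $sid)), '">link</a>', "\n";
}
```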