session

add a note User Contributed Notes

22-Aug-2006 04:15


In response to simon at quo dot com dot au:



The PHPSESSID is produced using an hash function. By default, it uses MD5 which produces 128 bits long (i.e: 16 bytes long) hashes.

But, since some bytes' values may not be used in the HTTP header, PHP outputs the hash in its hexadecimal representation, thus resulting in a 32 bytes long text.



Starting with  PHP 5.0, you can change the hash function used (by setting "session.hash_function" to whatever function you want to use in php.ini).

You may for example set it to 1 to switch to SHA-1 which produces 160 bits (20 bytes) long hashes.



Please also note that another setting was introduced in PHP 5 (session.hash_bits_per_character) which sort of "compresses" the hash. Thus, resulting in what seems to be a shorter hash.

This feature helps you improve your application's security by producing IDs that are harder to prodict for a malicious attacker.



More information on those settings is provided on:

http://www.php.net/manual/en/ref.session.php

simon at quo dot com dot au
07-Mar-2006 02:15


Length of PHPSESSID appears to be 32 characters by default.

jwhatcher at hotmail dot com
08-Jul-2005 03:21


Killing the session_id when using cookies to store the session_id. Useful when needing to recreate a user with different session information during an open session.



    unset($_COOKIE[session_name()]);

    session_start();

jpjounier at hotmail dot com
23-Jun-2005 07:28


About the note from Cybertinus : 





The following test doesn't work, the code following is always executed :





if(!session_id())


{


// Always executed even if there's already an opened session


}





session_id() returns an empty string if there is no current session, so to test if a session already exists, it's better to write this :


if(session_id() == "")


{


session_start();


}


else


{


// Anything you want


}

cbarnes at bfinity dot net
10-May-2005 09:44


Note that Firefox and Mozilla use the same process for launching new windows or tabs, they will pick up the same session id as the previous windows until the parent process dies or is closed. This may cause undesired results if the session id is stored in a db and checked, a solution is to check at the new entry point (new tab or window if the user went back to the index page) for an existing session. If a session id exists and a new one is required use something like:



$ses_id = session_id();

$bsid_exists = false;

$bsid_exists = check_session_id_from_db($ses_id);

 if ($bsid_exists){

 //This is a reentry and the session already exists

 // create a new session ID and start a new

session_regenerate_id();         

$ses_id = session_id();

 }

jeff_zamrzla
11-Feb-2005 07:03


Try this code snippet, from a book by a security expert who says this is more secure to place on every page:



session_start();

$_SESSION['name'] = "YourSession"; 



if (!isset($_SESSION['initiated']))

{

    session_regenerate_id();

    $_SESSION['initiated'] = true;

}

karlhaines at comcast dot net
31-Oct-2003 09:05


Rewriting URL's is not suggested for obvious security issues. Please be careful with register_globals when using sessions! Check that all information you recieve from a user is valid before accepting it!

Andi, info at pragmaMx dot org
17-Jan-2003 05:13


you can also add the iframe tag:

ini_set("url_rewriter.tags", "a=href,area=href,frame=src,iframe=src,input=src,form=fakeentry");

add a note

session_id

说明

参数

返回值

参见