
Session Management with PHP, part-4

In this part, we will try to cover three questions:

  1. What are the parameters that can be configured?
  2. Can I change the storage location?
  3. Can I change how the data is stored in the session?

The answers are quite simple.

There are many settings that can be customized as needed, and all the details about them are on PHP.NET (http://php.net/manual/en/session.configuration.php). There you can also check at which level each setting is allowed (i.e. whether it can be set per directory or only once in php.ini).

But a few of them are more important to know, and we will discuss those here.

a) session.save_path : contains the path where your session files are stored. By default it is the tmp directory.

It can be changed to any location you prefer, but in that case one needs to keep garbage collection in mind.

b) session.name : The name of the session key. By default it is PHPSESSID. It can be renamed; be aware of this in case you are also using the session id in URLs.

c) session.save_handler : This is where you define where the session data is stored. By default it is files, so your session data is stored in a file. But you can write your own scheme to handle session data: you can store it in a database, in memory using memcache, or in any other format. You just need to write your own session handler. PHP has built-in support for files only. Here are more details on this… (Custom Session handler)
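As an added example (not code from the original post, and not PHP's own file handler), here is a minimal custom save handler of the kind described above: it implements SessionHandlerInterface, stores each session in a directory of our choosing, and is registered with session_set_save_handler(). The directory path is an assumption, and PHP 8.0 or later is assumed for the return type declarations.

```php
<?php
// Added example: a custom session save handler (not from the original post).
// Assumes PHP >= 8.0 and that the directory passed to the constructor is writable
// by the web server user and by nobody else.

declare(strict_types=1);

final class DirectorySessionHandler implements SessionHandlerInterface
{
    private string $dir;

    public function __construct(string $dir)
    {
        $this->dir = rtrim($dir, '/');
    }

    // Accept only ids made of the characters PHP itself generates. A client
    // supplies the id, so anything else (for example "../") must never be used
    // to build a file name.
    private function pathFor(string $id): ?string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            return null;
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open(string $savePath, string $sessionName): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        $path = $this->pathFor($id);
        if ($path === null || !is_file($path)) {
            return ''; // unknown id: an empty session, never an error
        }
        return (string) file_get_contents($path);
    }

    public function write(string $id, string $data): bool
    {
        $path = $this->pathFor($id);
        if ($path === null) {
            return false;
        }
        // LOCK_EX prevents interleaved writes from concurrent requests
        return file_put_contents($path, $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $path = $this->pathFor($id);
        return $path === null || !is_file($path) || unlink($path);
    }

    // Garbage collection: remove sessions not modified within gc_maxlifetime.
    // PHP passes the session.gc_maxlifetime value as $maxLifetime.
    public function gc(int $maxLifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $maxLifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// Register the handler before session_start(); the second argument also
// registers session_write_close() as a shutdown function.
$handler = new DirectorySessionHandler('/var/lib/myapp/sessions'); // assumed path
session_set_save_handler($handler, true);
session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```

The same interface is what a database- or memcache-backed handler implements; only the bodies of read(), write(), destroy() and gc() change. Note that the garbage-collection interval still depends on session.gc_probability and session.gc_divisor, so a handler that writes somewhere PHP cannot see must still implement gc() itself.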

d) session.gc_maxlifetime : The maximum time, in seconds, for which a session is valid. By default it is 1440 seconds, or 24 minutes.

The next settings apply if you want to pass the Session-Id using an HTTP action, or in URLs. However, the cookie-related settings also need to be configured in order to use this effectively.

e) session.use_trans_sid : Set this if you want to use the session id in the HTTP action, that is, in the URL.

f) session.trans_sid_tags : which tags are allowed, i.e. where PHP will append the session id automatically before sending the response to the browser. It is generally used with url_rewriter.tags; url_rewriter.tags must also allow that tag to be rewritten.

g) session.trans_sid_hosts : you can define any number of hosts where you want to use the HTTP-action-based Session-Id. It might be that you want to use the session id in URLs for a particular HOST only.

Cookie Based Settings

h) session.use_only_cookies : Set this if you want to use only cookies to maintain the session. If it is set to 1, PHP will only use the cookie to carry the session id, without considering use_trans_sid.

i) session.use_cookies : This setting lets you switch the session cookie on or off. So if you have set use_only_cookies to 1 and this is set to 0, PHP will be unable to set up the session. So while changing these you must consider the related settings as well.

If you are using cookies, then

j) session.cookie_lifetime : This defines the validity of the cookie. By default it is set to 0, which means PHP will not set an expiry time in the cookie.

k) session.cookie_httponly : This is related to the security aspect. Most browsers follow the convention that if this flag is set on the cookie, they will not allow JavaScript to read it. Otherwise, some malicious JavaScript might read your session cookie and misuse it.

l) session.cookie_secure : If it is set to 1, the cookie will only be sent when the request is made over HTTPS. That is good to use, but remember: if you allow your site to be accessible over both HTTP and HTTPS, and want to access the same cookie over both, this setting will break the session when you switch from HTTPS to HTTP.

Let's say you access the dashboard after login using HTTPS, and there is another page that uses the session but can also be accessed over HTTP. In this case, if this setting is 1, session values will not be available on that page.

m) session.cookie_domain : specifies the domain for which the session cookie is set. The default is none at all, meaning the hostname of the server that generated the cookie, according to the cookie specification.

It is important to consider that Chrome and Firefox treat www.example.com and example.com as two different domains, while Internet Explorer considers them the same. So if your site allows users to access it with and without www, it might work perfectly in Internet Explorer but break in Chrome and Firefox when your user switches between the www and non-www versions of your site.

For that, you can consider this setting, or it can be set from PHP code with session_set_cookie_params().

You can use '.example.com' so that www.example.com and example.com are treated as one.

n) session.cookie_path : By default it is '/'. That means all paths for that HOST.

Let's say you have example.com and you only want the login cookie for the path example.com/afterlogin/; then you can set the path here, so the cookie will only be sent when the request is for that path.

"cookie_secure, cookie_httponly, cookie_domain and cookie_path are all settings that configure the cookie parameters stored in your browser, and they relate to the browser/client that supports cookies. It means we are just directing the browser how to behave with our cookie."
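The settings h) to n) above can all be applied from PHP code before session_start(). The following is an added example (not code from the original post) showing the cookie-only, HttpOnly, Secure configuration together with a small check that reports which of those flags a deployment has left off. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and the SameSite attribute; the userId parameter and the logging destination are assumptions.

```php
<?php
// Added example (not from the original post): configure the session cookie
// settings discussed above before session_start(), then audit them.
// Assumes PHP >= 7.3.

declare(strict_types=1);

function configureSessionCookies(bool $httpsOnly = true): void
{
    // Session id must come from the cookie only; never from the URL (use_trans_sid)
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session ids the server never issued (uninitialized ids from the client)
    ini_set('session.use_strict_mode', '1');

    // cookie_lifetime 0 = no expiry attribute, the cookie ends with the browser session
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',        // cookie_path: whole host
        'domain'   => '',         // cookie_domain: host-only; use '.example.com' to share www/non-www
        'secure'   => $httpsOnly, // cookie_secure: only sent over HTTPS (breaks HTTP pages, see l) above)
        'httponly' => true,       // cookie_httponly: not readable from JavaScript
        'samesite' => 'Lax',      // not sent on cross-site POST requests
    ]);
}

// Report cookie parameters that weaken the session; pass session_get_cookie_params()
function auditSessionCookieParams(array $params): array
{
    $findings = [];
    if (empty($params['secure'])) {
        $findings[] = 'secure flag not set: cookie may be sent over plain HTTP';
    }
    if (empty($params['httponly'])) {
        $findings[] = 'httponly flag not set: cookie readable by JavaScript';
    }
    if (empty($params['samesite'])) {
        $findings[] = 'samesite not set: cookie sent on cross-site requests';
    }
    if (ini_get('session.use_only_cookies') !== '1') {
        $findings[] = 'use_only_cookies is off: session id may be taken from the URL';
    }
    return $findings;
}

// After a successful login, issue a fresh id so that an id seen or chosen
// before authentication cannot be reused for the authenticated session.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

configureSessionCookies(true);
session_start();

foreach (auditSessionCookieParams(session_get_cookie_params()) as $finding) {
    error_log('session config: ' . $finding); // assumed logging destination
}
```

Everything set with ini_set() here can equally go into php.ini; the code form is useful when the same application runs under different php.ini files. The audit function reads back what PHP will actually send, so it catches a php.ini that silently overrides the intended values.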

Session Management with PHP, part-3

In the earlier part,

Session Management Part-2

we had many questions. One of them is

1) Is it only possible through cookies? If not, then what and how?

By default "Yes", but we have other approaches as well.

The only requirement is to pass the session id back to the server with each request made from the browser, in order to maintain the session between requests.

It can be passed:

By Using HTTP Action

  • By setting a GET parameter in the URL, like http://localhost/test.php?PHPSESSID=ikf5jmfd1r84pd4c181ov5jdd2
    • Pros :
        • Easy to implement
        • Has native support in PHP, which is disabled by default
        • Works if the client does not support cookies
    • Cons :
        • Not good from the security aspect, as the session id is exposed in the URL; it can be shared by the user without knowing much about it. Although it can be implemented securely, it is not advisable unless required.
        • URLs are not clean
  • By sending it along with the data in a POST request; but in that case, every request made to the server must be a POST request
      • This is just an alternative to the GET action and has the same pros and cons. It needs its own implementation.

By Header

We can set a custom parameter in the request header of a request.

  • Pros: No dependency on the URL, so we have clean URLs
  • Cons: Can be set only in an XMLHttpRequest, meaning the request is created by you, not by the browser's default behavior. So it may be useful where SOA (service-oriented architecture) is used.

Now I will tell you more about sending the session id in a GET request, as this is the old way and has built-in support in PHP.

Although support for this is disabled by default, it can be enabled by changing the below parameter in php.ini

session.use_trans_sid = 1

By default it is zero.

If it is enabled, PHP can parse the session id from the GET parameter of the request URL.

So now the question is, what will the URL look like?

Your URL would be like

http://localhost/test.php?PHPSESSID=ikf5jmfd1r84pd4c181ov5jdd2

Now you may have another question: is the key PHPSESSID fixed?

No, you can change that with this setting in php.ini

session.name = PHPSESSID

Ok, that’s cool.

Now let me test in the browser.

Say you test a PHP page in the browser that has some anchor tags.

You check the source and see that there is nothing related to the session in the href URLs?

So, what the heck?

Actually, even if you set this, PHP will not build the session-id-based URLs for you.

First it will fall back to the cookie. So first turn off this setting in PHP

session.use_only_cookies = 0

To check that,

either you can turn off cookies in the browser, OR use this flag in php.ini to turn off support for the session cookie.

session.use_cookies = 0

Now you see that it is working.

If some of you face an issue, please check the below setting; it should have a value like this. This value means PHP will by itself add the session id to the listed tags, for example the value of the HTML anchor tag <a href>.

url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

For example,

I have a page source like this

<?php
session_start();

$_SESSION['key1'] = 'page 1';

print_r($_SESSION);

?>

<p><a href="page_2.php">Page 2</a>
<p><a href="page_3.php">Page 3</a>
<p><a href="page_4.php">Page 4</a>

<p><form action="page_5.php">
</form>

After the above settings, when it was rendered in the browser, its source code was

[screenshot "trans_sid": the rendered page source, with the URLs and the form rewritten by PHP]

You can see that PHP has already converted the URLs and the form to carry the session id parameter.

No extra code is required. You can control which HTML tags are rewritten by using url_rewriter.tags.
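To make the rewriting visible without a browser, here is an added example (not code from the original post, and not PHP's own rewriter, which runs inside the output layer) that models what url_rewriter.tags does to the page before it is sent: it parses the tag=attribute list, appends name=id to relative URLs in the listed attributes, adds a hidden field to forms, and leaves absolute URLs to other hosts alone, which is the behaviour session.trans_sid_hosts exists to control. The sample page and the session id are constructed for the example; PHP 8.0 or later is assumed for str_starts_with() and str_contains().

```php
<?php
// Added example (not from the original post): a simplified model of the
// trans_sid / url_rewriter.tags rewriting. Only double-quoted attribute values
// are handled, which is enough to show where the session id ends up.
// Assumes PHP >= 8.0.

declare(strict_types=1);

// Parse "a=href,area=href,form=fakeentry" into ['a' => 'href', ..., 'form' => 'fakeentry']
function parseRewriterTags(string $spec): array
{
    $tags = [];
    foreach (explode(',', $spec) as $pair) {
        [$tag, $attr] = array_pad(explode('=', trim($pair), 2), 2, '');
        if ($tag !== '' && $attr !== '') {
            $tags[strtolower($tag)] = strtolower($attr);
        }
    }
    return $tags;
}

// Rewrite one HTML document: append name=id to relative URLs in the configured
// attributes and insert a hidden input after each <form ...> opening tag.
function rewriteSessionId(string $html, array $tags, string $name, string $id): string
{
    return preg_replace_callback('/<(\w+)([^>]*)>/i', function (array $m) use ($tags, $name, $id): string {
        $tag = strtolower($m[1]);
        if (!isset($tags[$tag])) {
            return $m[0]; // tag not listed in url_rewriter.tags: untouched
        }
        $attr = $tags[$tag];
        if ($attr === 'fakeentry') {
            // "fakeentry" means: do not touch an attribute, add a hidden field instead
            $hidden = sprintf('<input type="hidden" name="%s" value="%s" />',
                htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($id, ENT_QUOTES));
            return $m[0] . $hidden;
        }
        $attrPattern = '/\b' . preg_quote($attr, '/') . '\s*=\s*"([^"]*)"/i';
        $rewritten = preg_replace_callback($attrPattern, function (array $a) use ($attr, $name, $id): string {
            $url = $a[1];
            // Absolute URLs point at other hosts: the id is not appended (cf. session.trans_sid_hosts)
            if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $url) || str_starts_with($url, '//')) {
                return $a[0];
            }
            $sep = str_contains($url, '?') ? '&' : '?';
            return sprintf('%s="%s%s%s=%s"', $attr, $url, $sep, rawurlencode($name), rawurlencode($id));
        }, $m[2]);
        return '<' . $m[1] . $rewritten . '>';
    }, $html);
}

// Constructed sample: the default url_rewriter.tags value, the page from the
// post plus one external link, and a made-up session id.
$tags = parseRewriterTags('a=href,area=href,frame=src,input=src,form=fakeentry');
$page = '<p><a href="page_2.php">Page 2</a>' . "\n"
      . '<p><a href="https://other.example/x">External</a>' . "\n"
      . '<p><form action="page_5.php"></form>';

echo rewriteSessionId($page, $tags, 'PHPSESSID', 'ikf5jmfd1r84pd4c181ov5jdd2');
```

Running it shows the point of the security con listed earlier: every relative link on the page now carries the session id, so anything that copies a link (a user sharing it, a browser history, a proxy log) copies the session id with it. The external link is the one place the id is not written, which is exactly why session.trans_sid_hosts should stay limited to your own hosts if trans_sid is enabled at all.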

You can play with this yourself and check the behavior.

Notes:

  • PHP has support for taking the session id from sources other than the cookie, but by default that is disabled.
  • You can enable that support by altering php.ini
  • Both mediums, Cookie and Action, can be supported at the same time
  • But first, PHP will fall back to the Cookie
  • Although PHP has support for ACTION-based Session IDs, it is not advisable.

We will cover the other questions in the next part…
