views: 420
answers: 6
Sessions in PHP seemed to have changed since the last time I used them, so I'm looking for a simple way of using sessions but at the same time for it to be relatively secure and a good common practice.

A: 

First off, use cookie-based only unless you have a very specific good business reason not to. I had a client that insisted on URL-based sessions only for a project. Very insecure and a pain to work with.

One good idea is to regenerate the session on each request. This makes hijacking much less likely. For example:

session_start();
$old_sessionid = session_id();            // id the client presented
session_regenerate_id();                  // issue a fresh id for this session; pass true to delete the old session data as well
$new_sessionid = session_id();            // id the client will use from now on

Another thing that is good practice is, if you are doing some kind of user login as part of the system, to completely invalidate and empty the session data on logout to ensure that the user is truly logged out of the system. I have seen systems where logout is accomplished just by removing the session cookie.

Laith
+2  A: 

As far as simplicity, it doesn't get any better than:

# Start the session manager
session_start(); 

# Set a var
$_SESSION['foo'] = 'whatever';

# Access the var
print $_SESSION['foo'];
dittonamed
A: 

You can store PHP sessions in a database, as described in this book. I have used this method and I find it secure and easy to implement, so I would recommend it.

Oko
+3  A: 

Session management changed some time back (I think it was around 4.4). The old mechanism still works, but is deprecated. It's rather confusing, so I recommend staying clear of it. Today, you use sessions by accessing the global variable $_SESSION (It's an array). You can put object instances in there, but you need to load the class definitions for those objects before starting the session on the next page. Using autoload can help you out here.

You must start a session before you can use $_SESSION. Since starting the session sends headers, you can't have any output before. This can be solved in one of two ways: Either you always begin the session at the start of your script. Or you buffer all output, and send it out at the end of the script.

One good idea is to regenerate the session on each request. This makes hijacking much less likely.

That's (slightly) bad advice, since it can make the site inaccessible. You should regenerate the session id whenever a user's privileges change, though. In general that means whenever they log in. This is to prevent session fixation (a form of session hijacking). See this recent thread at Sitepoint for more on the subject.

Using cookie-based sessions only is OK, but if you regenerate session ids on login, it doesn't add any additional security, and it lowers accessibility a bit.

troelskn
I have gone over to that Sitepoint forum and taken a look. From what I can see they actually seem to recommend id regeneration as well as using cookie only overall.
Laith
Look closely. Regenerate session ids, yes, but *only* when you need to. That means when the user logs in.
troelskn
Not everyone in the thread agrees with that stance.
Laith
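The two answers above agree on three concrete points: cookie-only sessions, regenerating the id when privileges change (at least on login), and fully invalidating the session on logout rather than just dropping the cookie. The following is an added example that puts them together; it is not code from either poster. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()` and `setcookie()`), and `login_user()`, `logout_user()` and the `$user_id` value are hypothetical names standing in for the application's own authentication code.

```php
<?php
// Added example, not from any answer on this page. Assumes PHP >= 7.3.

// Cookie-only sessions: never accept or emit the session id in the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Keep JavaScript away from the cookie and send it only over HTTPS when
// the request itself came over HTTPS.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => isset($_SERVER['HTTPS']),
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function login_user(int $user_id): void
{
    // Privileges change here, so swap the id. Passing true deletes the old
    // session record, so an id that was fixated or observed before login
    // no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $user_id, 'login_at' => time()];
}

function logout_user(): void
{
    // 1. Wipe the server-side data...
    $_SESSION = [];

    // 2. ...expire the client's cookie with the same attributes it was set with...
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }

    // 3. ...and destroy the session record itself so the old id is dead
    //    even if a copy of the cookie survives somewhere.
    session_destroy();
}

function current_user_id(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

// Usage sketch (authenticate() is a hypothetical placeholder):
// if (authenticate($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//     login_user($user_id);
// }
// ...later, on the logout page:
// logout_user();
```

The `ini_set()` calls only take effect if they run before `session_start()`; in practice they belong in php.ini or a bootstrap file that every page includes, so that no entry point forgets them.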
+1  A: 

While a database might be more secure for sessions, you should focus on what you're storing in the session in the first place - it should not really contain anything but an ID to identify the user (and MAYBE a first name or a temporary variable between pages).

I would suggest simply using the default, cookies. Database sessions give an extra hit ON EVERY PAGE, and even though not every site is slashdot, there's no harm in pre-optimizing something as simple as this.

For usage, I would recommend the standard global variable:

$_SESSION['yourvar'] = 'somevalue';

If you use that method in all your code, you can easily change the back-end later through the use of session_set_save_handler, which gives a unified way of implementing session backends. Note that you can use an object to contain all the session handling, simply give arrays to each entry - array('Staticclass', 'staticmethod').

For more in-depth usage, I would recommend you take a look at how sessions are handled in KohanaPHP.

Christian P.
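Oko's answer above recommends storing sessions in a database, and the answer just above explains that `session_set_save_handler` lets you swap the backend without touching code that uses `$_SESSION`. The following added example (not code from either poster, nor from KohanaPHP) shows the two together: a `SessionHandlerInterface` implementation backed by PDO. It uses an SQLite file so it runs without a database server; the DSN, the `sessions` table name and its columns are assumptions to adapt to your own schema. It assumes PHP 7.4 or later for typed properties.

```php
<?php
// Added example, not from any answer on this page. Assumes PHP >= 7.4.

class PdoSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $maxLifetime;

    public function __construct(PDO $db, int $maxLifetime)
    {
        $this->db = $db;
        $this->maxLifetime = $maxLifetime;
        // Assumed schema; create it up front so the example is self-contained.
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id       TEXT PRIMARY KEY,
            data     TEXT NOT NULL,
            modified INTEGER NOT NULL)');
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    public function read($id): string
    {
        // Ignore records older than the configured lifetime even if gc()
        // has not run yet, so an expired id cannot be resumed.
        $st = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND modified > :cutoff');
        $st->execute([':id' => $id, ':cutoff' => time() - $this->maxLifetime]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    public function write($id, $data): bool
    {
        // The id arrives from the client's cookie: always bind it, never
        // interpolate it into the SQL string.
        $st = $this->db->prepare(
            'REPLACE INTO sessions (id, data, modified) VALUES (:id, :data, :modified)');
        return $st->execute([':id' => $id, ':data' => $data, ':modified' => time()]);
    }

    public function destroy($id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $st->execute([':id' => $id]);
    }

    public function gc($maxLifetime): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE modified < :cutoff');
        $st->execute([':cutoff' => time() - $maxLifetime]);
        return $st->rowCount();
    }
}

// Wiring: any PDO DSN works here; SQLite is used so this runs stand-alone.
$pdo = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new PdoSessionHandler($pdo, (int) ini_get('session.gc_maxlifetime'));

// Register the object before starting the session; true also registers
// session_write_close() as a shutdown function.
session_set_save_handler($handler, true);
session_start();

// Application code is unchanged: it still reads and writes $_SESSION.
$_SESSION['yourvar'] = 'somevalue';
```

The array-of-callbacks form the answer mentions (`array('Staticclass', 'staticmethod')` for each of open/close/read/write/destroy/gc) still works, but passing an object that implements `SessionHandlerInterface` keeps the six callbacks together and lets the handler carry state such as the PDO connection.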
A: 

Encapsulate the $_SESSION array in a Session object that allows you to get variables from session, GET, and POST in a similar (yet dissociable) way, including automatic security filters, flash variables (vars that are used once then destroyed), and default value setters.

Have a look at the behaviour of Symfony on that point, it's very helpful.

e-satis
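The answer above describes a wrapper object rather than showing one. The following added example is a minimal version of that idea written for this page; it is not Symfony's session component and copies none of its API. The class name `Session`, the `__flash` key and the method names are assumptions; input filtering uses PHP's own `filter_var()`.

```php
<?php
// Added example, not from the answer above or from Symfony.

final class Session
{
    private const FLASH_KEY = '__flash';

    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $_SESSION[self::FLASH_KEY] = $_SESSION[self::FLASH_KEY] ?? [];
    }

    /** Trusted, server-side state with a default when the key is absent. */
    public function get(string $key, $default = null)
    {
        return $_SESSION[$key] ?? $default;
    }

    public function set(string $key, $value): void
    {
        $_SESSION[$key] = $value;
    }

    public function remove(string $key): void
    {
        unset($_SESSION[$key]);
    }

    /** Store a value that survives exactly one later read. */
    public function setFlash(string $key, $value): void
    {
        $_SESSION[self::FLASH_KEY][$key] = $value;
    }

    public function getFlash(string $key, $default = null)
    {
        if (!array_key_exists($key, $_SESSION[self::FLASH_KEY])) {
            return $default;
        }
        $value = $_SESSION[self::FLASH_KEY][$key];
        unset($_SESSION[self::FLASH_KEY][$key]);   // one-shot: removed on first read
        return $value;
    }

    /**
     * Request input (POST first, then GET) lives in its own accessor so it is
     * never confused with trusted session state, and it is validated with a
     * filter on the way out. A value that fails the filter yields $default.
     */
    public function input(string $key, $default = null, int $filter = FILTER_DEFAULT)
    {
        $raw = $_POST[$key] ?? $_GET[$key] ?? null;
        if ($raw === null) {
            return $default;
        }
        $clean = filter_var($raw, $filter);
        return $clean === false ? $default : $clean;
    }

    /** Escaped variant for writing a session value straight into HTML. */
    public function html(string $key, string $default = ''): string
    {
        return htmlspecialchars((string) $this->get($key, $default), ENT_QUOTES, 'UTF-8');
    }
}

// Usage: the page that handles a form...
$s = new Session();
$s->set('user_id', $s->input('id', 0, FILTER_VALIDATE_INT));
$s->setFlash('notice', 'Profile saved');

// ...and the page it redirects to, where the flash message is read and removed.
echo $s->getFlash('notice', '');
```

Keeping request input behind a separate accessor (`input()`) instead of merging it into the same `get()` as session data is the "dissociable" part: code that reads `$s->get('user_id')` can only ever see what the server stored, never something the client sent in the query string.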