[nycphp-talk] Session basics

Michael Sims jellicle at gmail.com
Wed Aug 10 15:26:35 EDT 2005


On Wednesday 10 August 2005 12:10, Brian O'Connor wrote:

> I have a question about the basics of sessions you listed though - you
> say that you provide the user with a cookie that contains a long string;
> what if they don't allow cookies? Are you referring to the session as a
> cookie?

The cookie *is* the provided mechanism for maintaining state.  To me, 
questions about maintaining state when the user has disabled cookies are 
like questions about how to display the color red when the user has pulled 
the red gun out of his monitor.

You can try to maintain state in other ways, such as appending a GET 
variable to every URL.  This is a poor substitute for cookies (and if the 
user is that concerned about tracking, they should manually delete that GET 
variable anyway, thwarting you.)  If you *need* sessions, require cookies.

> And I have a question about my current system:
> As of right now, I create 3 sessions for each user: userID, user, and
> pass (md5 of it, I never directly deal with the user's password). The
> reason I think my current system is poor is because I trust the session,
> and I only check the 'userID' session for authentication. So for
> instance, if the userID is mine (i.e., 16), and that userID has access to
> certain areas of the website, I allow it, without any further checks.

I think your terminology is a little confused.  Remember that PHP's built-in 
functions are just one specific way to handle the generic idea of 
state-tracking.  PHP uses a PHPSESSID for its long string.  This is 
"behind-the-scenes" to you - you never explicitly assign it - if you're 
using the built-in functions.  You could create and assign and use your own 
long random string and write your own session-handling code if you wished.

That is, your browser is sending PHPSESSID (not 'userID'), and PHP is 
automagically seeking a session file with that name on disk, and retrieving 
your 'userID' variable from that file, and making it available to the rest 
of the PHP script.  Assuming that PHPSESSIDs are random and long enough to 
be unguessable, this isn't a security flaw.


Michael Sims
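The built-in mechanism described in the reply above, as an added example that is not part of the original post: the browser only ever sends PHPSESSID, the 'userID' is kept in the server-side session store, and access checks read it from there. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params); the function names login_user, current_user_id and require_user are hypothetical.

```php
<?php
// Added example, not from the original post. The client holds only the
// PHPSESSID cookie; 'userID' exists only in the server-side session store.
declare(strict_types=1);

// "If you need sessions, require cookies": never accept or emit the session
// ID in a GET variable, reject unknown client-supplied IDs, and keep the
// cookie out of reach of page scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);
session_start();

/**
 * Called once credentials have been verified elsewhere (hypothetical).
 * Only the user ID goes into the session; the password, hashed or not,
 * is never needed again and is not stored.
 */
function login_user(int $userId): void
{
    // Issue a fresh PHPSESSID on privilege change so a pre-login ID
    // handed to the browser is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['userID'] = $userId;
}

/** Return the authenticated user ID, or null if the session has none. */
function current_user_id(): ?int
{
    return isset($_SESSION['userID']) && is_int($_SESSION['userID'])
        ? $_SESSION['userID']
        : null;
}

/** Gate a page on the server-side value, never on anything the client sent. */
function require_user(int ...$allowedIds): void
{
    $uid = current_user_id();
    if ($uid === null || !in_array($uid, $allowedIds, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

After verifying credentials, call login_user(16); a protected page then calls require_user(16) before rendering anything.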


