Sessions, scope, register_globals - HELP

Anon

I've read my book, the manual, and searched through a couple of forums on here.. still a bit confused..

For the past year I've been developing with ColdFusion. Scopes are great, you get URL.varname, FORM.varname and SESSION.varname. Sessions are all handled transparently. I know what I want to do but am not sure how to do it in PHP...

What I want to do is log the user in and store their ID in a session variable. At the top of every page I want to call a function to see if a valid user is logged in or not.

I started off with register_globals set to off and thought I'd use use $HTTP_SESSION_VARS["varname"] every time. No globals = less clutter. After reading around, it seems that it's not such a good idea so I've left it on.

Every page does require("common.php") to call session_start() and session_register. I think my problem comes with trying to access those session variables within a function (like my CheckUserAuth() function, called on each page). Do I need to do "global $varname" within my function to access those session variables? Can I do "global $HTTP_SESSION_VARS" ?

From the page that validates the login form, I use header("Location:..") to bounce the user to the index page. From my CheckUserAuth function, I use header again to bounce back to the login page if a valid user hasn't logged in. I read somewhere that someone had problems with doing this and using sessions - has anyone else had any problems?

Sorry for the long post but I'm trying to get to grips with variable scope and learning PHP all at the same time.. I could knock this up in ColdFusion in an instant but I want to be a PHP convert!

Thanks in advance
Paul

Anon

Also, I've seen references to passing SID on the URL, but I don't really want to get in to that.. I want PHP to take care of it all for me, automagically, like ColdFusion does.

Cheers
Paul

Anon

Paul, PHP's scoping rules make a little more sense if you know the history. The story is that early versions of PHP treated all variables as global, like primitive programming languages such as BASIC. The obvious danger of this is that any library function is liable to have a variable-namespace collision with the main code (particularly if different people are working on the different components).

One day Rasmus Lerdorf got tired of getting bitten by that shortcoming, and looked for an easy way to fix it. The answer was that functions got their own private namespaces, and could not "see" the global namespace. To allow a function to "see" specific global variables, the "global" keyword was added.

This is not how most programming languages work -- particularly C, which inspired much of PHP's syntax -- but it fixed the problem for Rasmus. The rest of us now have to learn that scoping in PHP is somewhat upside-down and the keyword "global" has a slightly different meaning that what you may be used to.

On your question about transparent session IDs, there are two ways of doing it.

One is to enable transparent SIDs in your server configuration. If that is turned on, PHP will scan all outgoing text for hrefs, and will insert the name=value pair for the session ID on the fly.

Or you can take the more common approach, which is to insert the constant SID (a constant, not a variable, so it does not have a $ sign) manually in any hrefs that you construct.

In both of these situations, PHP will first attempt to use cookies to manage the session identity token. If cookies are successful, the SID constant will be empty and no session ID name=value clutter will appear in the URL (you may, of course, insert other name=value pairs that you might want to propagate outside the session environment). If the user has for any reason disabled or cannot use cookies -- a braindead proxy server, for instance -- the SID constant will be populated and a longer URL will automatically be generated.

Hope this explains it.

Anon

At first glance, all this SID stuff might make it seem that Cold Fusion handles sessions more easily than PHP, but that's not really the case. In fact PHP, like CF, handles cookie-based sessions completely transparently. SID applies if you want to give your site the additional functionality of working without cookies as well. As a newbie, it might be easier to first try out sessions using cookies and add SID after you've got that down.

For more on implementing SID, and sessions in general, check out the annotated manual, http://www.php.net/manual/ref.session.php.

Anon

Thanks Steve - that pretty much confirms what I thought was happening... I've got a handful of variables that I want to be available to my whole application so I've created a "globals.php" which does "global varname" for each one - I can then require("globals.php") in each function that needs to access those variables.

I'll maybe have another play with register_globals as it was definitely causing me problems but I think that might have been related to the SID not being sent. My app is purely internal so I know that the users will always accept cookies - it shouldn't be a problem (famous last words, I know!).

Thanks again
Paul

Anon

Hi Beth

Thinking about it, I think CF is exactly the same as PHP for session handling, I've just never had to cope with the user not having cookies turned on. I remember when doing a <CFLOCATION> call we used to add ADDTOKEN="No" on the end of the tag. This stopped it from appending CFID and CFTOKEN to the URL. I guess these are CF's equivalent of PHP's SID?

I'm getting there now.. starting to look nice and work the way I want it to.. I just needed some confirmation that what I was doing was the right way to do it (or one of the right ways - like Perl programmers say: There's more than one way to skin a cat!).

Thanks again
Paul