Why does the PHP Manual give this Caution for session_register()?

"If you are using $HTTP_SESSION_VARS/$_SESSION, do not use session_register(), session_is_registered() and session_unregister(). "

Don't you have to use session_register() to register a session variable, and $HTTP_SESSION_VARS to retrieve the variable from the session?

Thanks,

Ed

    To make your task easier, just call this:
    $HTTP_SESSION_VARS['var'] = "ABC";

    PHP will check whether it exists or not; if not, PHP will register it for you.

      I am aware that you can use $HTTP_SESSION_VARS as an alternative, but do you know why the manual recommends not using session_register()?

      Ed

        session_register('varname') creates a global variable called $varname, that's supposed to contain the sessioned value of that variable.

        It's equivalent to $varname = &$_SESSION['varname']. Or at least, that was the idea - it was buggy until 4.3.

        If you look through some of the posts on this forum about sessions, you'll find that a lot of them are caused by people giving $varname a value, then using session_register('varname'), and wondering why $varname has lost the value they just gave it.

        The extra assignment ($varname = &$_SESSION['varname']) means more work, means that it's harder to see in the code which variables are session variables and which aren't. Basically, it's a matter of treating session variables in some weird abnormal way when they could just as easily be handled the same way as any other variable.

        In other words, not using session_register() is faster and simpler.

        Start a session:
        session_start();

        Use a session variable:
        $thing = $_SESSION['varname'];

        Set a session variable:
        $_SESSION['varname'] = $thing;

        Clear a session variable:
        $_SESSION['varname'] = null;

        I see also in the manual that it states:

        Caution

        If you want your script to work regardless of register_globals, you need to use the $_SESSION array. All $_SESSION entries are automatically registered. If your script uses session_register(), it will not work in environments where register_globals is disabled.

        Not that I entirely understand this, but then, I always work with register_globals off and $_SESSION[] anyway.

        I could turn your question around: what advantages are there to session_register()?

          Thanks. That helps with my thinking.

          I was thinking more with vulnerability. Are there any security issues with using session_register(), or is it safer to use $_SESSION to create session variables?

          Can someone post via URL a variable that could be placed into a session that could give them access to someone else's session?

          In my own script for finding a session value, I have tried to build a safety precaution by seeing if anyone posts the session variable I am looking for via GET or POST. If they are trying to post that variable, I kick them out.

          In the example below, since I never POST the "user_id" via URL or a POST, I know something is wrong.

          EXAMPLE:

          // Returns the logged-in user's id from the session, or stops the request.
          function find_session() {
              global $HTTP_SESSION_VARS;
              global $HTTP_POST_VARS;
              global $HTTP_GET_VARS;

              // user_id is never sent by GET or POST, so its presence means something is wrong.
              if (isset($HTTP_POST_VARS['user_id']) || isset($HTTP_GET_VARS['user_id'])) {
                  echo "<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>Error</BODY></HTML>";
                  exit;
              }

              // Use only the value stored in the session.
              if (isset($HTTP_SESSION_VARS['user_id'])) {
                  return $HTTP_SESSION_VARS['user_id'];
              }

              // No session value: ask the visitor to log in.
              echo "<html><head><title>Sorry, You Must Be Logged In</title></head><body>";
              echo "Sorry, but you must be logged in to access this page.<p>To log in to your account, <a href='login.php'>click here</a>.";
              echo "</body></html>";
              exit;
          }

          ============================

          Ed
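
Added example, not part of the thread or of any poster's code: a script for a current PHP CLI that emulates the two behaviours discussed above, since session_register() and register_globals have both been removed from PHP. The function names, the `extract()` stand-in for register_globals and the sample arrays are assumptions made for this illustration.

```php
<?php
// Added illustration. session_register() and register_globals no longer
// exist, so both are emulated (assumption); $request and the session
// arrays below are constructed sample data, not real request input.

// The binding described in the thread: $varname = &$_SESSION['varname'].
function bind_after_assign(array &$session)
{
    $varname = 'ABC';                  // value set before "registering"
    $varname = &$session['varname'];   // rebinding discards 'ABC'
    return $varname;                   // now whatever the session entry holds
}

// Legacy style: request parameters and session entries share one namespace
// of bare variables, so the code cannot tell where $user_id came from.
function legacy_lookup(array $request, array $session)
{
    extract($request);                 // stands in for register_globals=On
    extract($session);                 // stored session entries overwrite
    return isset($user_id) ? $user_id : null;
}

// $_SESSION style: the identity is read from the session array only, and a
// request that carries user_id is refused, as find_session() above does.
function strict_lookup(array $request, array $session)
{
    if (array_key_exists('user_id', $request)) {
        return false;                  // unexpected parameter: refuse
    }
    return isset($session['user_id']) ? $session['user_id'] : null;
}

$empty     = [];                       // session with no 'varname' entry
$anonymous = [];                       // visitor who never logged in
$loggedIn  = ['user_id' => 42];        // constructed session contents
$request   = ['user_id' => '7'];       // constructed GET/POST parameters

var_dump(bind_after_assign($empty));            // value lost after binding
var_dump(legacy_lookup($request, $anonymous));  // request value leaks in
var_dump(legacy_lookup($request, $loggedIn));   // session entry wins
var_dump(strict_lookup($request, $anonymous));  // request refused
var_dump(strict_lookup([], $loggedIn));         // session value only
var_dump(strict_lookup([], $anonymous));        // not logged in
```

The second call is the case the question asks about: with no session entry to overwrite it, the bare variable holds whatever the request supplied, while the array lookup never reads request input.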
