using sessions questions

techlover

Ok, I am getting into using sessions more because it seems like the best way to pass data around.

My setup now has register globals OFF.

I have a page with this:
<?
session_start();
session_register('something');
session_register('something2');
?>

something and something 2 came in via get or post.

I get this notice:

Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled.

So my question is how do I use sessions now?

Is having register globals on really that big of a security bug to warrant all the extra work?

Thanks!

maniac1aw

your just missing a step

<? 
session_start(); 

$something=$HTTP_POST_VARS["something"];
$something=$HTTP_POST_VARS["something2"];
session_register('something'); 
session_register('something2'); 

//output them
echo $something=$HTTP_SESSION_VARS["something"];
echo $something=$HTTP_SESSION_VARS["something2"];
?>

as far as register_globals being a security hazard, you could still use register_globals but grab important data from the various arrays like $HTTP_SESSION_VARS but it is much easier to create a security hazard for yourself, where with them off you are forced to do the right thing. Personally I have them off, I do run this code if I want them on in a particular script

<?
	### register_globals = off ### +++
	//HTTP_GET_VARS
	while (list($key, $val) = @each($HTTP_GET_VARS)) {
	       $GLOBALS[$key] = $val;
	}
	//HTTP_POST_VARS
	while (list($key, $val) = @each($HTTP_POST_VARS)) {
	       $GLOBALS[$key] = $val;
	}
	//HTTP_POST_FILES
	while (list($key, $val) = @each($HTTP_POST_FILES)) {
	       $GLOBALS[$key] = $val;
	}
	//$HTTP_SESSION_VARS
	while (list($key, $val) = @each($HTTP_SESSION_VARS)) {
	       $GLOBALS[$key] = $val;
	}
### register_globals = off ### ---
?>

that will register globals for you. I find it useful to do post/get vars and normally I leave the session/misc private and access them through the arrays.

ajmoore

With register_globals turned off, the only real difference is instead of registering a session with session_register("varname") you would register it like so: $_SESSION["varname"] = "data";

for example:

session_start();
$_SESSION["variable"] = "some data";

then to access that on a subsequent page:

session_start();
echo $_SESSION["variable"];
[code=php]
your output would be "some data".
There is no longer any need to use session_register at all.