session_start()

johnie

Hi. I use sessions on a cart application. I initialize the session on the cart page using session_start(). However when i'm out of that page, i can't read the $_SESSION["CART"].
If i use session_start() in an included file, which is anyway included everywhere in the application, then i can read the var anywhere.

Isn't $_SESSION superglobal?

The problem i have is that due to i'm hosted on a shared environment, the first time someone visits the page, all the links, dynamic and static have the session id passed on like link.php?PHPSESID=xxxxxxxxxxxx
This is bad for the search engines. The rest of the pages don't have the session id.
That is why i tried to have session_start only on the cart page, so that i start it only when it's needed.

Thanks,
John

PHPGuru2

Yes, $SESSION is a superglobal, but unless session_start() is called, you cannot access $SESSION variable. If you would like to avoid session name and id to be embeded in the URL, you can turn off session.trans_id in PHP.INI (from PHP 4.3.0 up, it is off by default).

Even if search engine crawls your site and save a URL that has a session name and ID, I don't think it doesn't matter as long as your script checks required $SESSION variable and depends on the condition, your script can redirect to a right place. (for example, if you have a login protected page, you can check $SESSION['login'] and if it is not set or not set to true, then redirect to login page. etc.)

johnie

So session_start() can't be initiated only once? It needs to be initiated all the time.

My concerns about search engines, is about those that don't crawl dynamic sites. It has nothing to do about security or functinality. If all the links, even static, have an ID attached to them then they are considered dynamic. The ID is attached only on the first page someone visits on the site. From the second page on there isn't any ID.

John

PHPGuru2

Yes, every page requires session_start() in order to use $SESSION globals. If you would like to avoid using it in all pages, then you can set a cookie that holds session name and ID on the client side. In the page where you use session, you can check and see if cookie is set and if $SESSION variable with the session ID matches and exists (not expired), then you can proceed rest of the script and so on.

The reason you are only seeing PHPSESSID=.... in the first page and not from the second page and so on is that the session.trans_id in PHP.INI is enabled and it takes care of passing session name and id from one page to the another invisibly. I'm not 100% for sure, but regardless it is enabled or disabled, I think session is carried to every page within the domain where session is started.