I've been trying to do some session data checking on pages, to see that they aren't accessed from a computer other than the one that initiated the session. The page entry script stores 2 variables (REMOTE_ADDR and HTTP_USER_AGENT) in the $_SESSION['details'] array. Here's the code snippet which checks whether the session identifier was hijacked.
    <?php
    if (isset($_REQUEST['PHPSESSID'])) {
        session_start();
        // compare the stored client details with the current request
        if ($_SESSION['details'] !== array($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'])) {
            setcookie('PHPSESSID', session_id(), 1, '/'); // deleting cookie (expiry in the past)
            header('Location: /invalid.php');
            exit; // stop here so the rest of the page is not executed after the redirect
        }
    }
The thing I don't like here is that if there was a bogus identifier, session_start() will send one cookie to the browser, and immediately after that setcookie() will send one more, deleting cookie, for example:
    Set-Cookie: SID=f9862a45b346acbb92f3d381beecd02b; path=/
    Set-Cookie: SID=f9862a45b346acbb92f3d381beecd02b; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Maybe there's a way to access the session data without session_start(), so those double cookies can be avoided? I would like to send only one cookie: the deleting cookie.
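One way to keep the same check while emitting a single Set-Cookie header, as an added example that is not the asker's code: validate the id's shape before session_start(), let PHP's strict mode refuse ids the server never issued, and on a mismatch drop the cookie queued by session_start() before sending the deleting one. It assumes PHP 5.5.2 or later (session.use_strict_mode; header_remove() needs 5.3) and that ini_set() is permitted at runtime.

```php
<?php
// Added example, not the original post's code. Binds a session to the
// client's IP and User-Agent as the post does and sends at most one cookie.
const SESSION_NAME = 'PHPSESSID';

// PHP session ids consist of [A-Za-z0-9,-] whatever sid_bits_per_character is;
// anything else is rejected before session_start() ever sees it.
function looksLikeSessionId($id)
{
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
}

function clientFingerprint()
{
    // REMOTE_ADDR binding breaks for clients whose IP changes mid-session;
    // it is kept here because the post relies on it.
    return array($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT']);
}

// Exactly one Set-Cookie header leaves this function: the deleting one.
function dropSessionAndRedirect()
{
    if (session_id() !== '') {
        $_SESSION = array();
        session_destroy();
    }
    header_remove('Set-Cookie');          // discard any cookie queued by session_start()
    setcookie(SESSION_NAME, '', 1, '/');  // expiry in 1970: browser deletes the cookie
    header('Location: /invalid.php');
    exit;
}

ini_set('session.use_only_cookies', 1);  // ignore PHPSESSID passed in the URL or POST body
ini_set('session.use_strict_mode', 1);   // an id the server never issued gets replaced
ini_set('session.cookie_httponly', 1);

if (isset($_COOKIE[SESSION_NAME]) && !looksLikeSessionId($_COOKIE[SESSION_NAME])) {
    dropSessionAndRedirect();            // malformed id: never start a session for it
}

session_start();                         // sends a cookie only when a new id is issued
if (!isset($_SESSION['details'])) {
    // Fresh session (or strict mode replaced an unknown id): issue our own id so a
    // client-chosen one can never be adopted, then record the client details.
    session_regenerate_id(true);
    $_SESSION['details'] = clientFingerprint();
} elseif ($_SESSION['details'] !== clientFingerprint()) {
    dropSessionAndRedirect();            // hijack check failed: one deleting cookie only
}
```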