will session survive if i visit another site?

sneakyimp

i'm using the super basic, out-of-the-box php session functionality. I call session_start() and then when someone logs in i set $_session['var'] to indicate the user is logged in.

If I redirect a user to a different site (e.g., paypal) which then redirects them back to my site, will the session still be alive? It seems to work sometimes on my computer and better for firefox than for IE but I'm wondering about the general case.

My php is configured with trans-sid enabled. There are a whole bunch of session-related options in the php config which probably have some impact in this. like:

session.referer_check
session.use_trans_sid
session.cookie_lifetime
session.cache_expire

etc. I'm not even sure how to set those. they in php.ini?

Weedpacket

Yes, those are in php.ini, along with notes about what they do.

Will the session remain active?

If the user's browser is storing the session ID in a session cookie, then yes; the browser will retain that cookie until it is shut down. (If the user spends too long on the other site, then your site's server might figure that the user has left and expire its copy of the session ID, and subsequently garbage-collect the data.)

If the session ID is being passed by URL, then no. The session ID is not embedded into off-site links (for obvious security reasons), and the other site certainly won't embed it into URLs leading back to your site.

sneakyimp

Thanks, weedpacket.

I kinda thought the cookies might retain the session through a visit to another site. I'll read the INI file notes.

I've also read some nasty things about trans-sid and search engines. yech. see here:
http://www.mtdev.com/2002/06/why-you-should-disable-phps-session-use_trans_sid/

Is there any reliable way to determine if the server is propagating session ids thru URL or not?

Weedpacket

If memory serves, if the SID is propagating through the URL it is available as a $GET[] element; if not I'm pretty sure it's among the $SERVER variables as part of the Request-URI.

But if you're concerned, you can turn that off completely with session.use_only_cookies=On. And if you turn trans-SID off, then the only way it can get in is if you put it in there manually.

MarkR

Session cookies should last as long as they're supposed to last, regardless of what other sites you visit.

BUT if you don't canonicalise your URLs, they may belong to a different site. http://www.example.com/ and http://example.com/ ARE DIFFERENT SITES for purposes of resolving cookies.

Ensure that your site is accessible through exactly one URL - if you have other domains you want to use, set up redirects on those instead.

Mark

sneakyimp

alrighty here...from the PHP.ini

; Whether to use cookies.
session.use_cookies = 1

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1

; Name of the session (used as cookie name).
session.name = PHPSESSID

I'm wondering if $_GET['PHPSESSID'] will contain my session id if cookies are off? Maybe I'll try an experiment.

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

What exactly does that comment mean? I'm guessing that the cookie will expire immediately if you close your browser. With regard to MarkR's comment, this probably determines how long the session would last if I were to close my browser?

As for the session expiring, I've noticed that certain sites (like most of my online mail sites) will timeout after a few minutes. In that case, the cookie is probably still there and valid but the server has determined that the session belonging to that cookie is old and therefore expired.

I've noticed that when firefox is running, ALL windows share all sessions--or at least that's how it seems to me. IE is a little different. All child windows of a particular session share that session where as parent or 'cousin' windows do not.

For anyone who is curious...

; PHP 4.2 and less have an undocumented feature/bug that allows you to
; to initialize a session variable in the global scope, albeit register_globals
; is disabled.  PHP 4.3 and later will warn you, if this feature is used.
; You can disable the feature and the warning separately. At this time,
; the warning is only displayed, if bug_compat_42 is enabled.

session.bug_compat_42 = 0
session.bug_compat_warn = 1

This is pretty interesting...sadly, referer is set by the user's browser and so this is probably not such a helpful thing to turn on. It would definitely break a session if users were directed to a payment site and then returned.

; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =

I have no idea what this doing. Can anyone tell me?

; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
session.cache_limiter = nocache

I'm guessing this one means that if i leave my browser open for up to three hours then the session will still be valid, right? Is there anyway to reduce this value at run time?

; Document expires after n minutes.
session.cache_expire = 180

And here's the big one. More dangerous than I thought.

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
;   to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
;   in publically accessible computer.
; - User may access your site with the same session ID
;   always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0

I know that PHPBB has gobs of custom session handling code and that each and every URL in the project is modified to append the session id by a single function. I've also seen how all session data is stored in a database rather than using the files approach which is the PHP default. Is writing your own session management code the only way to affect how long a session remains valid if the user keeps their browser open?

And thanks, MarkR for the comment on canonicalising URLs. What does that word mean exactly? I think i kinda know...i have a single file i include throughout my application that could redirect everyone who goes to mydomain.com to www.mydomain.com instead (or vice versa). Any advice on how to affect this? Is it better with or without www?

XPertMailer

If the session id is set on cookie and the browser will keep this cookie then it's no problem, session will be there 🙂