Basic Sessions Example - This look about right?

scrupul0us

I came up with a basic sessions example to work off of and I havent touched it in forever and wanted some feedback on it:

index.php

<?
if(empty($_POST['data']))
{
echo "Give me session data:";
echo "<form action=\"index.php\" method=\"post\">";
echo "<input type=\"text\" name=\"data\" id=\"data\"  />";
echo "<input type=\"submit\" name\"Post\" value=\"Post\"  /></form>";
}
else
{
if (!session_id()) { session_start(); }
$_SESSION["sess_var"]=$_POST['data'];

echo "Session Created: <br  />";
echo "The content of \$sess_var is " . $_SESSION['sess_var'] . "<br  /><a href=\"page2.php\">Next</a>";
}
?>

page2.php

<?
if (!session_id()) { session_start(); }
if (!$_SESSION['sess_var']) { header("Location: index.php"); }
echo "Session Carries Over: <br  />";
echo "The content of \$sess_var is " . $_SESSION['sess_var'] . "<br  />";
?>

<a href="page3.php">Next</a>

page3.php

<?
if (!session_id()) { session_start(); }
if (!$_SESSION['sess_var']) { header("Location: index.php"); }
echo "Session is Unset: <br  />";
unset($_SESSION['sess_var']);
echo "Session is Destroyed: <br  />";
session_destroy();
?>

<a href="index.php">Start Over</a>

does that look about right or is there a better way todo things?

my goal here; at least for this project coming up (shoping cart) is to just have an authed session across the cart pages (or maybe the entire site)

at any rate, any feedback is welcomed 🙂

thanks

troybtj

For a commerce app, I'd suggest encrypting/decrypting the variables between forms so "guts" info isn't tampered with using something like "FormHack" plugin for FireFox which lets you examine/change all the parts of PHPSESSIONID.

bradgrafelman

troybtj: Why would we care if people change PHPSESSIONID? Unless they've hijacked someone else's session ID, they can't touch the actual values in the session (in fact, if they alter the ID, they'll most likely be left without any session data at all).

scrupul0us: Here's some feedback I have:

'<?' and '<?=' should never be used. Period. In fact, short_tags should probably be disabled as well.
Using the ! operator in an if() statement commonly shows laziness. What if their session name was 0? Make sure you're checking for the condition that you want. The manual for [man]session_id/man tells you specifically what will be returned if no session ID was found - check for that value.
```
if (!$_SESSION['sess_var'])
```
Again, a continuation of the above point. The above code is generating an error since it was sloppily written. If you're checking if a variable exists, then do so properly by using [man]isset/man.
After you send a header(), it's a good practice to exit/die. That way, no further code will be processed (meaning PHP doesn't waste CPU time and bandwidth).
It doesn't have much impact in the small abstract example you posted, but note that calling [man]session_destroy/man does not touch the $_SESSION array. In other words, later in your script you can still access the values in the $SESSION array just as if a session still existed, though modifying the $SESSION array won't do you any good (nor will checking for a certain value to verify that they have a session). This is why I common set the $_SESSION variable equal to an empty array when "destroying" sessions (it would be tedious to unset() each variable in the session). Also note the information about the session cookie itself on the manual page for [man]session_destroy/man.

scrupul0us

1) agreed... i hadnt touched this in a while as noted and had to use full tags for it to even process on my server... so marked that as fixed

2) the manual says itll return: the empty string ("")

does that mean i should check if session_id() == "'''"?

when i try todo:

if(empty(session_id()))

it barks back:
Can't use function return value in write context

same error if i try to use

if(!isset(session_id()))

4) noted and change made

5) i like your idea of manually destroying the session variable array

scrupul0us

for easier workings here ive boiled things down a little further:

index.php

<?php

if(session_id() == "")  { session_start(); }

echo "Session Created: ".session_id();
echo "<br/><br/><a href=\"cart.php\">Next</a>";

?>

cart.php

<?php

if(session_id() == "") 
{ 
header("Location: index.php");
exit;
}
else
{
echo "Cart Created: ".session_id();
}
?>

scrupul0us

note that: if(session_id() == "") doesnt throw the errors now, but whenever i hit "Next" it brings me right back to the index page and it generates a new session_id() value... grr

also, could this get moved back to the coding sub-forum since im obviously having coding issues

scrupul0us

ok... i went back to basics and compared my production server php.ini to the one on my jump drive and found that the session domain paths were the same... well the dev server isnt the same so of course the sessions wouldnt handle correctly!

here is my updated code:

index.php

<?php

if(session_id() == "")
{
session_start();
$_SESSION["cart"]=array("0"=>"Test");
}

echo "Session Created: ".htmlentities(session_id());
echo "<br/><br/><a href=\"cart.php\">Next</a>";

?>

cart.php

<?php

if(session_id() == ""){session_start();}

if (!isset($_SESSION['cart'])){header("Location: index.php"); exit;}

echo "Cart Created: ".htmlentities(session_id());
echo "<br/><br/>";
echo "Cart Contents: ".$_SESSION['cart'][0];
echo "<br/><br/>";
echo "<a href=\"index.php\">Back</a> | ";
echo "<a href=\"logout.php\">Logout</a>";

?>

logout.php

<?php
if(session_id() == ""){session_start();}

if (!isset($_SESSION['cart'])){header("Location: index.php"); exit;}

$_SESSION['cart'] = "";
unset($_SESSION['cart']);
echo "Session is Unset: <br/>";

session_destroy();
echo "Session is Destroyed: <br/>";

echo "<a href=\"index.php\">Start Over</a>";

?>

now my only question is... when i get back to "start over" after the session is destroyed... im still presented with the SAME session ID... am i not desotrying the session correctly?

halojoy

Hello

now my only question is...
when i get back to "start over" after the session is destroyed...
im still presented with the SAME session ID...
am i not destroying the session correctly?

To completely remove a SESSION,
is among the most difficult operations in PHP, that you can do.
It would take years and years before you can learn this 'art of magic'.
- I can not do this. Not 100%

Just have a look at posted comments at this page: [man]session_destroy[/man]

You will see there are almost as many ways to erase a session
as there are php programmers!

😃
😃

scrupul0us

good call

this bit:

if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}

seems to be the "magic" 🙂