PHP: session_id - Manual

Last updated: Wed, 21 Feb 2007


session_id

(PHP 4, PHP 5)

session_id — Get and/or set the current session id

Description

string session_id ( [string $id] )

session_id() is used to get or set the session id for the current session.

The constant SID can also be used to retrieve the current name and session id as a string suitable for adding to URLs. See also Session handling.

Parameters

id

If id is specified, it will replace the current session id. session_id() needs to be called before session_start() for that purpose. Depending on the session handler, not all characters are allowed within the session id. For example, the file session handler only allows characters in the range a-z, A-Z and 0-9!

Note: When using session cookies, specifying an id for session_id() will always send a new cookie when session_start() is called, regardless if the current session id is identical to the one being set.

Return Values

session_id() returns the session id for the current session or the empty string ("") if there is no current session (no current session id exists).

See Also

session_regenerate_id()
session_start()
session_set_save_handler()
session.save_handler
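
An added example (not part of the PHP manual) of the two rules under Parameters: the id must contain only characters the handler accepts, and session_id($id) must run before session_start(). The helper names, the 128-character length bound and the sample ids are assumptions made for this example, and $id is assumed to come from a trusted server-side source rather than from request input.

```php
<?php
// Added example, not from the PHP manual.
// Assumption: the "files" save handler, which per the text above accepts
// only a-z, A-Z and 0-9 in a session id. The length bound is illustrative.

/** Hypothetical helper: true if $id may be handed to session_id(). */
function is_valid_file_session_id($id)
{
    // /D keeps "$" from matching before a trailing newline.
    return is_string($id)
        && preg_match('/^[A-Za-z0-9]{1,128}$/D', $id) === 1;
}

/**
 * Hypothetical helper: resume the session named by $id, or refuse.
 * Returns true only if the requested id is the one now in use.
 */
function resume_session($id)
{
    if (!is_valid_file_session_id($id)) {
        return false;          // e.g. contains "/", ".", whitespace
    }
    if (session_id() !== '') {
        return false;          // a session is already active: too late to set the id
    }
    session_id($id);           // must precede session_start()
    session_start();
    return session_id() === $id;
}

// Constructed sample ids, checked against the validator only.
$samples = array(
    '3f2a9c0b7d1e4f56a8b9c0d1e2f3a4b5',
    '../../tmp/sess_x',
    "abc\n",
    '',
);
foreach ($samples as $candidate) {
    echo json_encode($candidate), ' => ',
         is_valid_file_session_id($candidate) ? 'accepted' : 'rejected', "\n";
}
```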



User Contributed Notes
masternico at yahoo dot fr
15-Jan-2007 12:03
In addition to what "jpjounier at hotmail dot com" said, it's EXTREMELY important to test whether "session_id()" gives a result or not.

If you do not, you risk having a new session start over, with the loss of your session variables.

php.ini can be different on each webserver you'll host your script on.

If you only rely on the behavior of your script on one server, you might have trouble on others.

One VERY important session option in php.ini is 'session.auto_start'. If set to 'true', a session will then start automatically for each page that the user opens, without the need to use session_start().

The point is that if you have a script like this one:
/*****************
verif_logging.php:
*****************/
<?php
include('includes/class_user');

$login = $_POST['login'];
$pass = $_POST['pass'];

if ($user->connection($login, $pass)) { // user logging validation
   session_start();    // start the session
   $_SESSION['user_logged'] = true; // user logged in
   header('Location: control_panel.php');  // go to control panel
}
else {
   // go back to logging page
   header('Location: logging.php?' . $user->error_string);
}
?>

/****************
control_panel.php:
****************/
<?php
   session_start();
   echo $_SESSION['user_logged'];
?>

All will be OK as long as 'session.auto_start' is at 'false'. Otherwise, you'll have a brand new session created with an empty $_SESSION and a new SID.

This was a brain breaker for me until I realised that my webserver has 'session.auto_start' at 'true' and that I couldn't change it (some webhosts don't let users change php.ini options).

So I changed the code this way:
/***************
control_panel.php:
***************/
<?php
if (session_id() == "") session_start(); // if no active session we start a new one
echo $_SESSION['user_logged'];
?>

And then everything is OK regardless of whether 'session.auto_start' is set to 'false' or 'true'.

Furthermore, as 'risaac at deadletter dot com' (04-Apr-2006 08:46) said in a comment on 'session_write_close()', it might be a clever thing to check whether the newly activated session has $_SESSION empty or set with the values you passed, as expected. If empty, then you might have launched a brand new session and surely lost all former data unless you know what the SID was (passed by $_GET for example, not recommended but possible).
22-Aug-2006 05:15
In response to simon at quo dot com dot au:

The PHPSESSID is produced using a hash function. By default, it uses MD5, which produces 128-bit (i.e. 16-byte) hashes.
But, since some byte values may not be used in the HTTP header, PHP outputs the hash in its hexadecimal representation, thus resulting in a 32-byte text.

Starting with PHP 5.0, you can change the hash function used (by setting "session.hash_function" to whatever function you want to use in php.ini).
You may for example set it to 1 to switch to SHA-1, which produces 160-bit (20-byte) hashes.

Please also note that another setting was introduced in PHP 5 (session.hash_bits_per_character) which sort of "compresses" the hash, thus resulting in what seems to be a shorter hash.
This feature helps you improve your application's security by producing IDs that are harder to predict for a malicious attacker.

More information on those settings is provided on:
http://www.php.net/manual/en/ref.session.php
simon at quo dot com dot au
07-Mar-2006 03:15
Length of PHPSESSID appears to be 32 characters by default.
jwhatcher at hotmail dot com
08-Jul-2005 04:21
Killing the session_id when using cookies to store the session_id. Useful when needing to recreate a user with different session information during an open session.

   unset($_COOKIE[session_name()]);
   session_start();
jpjounier at hotmail dot com
23-Jun-2005 08:28
About the note from Cybertinus:

The following test doesn't work; the code that follows is always executed:

if(!session_id())
{
// Always executed even if there's already an opened session
}

session_id() returns an empty string if there is no current session, so to test if a session already exists, it's better to write this:
if(session_id() == "")
{
session_start();
}
else
{
// Anything you want
}
cbarnes at bfinity dot net
10-May-2005 10:44
Note that Firefox and Mozilla use the same process for launching new windows or tabs; they will pick up the same session id as the previous windows until the parent process dies or is closed. This may cause undesired results if the session id is stored in a db and checked. A solution is to check at the new entry point (new tab or window if the user went back to the index page) for an existing session. If a session id exists and a new one is required, use something like:

$ses_id = session_id();
$bsid_exists = false;
$bsid_exists = check_session_id_from_db($ses_id);
if ($bsid_exists) {
    // This is a reentry and the session already exists
    // create a new session ID and start a new
    session_regenerate_id();
    $ses_id = session_id();
}
jeff_zamrzla
11-Feb-2005 08:03
Try this code snippet, from a book by a security expert who says this is more secure to place on every page:

session_start();
$_SESSION['name'] = "YourSession";

if (!isset($_SESSION['initiated']))
{
   session_regenerate_id();
   $_SESSION['initiated'] = true;
}
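
An added example, not code from any of the notes above: it combines the session_id() == "" check from the session.auto_start note with session_regenerate_id() at the point of login, so the id the browser held before authentication is not the id of the logged-in session. The function names ensure_session(), login_user() and require_login() are hypothetical; 'user_logged' and logging.php are taken from the earlier note.

```php
<?php
// Added example; helper names are hypothetical.

/** Start a session only if none is active (session.auto_start on or off). */
function ensure_session()
{
    if (session_id() === '') {
        session_start();
    }
}

/**
 * Call only after the credentials have been verified.
 * Issues a fresh id at the privilege change and discards pre-login state.
 */
function login_user($username)
{
    ensure_session();
    session_regenerate_id(true);   // true: delete the old session data (PHP >= 5.1)
    $_SESSION = array();           // drop anything stored before authentication
    $_SESSION['user_logged'] = true;
    $_SESSION['username'] = $username;
}

/** Guard for protected pages such as control_panel.php. */
function require_login()
{
    ensure_session();
    if (empty($_SESSION['user_logged'])) {
        // Also covers the case where a brand new, empty session was started.
        header('Location: logging.php');
        exit;
    }
}

/** End the session on logout: clear data, then destroy the stored session. */
function logout_user()
{
    ensure_session();
    $_SESSION = array();
    session_destroy();
}
```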
karlhaines at comcast dot net
31-Oct-2003 10:05
Rewriting URLs is not suggested for obvious security issues. Please be careful with register_globals when using sessions! Check that all information you receive from a user is valid before accepting it!
Andi, info at pragmaMx dot org
17-Jan-2003 06:13
you can also add the iframe tag:
ini_set("url_rewriter.tags", "a=href,area=href,frame=src,iframe=src,input=src,form=fakeentry");

 