开发者

How is my session variable defined on a remote page? Just curious for background knowledge

Hey guys, one more quick question for any experts out there. I have a form that is submitted via jquery ajax, works perfectly (I tested), and uses a form token (I set a session variable and pass through form and check that the token is equal to the posted token to prevent csrf attacks, see below...). My question is that I defined my session variable on the form page and used php session_start() on the validation page, but I am not sure how $_SESSION['token'] is still defined if I am not actually posting to that page or physically accessing that page with my browser (I am sending an ajax call). How $_SESSI开发者_Go百科ON['token'] be defined on a remote page?

Ex. set variable

if (!isset($_SESSION['token']) and $session->logged_in)
{
$_SESSION['token'] = md5(uniqid(rand(), TRUE));
}
$token =$_SESSION['token'];

pass token through form in hidden input, then check

if ($_POST['token'] == $_SESSION['token']){


The session_id is passed from page to page via a cookie (in most cases, at least) -- by default, called PHPSESSID.

The session extension uses that cookie to determine which session is associated to the current user.

Basically, there is nothing you have to do : PHP deals with loading and saving data from and to $_SESSION automatically ;-)


For more informations, you can take a look at the Session Handling section of the PHP manual, and, more specifically :

  • Passing the Session ID
  • session.use_cookies and a couple of other related configuration directives
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜