What are session_id, session_regenerate_id and session_name used for?
OK, I'm a newbie on sessions. Let's imagine that we have a little login site; here's the logic:
- login
- if the password is right, set $_SESSION['isaloginuser'] = 1
- check the session to see the menus with if ($_SESSION['isaloginuser'] == 1)
- show the menus
- the user wants to log off
- unset the session
- destroy the session
What it uses:
- session_register
- session_destroy
- session_unset
- session_start
Where do session_id, session_regenerate_id or session_name go in?
On the PHP site it says:
session_id() is used to get or set the session id for the current session.
I still just don't get it. Why do we need them anyway? In a real environment, what do they do?
No, you don't need to use them. In general all you need is session_start() to start the session handling, session_destroy() to destroy the stored session data (this does not modify $_SESSION), and session_unset() to reset the $_SESSION variable (but you can also do $_SESSION = array()).
session_id() and session_name() are to get and set the current session ID and session ID name (default is PHPSESSID). session_regenerate_id() can be used to regenerate/change the session ID of the current session. This might be useful if, for example, you want to refresh the session ID every 10 minutes or after changing the state of authenticity of a user associated with a session.
session_regenerate_id() is used in order to prevent session fixation.
Session fixation means the following: You visit a website and examine your session ID. Then you manipulate another user into visiting the site using your session ID, and signing in. Now you're signed in as that user and have his privileges, because you're both using the same session.
To prevent this, give the user a new session ID using session_regenerate_id() when he successfully signs in. Now only he has the session ID, and your old session ID is no longer valid.
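The flow the question describes (log in, set a flag, show the menus, log off, unset and destroy) with the session_regenerate_id() call placed where this answer recommends, as an added example that is not part of the original thread and is not any poster's code. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and setcookie()); check_password() and its single hard-coded user are placeholders invented for this example, and the cookie flag values are this example's choices, not anything the thread states.

```php
<?php
// Added example, not from the original thread: a minimal login/logout flow
// showing where session_start(), session_regenerate_id() and session_destroy()
// belong. check_password() and the single user it knows are placeholders.

declare(strict_types=1);

// Harden the session cookie before the session starts. These are real PHP
// options (PHP 7.3+ array form); the values chosen are this example's assumptions.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Placeholder credential check. A real application verifies against a stored
// password_hash() value; the hard-coded user "alice" exists only so this runs.
function check_password(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!check_password($user, $password)) {
        return false;
    }
    // Privilege level changes here (anonymous -> authenticated), so issue a
    // fresh session ID and delete the old session file (the `true` argument).
    // Any ID an attacker planted in the victim's browser before login is now
    // worthless: it no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['isaloginuser'] = 1;   // the flag used in the question
    $_SESSION['user'] = $user;
    return true;
}

function is_logged_in(): bool
{
    return isset($_SESSION['isaloginuser']) && $_SESSION['isaloginuser'] === 1;
}

function logout(): void
{
    // 1. Clear the in-memory copy.
    $_SESSION = [];
    // 2. Expire the client's cookie so the browser stops sending the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    // 3. Remove the server-side session data.
    session_destroy();
}

// Minimal dispatch for a single-file demo: ?action=login (POST user/password)
// or ?action=logout; anything else shows the menu or asks for a login.
$action = $_GET['action'] ?? '';
if ($action === 'login') {
    $ok = login($_POST['user'] ?? '', $_POST['password'] ?? '');
    echo $ok ? 'logged in, new session id: ' . session_id() : 'bad credentials';
} elseif ($action === 'logout') {
    logout();
    echo 'logged out';
} elseif (is_logged_in()) {
    echo 'menu for ' . htmlspecialchars($_SESSION['user']);
} else {
    echo 'please log in';
}
```

Run it with `php -S localhost:8080 login.php` and POST `user=alice&password=correct horse` to `/?action=login`; the response shows a session ID different from the one the browser sent, which is the fixation defence in action. Calling session_regenerate_id() without `true` leaves the old session file on disk, so the fixated ID would still resolve to a (now empty) session until garbage collection; passing `true` is the safer form for a login.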
session_register() is deprecated in 5.3, I would suggest against using it. Instead just use
$_SESSION['varname'] = "value";
session_id is just used if you want to get the session id for storing in a database; this is not "necessary" to use. session_name just sets a name; this is not necessary. The regenerate is if you want to do a new id; this is also not necessary unless your application needs it. For a login session, I highly doubt you will use it.
The others, I hope you understand what they do (i.e. the unset / destroy). But I hope that gives some insight.
Session IDs are the identifier for the session. The way a server stores data about a client is in a cookie. This cookie is sent with each HTTP request to the server by that client. PHP sets a cookie to be a random string token. This token identifies the client and relates it to a set of key-value pairs. The idea of a session variable is that cookies can be easily tampered with. Session IDs, however, being random strings, are hard to duplicate and thus add security.
I usually use session_id() when creating shopping baskets so I can track what that user has added. Then, once I have got a response back from the payment gateway that the payment was successful, I call session_regenerate() so that when they are back on my website their previous baskets are not visible, and to me it is like a new user has "entered" the shop.