Re: $_SESSION, autostart

From: Adriaan (red_at_de.solidareit)
Date: 07/06/04


Date: Tue, 6 Jul 2004 19:12:30 +0200


"Jeff Sandler" wrote
> I read some on php.net and found that session_autostart has to
> be set to true in order for me to use $_SESSION variables at all.
> Am I reading that right?

No, read on. If you still know where you've read that then please annotate
that very page with whatever you're learning here...

> Obviously, I have no control over this setting on someone
> else's server so I cannot change it.

This is your lucky day ;-) Note that http://php.net/session states
PHP_INI_ALL for this option, so you can also override in the PHP script
itself (well, that could hardly be called "auto start" then; use
session_start() instead) or when using Apache you can enable it in a
.htaccess file in your script's directory, or even in your own root
directory. See http://php.net/ini-set and
http://php.net/configuration.changes

Note that the correct full name is

    session.auto_start

so for Apache you'd use

    php_flag session.auto_start on

Note that using session.auto_start is not always a good choice: you cannot
put any objects in your session... Again, read http://php.net/session or
read on to use session_start()...

> I tried putting session_start(); at the very beginning of
> the first script. No change.

When not using the auto start setting, you need the session_start() in every
script that is invoked by your visitor (as in: every page, even if it is not
using any session data, in order to keep the session alive when the visitor
is not accepting cookies), not just in the first one.

In general, you'll see if sessions are working if PHP is trying to set a
cookie. Type

    javascript:alert(document.cookie);

in the Location / URL / Address field of your browser to see if any cookie
is set. Furthermore, on the very first page that you started the session on,
you *might* find that all relative URLs have a PHPSESSID GET parameter
appended to them (depends on your settings).

Adriaan.
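
A diagnostic page for the checks described in the reply above, as an added example that is not part of the original post. It starts the session only when session.auto_start has not already done so, then reports whether the session ID arrived by cookie or by URL parameter. The `hits` key and the output layout are assumptions made for illustration; it needs PHP 7 or later.

```php
<?php
// Added example: diagnostic page, not code from the original thread.
// Load it twice in the same browser; 'hits' should go from 1 to 2.

function ini_flag(string $name): bool
{
    // Normalises "1", "On", "", "0", "Off" and a missing option to a boolean.
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

function ensure_session(): array
{
    // With session.auto_start on, PHP has already started the session;
    // otherwise every script the visitor requests must call session_start().
    if (session_status() !== PHP_SESSION_ACTIVE) {
        if (headers_sent($file, $line)) {
            // The session cookie is an HTTP header, so it cannot be set
            // once any output has been sent.
            throw new RuntimeException("Output already started at $file:$line");
        }
        session_start();
    }

    // Only increases if the same session is resumed on each request.
    // 'hits' is a hypothetical key name.
    $_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

    $name = session_name(); // PHPSESSID unless configured otherwise

    return [
        'session.auto_start'    => ini_flag('session.auto_start'),
        'session.use_cookies'   => ini_flag('session.use_cookies'),
        'session.use_trans_sid' => ini_flag('session.use_trans_sid'),
        'session_name'          => $name,
        'id_from_cookie'        => isset($_COOKIE[$name]),
        'id_from_url'           => isset($_GET[$name]), // ID is visible in links
        'hits'                  => $_SESSION['hits'],
    ];
}

header('Content-Type: text/plain');
foreach (ensure_session() as $key => $value) {
    echo $key, ': ', var_export($value, true), "\n";
}
```

On the first request both `id_from_cookie` and `id_from_url` are false because the browser has not yet sent an ID back; if `hits` stays at 1 on reload, the session is not being resumed.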


