Session setup

from the Artful MySQL Tips List

PHP names a session PHPSESSID unless a different session name is passed via session_name(). You might think this is OK for scripts running in non-tabbed browsers, but tabbed browser pages running simultaneously can see one another's session data if they share a session name. That's probably not what you have in mind. Here is a simple solution for the problem:

1. On the far side of a secure login--that is, after the user is authenticated--have the first session-enabled script of your PHP application require_once( 'session_start.php' ), which assigns a unique microtime-based name to a session before starting it:

// session_start.php
ini_set"session.gc_maxlifetime"1800 );
$session_name 'sess' str_replace"."""microtime(true));
session_name$session_name );

2. In every other session-enabled page of your app, require_once('session_continue.php'):

// session_continue.php
if( isset( $_GET['_sess'] )) $session_name $_GET['_sess'];
else if( isset( 
$_POST['_sess'] )) $session_name $_POST['_sess'];
else die( 
"Session configuration error<br>\n" );
session_name$session_name );

3. Keep both these scripts outside the web document directory tree, for example in PHP_INSTALL_DIR/includes.

4. When calling a page that needs session data, pass the session name in the form, eg:

printf("<INPUT type='hidden' name='_sess' value='%s'>\n", $session_name);
or if there is no form, specify the session name in the URL, eg:

header( "Location: pagetocall.php?_sess=" . session_name() );
As you see in the code, session_continue.php will pick up the session name.

Last updated 22 May 2009

Return to the Artful MySQL Tips page