Working with Sessions
----------------------------------
A session is the server-side record that tracks a user; every event in it is stamped with a timestamp.
Whenever a session is started, an event timestamp is generated.
By default in PHP the session data exists for 1440 seconds (24 minutes) of inactivity.
Can it be modified? Yes. How?
php.ini
session.gc_maxlifetime = 1440    ; change this value to change the session lifetime
Q. Difference between session_unset(), session_destroy() and unset($_SESSION)
session_unset()   -> works on the current PHPSESSID
session_destroy() -> works on the current PHPSESSID
unset($_SESSION)  -> removes the $_SESSION superglobal itself
Example: two users, each with their own token and timestamp
Teacher => timestamp t1, token PHPSESSID (teacher), variable TEACHER_ID
Student => timestamp t2, token PHPSESSID (student), variable STUDENT_ID
session_destroy():
PHPSESSID t1
or TEACHER_ID t2
or STUDENT_ID t3
When you use session_destroy(), the whole session for the current token, with its timestamp, is destroyed on the server (the $_SESSION variables and the browser cookie still have to be cleared separately).
session_unset():
TEACHER_ID t1   -> the variable is destroyed, the timestamp stays the same
STUDENT_ID t2
PHPSESSID t3
It kills the variables in the current token, not the token or its timestamp; the session itself remains valid.
unset($_SESSION) only drops the superglobal for this request; use session_unset() or $_SESSION = [] instead.
session_unset() and session_destroy() look the same from outside only because both act on the same current session token: one empties it, the other removes it.
Important topics of sessions
-------------------
1. session_token: the name of the token that is shared between browser and server
It is the name of the cookie
c - client
c - cookie
s - server
s - session
The session token is the same as the cookie name that is stored in the browser
On the server:
session name (session.name, read with session_name()) = PHPSESSID
In the browser or client:
cookie_name = PHPSESSID
2. session_timestamp
By default the session times out after 1440 seconds
But since the timestamp is not sent to the browser,
the cookie never expires on its own; the browser keeps sending the same token name
How to expire the cookie:
The timestamp is an independent unit and time cannot be < 0,
hence the timestamp itself cannot be destroyed.
Then how to clear the cookie or expire the cookie?
How to set a cookie (expiry must be in the future, otherwise the browser drops it immediately):
setcookie('user', 'name', time() + 3600);        // valid for one hour from now
This logic is useful in the case of "Remember me".
How to replace an existing cookie: send the same name with a new value and a future expiry
setcookie('user', 'new_value', time() + 3600);
How to expire a cookie: empty value and an expiry in the past
setcookie('user', '', time() - 300);
3. session_save_type (php.ini directive: session.save_handler)
Where the server will store the session data
1. In the file system   // 90% security (user tracking 0%)
C:/Xampp/tmp/
2. Database             // 10% security (user tracking 100%)
Combination of file system + database = 100%
tbl_session
----------------------------------------
ID | token_name | created_on | expired_on | ip_address
----------------------------------------
4. session_savepath (php.ini directive: session.save_path)
By default sessions are stored in C:/Xampp/tmp
One file is created per session, with the name
sess_<session_id>
# How to trace this file or change the path of this file
To set a new path (call before session_start())
-------------------
ini_set('session.save_path', 'C:\xampp\mysession');
~~~~~~~~~~~~~~~~~~~~
To get the current path
-------------------
ini_get('session.save_path');
5. session_id
It is a random, hash-style alphanumeric id given to a user every time a new session (timestamp, created_on) is created
How to get the session_id:
session_id()
But if someone else can obtain your session id, they can perform session hijacking or session fixation
How to prevent it:
After every new login (and periodically during the session) regenerate the session id
session_regenerate_id(true);   // true also deletes the old sess_<id> file
# What is session hijacking
--------------------------------
Trying to impersonate the original user without knowing their credentials, fooling the server by presenting that user's session_id so that the impostor remains uncaught.
How sessions work
-------------------
Once a user enters his/her username and password and they are authenticated against the server and the database, the server maintains the user's state to track his/her activity.
This tracking is done for a specific span of time (the timestamp); the user may use the logout option, and then the timestamp + token given to the user expire.
Now the question is: how does the server identify this user uniquely?
Step 1: Authenticate the user
Step 2: Allot a unique encrypted session id together with a timestamp to the user
Step 3: A copy of the token is saved in a cookie
Step 4: Whenever a request for the same URL is made, before giving access the server matches this token
If the token in the cookie == the session token stored on the server, the user is valid; else the server kicks him/her out.
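The four steps above, together with the timestamp, regenerate-id and cookie-expiry points from the earlier sections, written out as an added example (not code from these notes). It assumes a hypothetical verify_credentials() that checks the username and password against the database.

```php
<?php
// Added example, not from these notes: login / access-check / logout that applies the
// points above. verify_credentials() is a hypothetical placeholder for the DB check.

const IDLE_LIMIT     = 1440;      // seconds of inactivity, mirrors session.gc_maxlifetime
const ABSOLUTE_LIMIT = 8 * 3600;  // hard cap on a session's life, whatever the activity

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: unreadable by JavaScript, HTTPS only, not sent on cross-site requests
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued (anti-fixation)
    session_start();
}

function login(string $user, string $pass): bool {
    start_secure_session();
    if (!verify_credentials($user, $pass)) {  // hypothetical database check (Step 1)
        return false;
    }
    session_regenerate_id(true);              // fresh id after auth, old sess_<id> file deleted (Step 2/3)
    $_SESSION['user']       = $user;
    $_SESSION['created_on'] = time();         // the session timestamp
    $_SESSION['last_seen']  = time();
    return true;
}

function require_login(): void {
    start_secure_session();                   // PHP matches the cookie token to sess_<id> here (Step 4)
    $now = time();
    $valid = isset($_SESSION['user'], $_SESSION['created_on'], $_SESSION['last_seen'])
        && $now - $_SESSION['last_seen']  <= IDLE_LIMIT
        && $now - $_SESSION['created_on'] <= ABSOLUTE_LIMIT;
    if (!$valid) {
        logout();
        http_response_code(401);
        exit('login required');               // server kicks the user out
    }
    $_SESSION['last_seen'] = $now;            // refresh the idle timestamp on each valid request
}

function logout(): void {
    $_SESSION = [];                           // 1. kill the variables (same effect as session_unset())
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 300, $p['path'], $p['domain'], $p['secure'], $p['httponly']); // 2. expire the PHPSESSID cookie
    session_destroy();                        // 3. delete the server-side session file
}
```

A logout that only calls session_destroy() leaves the PHPSESSID cookie in the browser, which is why the three steps are done together here.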