You should have a basic knowledge and understanding of sessions and session handling in PHP for this tutorial.

Here we go. I suppose you know the two methods by which PHP can transport the session id from one page to another:
Cookies:
the session id (sid) is stored in a cookie on the user's computer and deleted automatically when the user closes the browser (-> leaves the site)

If PHP4 is compiled with the --enable-trans-sid option, you can set session.use_trans_sid to 1 in the php.ini to force PHP to automatically add the PHPSESSID parameter to every URL.

These methods are definitely not the best because they either require the user to have cookies activated (which probably 20% of them have not) or PHP needs to grep each file for <a links to add the &PHPSESSID=4efw... parameter to each URL.

I'll show you 3 quick and clever methods to circumvent most of the negative aspects of PHP's built-in session id handling:

1. Dynamic Paths

Have you ever been on amazon.com (I bet you have) and checked your URL? It looks similar to the following:

I guess you already noticed that the session id is put after the filename at amazon.com; this concept works because when the webserver finds a file (in our case home.html) it doesn't look at the further characters in the URL any more. But the session id is there.

To access the session id you have to parse the path manually. Take a look at this little code snippet:
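function session_start_from_path()
{
    // Treat the last 32 characters of the request URI as the session id.
    $session_id = '';
    if (preg_match('/(.{32})$/', $_SERVER['REQUEST_URI'], $regs)) {
        $session_id = $regs[1];
    }

    if (empty($session_id)) {
        // No id in the URL: generate one and redirect to the same URL with the id appended.
        srand((float)microtime() * 1000000);
        $session_id = md5(uniqid(rand()));
        $destination = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . "/$session_id";
        header("Location: $destination");
        exit; // stop here so the rest of the page is not run for the redirected request
    }

    session_id($session_id);
    session_start();
}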
Use this function instead of your session_start() call. It checks whether the URL contains a trailing session id; if not, it generates one and redirects to the same page with the session id appended to the URL.
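A hardened variant of session_start_from_path(), as an added example that is not part of the original tutorial: the function above adopts whatever 32 characters end the URL as the session id, while this one only keeps ids this server has issued, takes them from the CSPRNG and builds the redirect from a fixed origin instead of the Host header. It assumes PHP 7.0+; SITE_BASE, the 'issued' marker and the function name are hypothetical.

```php
<?php
// Added example (not from the original tutorial). Assumes PHP 7.0+.
// SITE_BASE, the 'issued' marker and the function name are hypothetical.
const SITE_BASE = 'https://www.example.com';   // fixed origin; never echo the Host header

function session_start_from_path_checked(): void
{
    // The id travels only in the path. The 'issued' marker below does the job
    // of strict mode for ids this function mints itself.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '0');

    // Path only; the query string is dropped to keep the example short.
    $path = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);

    // Accept only a trailing "/<32 lowercase hex characters>" segment.
    if (preg_match('#^(.*)/([0-9a-f]{32})$#', $path, $m)) {
        session_id($m[2]);
        session_start();
        if (!empty($_SESSION['issued'])) {
            return;                      // id was minted by this server: keep it
        }
        session_destroy();               // unknown id: do not adopt it
        $path = $m[1];                   // continue without the supplied id
    }

    // Mint a fresh id from the CSPRNG and mark the session as server-issued.
    $sid = bin2hex(random_bytes(16));
    session_id($sid);
    session_start();
    $_SESSION['issued'] = true;
    session_write_close();               // persist the marker before redirecting

    header('Location: ' . SITE_BASE . rtrim($path, '/') . '/' . $sid, true, 302);
    exit;
}
```

An id issued this way can still be passed to someone else inside a link, so regenerate it at login with session_regenerate_id(true) and redirect to the URL carrying the new id.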
2. Dynamic Paths with mod_rewrite
Another approach is to generate dynamic paths with Apache's mod_rewrite module, resulting in URLs like this:

http://www.ca-osi.com/8fe9w8f98eaw98fa9f983/submit.php

For this method you need to tweak your Apache configuration a bit. Insert the following lines into your Apache configuration file for the main host:
RewriteEngine On
RewriteBase /
RewriteRule ^[0-9a-z]{32}/(.+) /$1
This will cut the 32-character session id from the URL and send the query to the webserver, leaving the user's URL untouched.

Please refer to the Apache/mod_rewrite documentation if you don't know how to activate mod_rewrite.

So we get another function, slightly different from the one before, to extract our session id from the URL:
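function session_start_from_rewrite()
{
    // Look for a 32-character path segment that carries the session id.
    $session_id = '';
    if (preg_match('#/([0-9a-z]{32})#', $_SERVER['REQUEST_URI'], $regs)) {
        $session_id = $regs[1];
    }

    if (empty($session_id)) {
        // No id in the URL: generate one and redirect with the id as the first path segment.
        srand((float)microtime() * 1000000);
        $session_id = md5(uniqid(rand()));
        $destination = "http://" . $_SERVER['HTTP_HOST'] . "/$session_id" . $_SERVER['REQUEST_URI'];
        header("Location: $destination");
        exit; // stop here so the rest of the page is not run for the redirected request
    }

    session_id($session_id);
    session_start();
}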
Simply use this function instead of your session_start() call. This function does the same as the one mentioned above, except for the mod_rewrite URL style.
3. Dynamic Hosts
The last method I'd like to show you is using dynamic hosts for transporting your session id. This works only on webservers where DNS wildcards are set, e.g. bleh.company.com, m00.company.com ... all point to company.com or www.company.com. This would look like this in your nameserver configuration:
*.company.com IN A 194.29.41.112
Already got the point? Yeah, we can now have URLs in the form:

http://fa98fe99efu39f9ue9wf.company.com/test.php

We can now modify our function to start a session from a dynamic host sid URL:
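function session_start_from_host($host)
{
    // Look for a 32-character host label that carries the session id.
    $session_id = '';
    if (preg_match('/([^.]{32})\./', $_SERVER['HTTP_HOST'], $regs)) {
        $session_id = $regs[1];
    }

    if (empty($session_id)) {
        // No id in the host name: generate one and redirect to <id>.<host>.
        srand((float)microtime() * 1000000);
        $session_id = md5(uniqid(rand()));
        $destination = "http://$session_id.$host" . $_SERVER['PHP_SELF'];
        header("Location: $destination");
        exit; // stop here so the rest of the page is not run for the redirected request
    }

    session_id($session_id);
    session_start();
}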
Just use this function as described before.

These simple tricks can help you transport your session ids without changing every link in your scripts.

Thanks for reading my small tutorial,
elybis [elybis@chowned.us]
This article was originally written by elybis