PHP login - should I delete the previous session and regenerate the session id?

Hi

On PHP login pages, is it good practice to delete the previous session in case the user didn't log out properly, or is this overkill?

I also read this in the manual comments about the session id:

Also, it's always good to ensure every valid session is checked against an IP. One good method is to store the session id and remote IP information in a table, or better, store the IP as a session variable itself once the user logs in, and ensure that this is continued for the remaining pages for security. This of course won't work when users use the same office or shared network, as the IP to the outside world is the same.

I've seen people check the session id as an authentication method (if(!isset($_SESSION['id']))), but I'd rather not check the session_id as this doesn't seem secure because of hijacking/fixation. Is it OK to regenerate the session_id on every other page?

session_start();
session_regenerate_id();

As far as I am aware I don't need to use the session id for anything, or is there something I have overlooked and do need it? In essence I'm checking I'm not losing my session id when I might need it later.

many thanks
andieje Asked:
Dave Baldwin (Fixer of Problems) Commented:
No, it really doesn't work that way.  You probably should read http://php.net/manual/en/book.session.php to see how PHP sessions work.  The two most important functions are session_start and session_destroy.

The session id is in the session cookie that is set.  session_start() checks to see if there is a cookie with a current session with that id.  If there is not, it creates a new unique session id and sets a session cookie with that id.  It is important that session_start() be at the top of each and every PHP page that is going to be used in the session.  That id is used to find any $_SESSION variables that you might have set.

Also note that session ids are set in 'session cookies'.  'Session cookies' expire when the browser is completely closed, so the next time your client opens their browser and goes to your page, they get a new session id.  Also, sessions do have an inactivity timeout of 24 minutes / 1440 seconds.  After that they are subject to being expired the next time that PHP does 'garbage collection' on the server.
0

andieje (Author) Commented:
I have read the manual but some of the code I am seeing isn't doing what I expect.

If you create a session cookie (session_set_cookie_params), call session_start, set some session variables (and then load the page), how does PHP respond if you delete the cookie and refresh the page? It seems to start a new session and you can't access your previous session variables.

I would expect this.

However, if I then add the cookie back manually that I deleted, I can get to the previous session variables. So even though PHP started a new session because there was no session cookie, it didn't destroy or clear out the previous session array. Hence why I thought you should clear out and delete the previous session. I know you would need the previous id to access them, but they're still hogging up memory and it still feels vulnerable that they are hanging around like that.
0
Ray Paseur Commented:
This article gives an explanation of the design pattern.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

To have a complete understanding of the process you may want to brush up on the details of HTTP Client/Server behaviors.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

And if you have any questions about PHP sessions, you'll be glad to know they are simpler than many may think.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
0
Dave Baldwin (Fixer of Problems) Commented:
You're seeing exactly what you should be expecting.  In between changing cookies, there was Nothing done to destroy the session... so why wouldn't it be there?  The session time-out is for 24 minutes of No activity meaning none of the pages with session_start were accessed for 24 minutes... plus, the 'garbage collection' is not done with every access.  In order to keep the load down on the server, it is done on a 'probability' basis and maybe once in every 100 or 1000 page requests.  

The session time-out is Not to create a 'logout' but to clean up the server when there is no activity.  If you want to set a real limit on the time-out, you have to do that in your own code.

For 'logouts', read the page on session_destroy.  There are multiple steps to get that to work right.  On my pages, I start a new session AFTER destroying the old one and its data to make sure the person is 'logged out' and no longer able to get the data from the previous session.  This is very useful in a shopping cart to make sure the previous order data is no longer in the cart.
0
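The login, page-guard and logout steps discussed in this thread, written out as an added example (this is not code from the thread or from the linked articles). It assumes credentials have already been verified before login_session() is called, and the 900-second idle limit and function names are invented for illustration:

```php
<?php
// auth_session.php (hypothetical helper file). Include it after session_start() on every page.

const MAX_IDLE_SECONDS = 900;   // our own inactivity limit; PHP's GC limit (1440s) is only a cleanup hint

function login_session(string $username): void
{
    // Replace whatever id the browser brought with a fresh one and delete the old
    // server-side data (true = remove old session file), so a pre-set id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['last_activity'] = time();
}

function require_login(): bool
{
    // Authenticate on our own $_SESSION data, never on the mere existence of a session id.
    if (!isset($_SESSION['user'], $_SESSION['last_activity'])) {
        return false;
    }
    if (time() - $_SESSION['last_activity'] > MAX_IDLE_SECONDS) {
        logout_session();           // enforce the timeout ourselves instead of waiting for GC
        return false;
    }
    $_SESSION['last_activity'] = time();
    return true;
}

function logout_session(): void
{
    // The steps from the session_destroy() manual page, in order:
    $_SESSION = [];                                   // 1. clear the in-memory data
    if (ini_get('session.use_cookies')) {             // 2. expire the session cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                                // 3. delete the server-side session data
    session_start();                                  // 4. start a fresh, empty session
    session_regenerate_id(true);                      //    with an id unrelated to the old one
}

// Typical page guard (assumed path /login.php):
//   session_start();
//   if (!require_login()) { header('Location: /login.php'); exit; }
```

Because step 3 removes the old data and step 4 issues a new id, the "orphan" data the question worries about does not survive a logout, and the idle check closes the gap for users who never click logout.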
Ray Paseur Commented:
Also, it's always good to ensure every valid session is checked against an IP. One good method is to store the session id and remote IP information in a table, or better, store the IP as a session variable itself once the user logs in, and ensure that this is continued for the remaining pages for security. This of course won't work when users use the same office or shared network, as the IP to the outside world is the same.
Right about the "won't work" part, at least.  I would avoid a check like that since its false positives will make your web site fail and you'll find yourself explaining technical details to angry users who really don't want to hear about the details -- they just want the site to work.   Once you truly understand PHP sessions, you'll be able to rest easy.
0
andieje (Author) Commented:
If you think I should ignore the IP check I will, but you can still get orphan sessions with PHP data and no key wasting memory if users don't log out. Or perhaps they will be logged in as someone else with higher privileges.

I've read the docs and believe I understand how they work.  I also read your link:

2. PHP looks to see if a session cookie is associated with the request. If a cookie is found, PHP attempts to load the preexisting session data into the $_SESSION array.  The data may be present or it may have been deleted by the GC.  To the extent that the session data is found, it is loaded into the superglobal $_SESSION array.  If no cookie is found, obviously no session data can be found, and no action will occur at this point.

OK, but the last example did just show that orphan cookie data just sits there using up valuable resources.
Thanks
0
Dave Baldwin (Fixer of Problems) Commented:
I must have a dozen sites at the moment that use sessions and session cookies.  'orphan' sessions and cookies have never been a problem because they always get cleaned up.  A PHP session cookie takes up less than 1KB and that's not a problem on any recent hard drive, even a 'small' 80GB drive.
If no cookie is found, obviously no session data can be found, and no action will occur at this point.
That's not true.  A new session will be started.  That is the purpose of putting 'session_start()' at the top of all the pages.
if users don't log out
PHP garbage collection is not based on 'logging out'.  Either a 'session_destroy()' statement or an inactivity timeout will remove the old session data.

You're talking like this is a big problem when it is not.  Ray and I do this stuff for many sites everyday.  There are details that do need to be taken care of but it's not that difficult.  Everything you need to know is in the Sessions pages on 'php.net'.  Look there first.  http://php.net/manual/en/book.session.php
0
Ray Paseur Commented:
Exactly what Dave Baldwin said!  It's easy to overthink this stuff.  The authors of PHP have done a lot of the design and thinking for us.
0
andieje (Author) Commented:
Hi

Isn't this a contradiction?

ID: 40451288;

That's not true.  A new session will be started.  That is the purpose of putting 'session_start()' at the top of all the pages.

I quoted what you said wasn't true from the article.
0
Dave Baldwin (Fixer of Problems) Commented:
No, that's the way it is supposed to work.  'session_start()' will either resume a currently existing session or create a new one.  It will not do 'nothing'.
0
Ray Paseur Commented:
You might want to go back and read the linked articles carefully, for understanding.  There are a lot of moving parts to the things you're asking about (people get PhD's for designing these systems) and it takes a year or two of college to understand all the details.  Obviously we can't give you that depth of understanding in an answer to a question, but the articles try to hit all the important points.  If there is anything you did not understand in these articles please post back and I'll try to clarify the articles as well as explain the design patterns behind the complex interactions described in the articles and the technologies.

This answer has the links to the articles:
http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28562767.html#a40444899
0
andieje (Author) Commented:
I've got a PhD and it's not all that intuitive! But I'm a Java programmer so it's bound to confuse me.

I have double checked your article and it makes perfect sense, but it does say "no action will occur" when a session will start.

But I think that was a bit of unnecessary pedantry, don't you! (From me I mean.)
0
andieje (Author) Commented:
Excellent
0
Dave Baldwin (Fixer of Problems) Commented:
You're welcome, glad to help.
0