Edit report at http://bugs.php.net/bug.php?id=16349&edit=1

 ID:                 16349
 Updated by:         [email protected]
 Reported by:        adam at adeptsoftware dot com
 Summary:            no way to tell if a session exists without starting it
-Status:             Open
+Status:             Bogus
 Type:               Feature/Change Request
-Package:            Feature/Change Request
+Package:            *General Issues
 Operating System:   WinXP
 PHP Version:        4.1.2
 Block user comment: N
 Private report:     N

 New Comment:

you can check whether the session cookie or url parameter exists

Previous Comments:
------------------------------------------------------------------------
[2010-05-04 08:43:03] edwardmillen at aol dot com

I've just found a potentially exploitable hole which is opened up by not
always starting the session (as described in my previous comment), if
your server has register_globals turned on.

So just in case, to close the hole and keep things properly secure, the
first line of code in my previous comment should be changed to this:

    if(isset($_COOKIE[session_name()])){session_start();}else{unset($_SESSION);}

------------------------------------------------------------------------
[2010-05-04 07:59:31] edwardmillen at aol dot com

I've just run into this issue myself (or one of the issues mentioned
here anyway, I wanted to only start a session if the user is already
logged in, or at the point of logging in with a correct
username/password, rather than starting a session for every
unauthenticated page request).

I've found one way round it which seems to work for me at least, which
is to check whether the session cookie is set, like so:

    if(isset($_COOKIE[session_name()])){session_start();}

(the session name, and therefore the name of the cookie, is normally
PHPSESSID by default, and the value of that cookie should be the session
ID if you need it)

I then used the following code in the login page after successful
verification of the username/password, before starting to set session
variables:

    if(session_id()==''){session_start();}

Obviously this method will only work with cookie-based sessions, I
haven't looked into how exactly PHP handles URL-based sessions, but I
expect it would just be a matter of checking $_GET as well as $_COOKIE.

Also, this obviously won't help if you need to check whether a given
session ID already exists on the server or not, which I think is a
slightly different issue.

------------------------------------------------------------------------
[2009-07-20 09:46:34] schung at iboxweb dot com

I agree, a session_exists() is needed. There is no other good way to
check whether a session exists. This is still a needed feature.

------------------------------------------------------------------------
[2006-08-30 07:50:48] stefan at stefankoopmanschap dot nl

I have a similar issue. I pass the session ID in XML communication
between a desktop application and my server. When a request comes in, I
want to ensure that a session with the passed session id exists before
I start it. It seems this is not possible at the moment. I am, by the
way, using PHP5, not PHP4.

An additional session_exists() feature would be great!

------------------------------------------------------------------------
[2005-10-28 23:30:32] jon at fuck dot org

it would be great to be able to get the correct session_id() before
starting a session. currently, said function returns null if the session
has not started yet, whether or not there is an existing one.

the overhead of creating the session is the problem, though, so if doing
so is still necessary in order to retrieve the id, then some other means
-- i.e., a session_exists() function -- would be sufficient for cutting
the overhead when managing ungodly amounts of sessions.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=16349
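
Added example (not part of the bug report and not PHP project code): the cookie check and the login-time session start described in the 2010-05-04 comments, written for PHP 7.1 or later. The function names and the 'user' session key are assumptions made for illustration; reading $_SESSION only after session_status() confirms an active session plays the role that unset($_SESSION) plays in the later comment.

```php
<?php
// Added example; function names and the 'user' key are hypothetical.

// Resume a session only when the client already presents a session cookie
// whose value looks like a session ID. Anonymous requests create no session.
function resume_session_if_present(): bool
{
    $id = $_COOKIE[session_name()] ?? null;

    // Reject array-valued cookies and anything outside the ID alphabet
    // PHP accepts (a-z, A-Z, 0-9, ',' and '-').
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        return false;
    }

    // With strict mode on, an ID that has no matching session data on the
    // server is discarded and replaced instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    return session_start();
}

// Call only after the username/password has been verified.
function start_authenticated_session(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a new ID at the privilege change and delete the old session data.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// Return the logged-in user, never reading $_SESSION unless a session
// was actually started in this request.
function current_user(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return null;
    }
    return $_SESSION['user'] ?? null;
}
```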
