Re: [PHP] Question about session_id() and session_start()

2013-05-21 Thread Tim Schofield
On 20/05/2013, Maciek Sokolewicz maciek.sokolew...@gmail.com wrote:
 On 20-5-2013 22:14, Tim Schofield wrote:
 Matijn

 There are well over half a million lines of source code in PHP. It seems
 a
 little unhelpful to tell someone to go and read half a million lines of C
 when you could just tell them the answer?

 Thanks
 Tim

 Course View Towers,
 Plot 21 Yusuf Lule Road,
 Kampala
 T +256 (0) 312 314 418
 M +256 (0) 752 963 325
 www.weberpafrica.com
 Twitter: @TimSchofield2
 Blog: http://weberpafrica.blogspot.co.uk
 On May 20, 2013 6:24 PM, Matijn Woudt tijn...@gmail.com wrote:

 On Mon, May 20, 2013 at 5:33 AM, 孟远涛 yuantao.m...@gmail.com wrote:

 I find the Note in PHP document.
 http://www.php.net/manual/en/function.session-id.php

 Note: When using session cookies, specifying an id for session_id()
 will
 always send a new cookie when session_start() is called, regardless if
 the
 current session id is identical to the one being set.

 I feel puzzled about this feature. Even if the current session id is
 identical to the one one being set, session_start will send a new
 cookie. I
 want to know why session_start behave in this way.

 Forgive my poor English. Thanks in advance.


 You will find the answer in the PHP source code.
 If you don't want this to happen, check if the current session id
 matches
 with the value you want to set it to, and don't set if they match.

 - Matijn



 Tim,

 first of all, please bottom-post on this list.

Tell that to the designers of the android gmail app :-)

 Secondly, a simple google search for php c session_start resulted in
 this:
 https://github.com/php/php-src/blob/master/ext/session/session.c#L1303

That wasn't the advice given. The advice given was to read the source
code. My point was that is not very helpful advice. With a few notable
exceptions the help given on this list has become less and less
friendly over the years I have been reading it. This can't be good for
the PHP community.


 - Tul



Tim

-- 
Course View Towers,
Plot 21 Yusuf Lule Road,
Kampala
T   +256 (0) 312 314 418
M +256 (0) 752 963 325
www.weberpafrica.com
@TimSchofield2
Blog: http://weberpafrica.blogspot.co.uk/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Question about session_id() and session_start()

2013-05-21 Thread 孟远涛
Thank you.
I read the source code and it helps a lot, now I know the behavior
of the code is consistent with the NOTE.
I think the reason is that if the 'new' session_id we want to set
already exists on the server, but does not exist on the client's
cookie, the server must send a set-cookie header to the client.






Re: [PHP] Question about session_id() and session_start()

2013-05-20 Thread Matijn Woudt
On Mon, May 20, 2013 at 5:33 AM, 孟远涛 yuantao.m...@gmail.com wrote:

 I find the Note in PHP document.
 http://www.php.net/manual/en/function.session-id.php

 Note: When using session cookies, specifying an id for session_id() will
 always send a new cookie when session_start() is called, regardless if the
 current session id is identical to the one being set.

 I feel puzzled about this feature. Even if the current session id is
 identical to the one one being set, session_start will send a new cookie. I
 want to know why session_start behave in this way.

 Forgive my poor English. Thanks in advance.


You will find the answer in the PHP source code.
If you don't want this to happen, check if the current session id matches
with the value you want to set it to, and don't set if they match.

- Matijn
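
Added example (not part of the original thread and not code from PHP's source): one way to apply the check described in the reply above, comparing the id the browser already presented in its session cookie with the id you want, and calling session_id() only when they differ. The helper name `start_session_with_id`, the id format check and the sample id are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example. start_session_with_id() is a hypothetical helper,
 * not a PHP built-in.
 *
 * Starts the session under $wantedId. session_id($id) is called only when
 * the browser did not already present that id in its session cookie, which
 * is the check suggested in the thread for avoiding the extra cookie.
 */
function start_session_with_id(string $wantedId): bool
{
    // Assumption: ids are limited to the characters the default "files"
    // save handler accepts (a-z, A-Z, 0-9, "," and "-"). Rejecting anything
    // else keeps caller-supplied junk out of the session layer.
    if (preg_match('/^[A-Za-z0-9,-]{1,128}$/', $wantedId) !== 1) {
        return false;
    }

    if (session_status() === PHP_SESSION_ACTIVE) {
        // Too late to choose an id for this request.
        return session_id() === $wantedId;
    }

    // Before session_start() runs, the id the client holds is only visible
    // in the request cookie named by session_name().
    $presented = $_COOKIE[session_name()] ?? null;

    if ($presented !== $wantedId) {
        // No cookie yet, or a different id: set it explicitly. This is the
        // case where the client really does need a Set-Cookie header.
        session_id($wantedId);
    }
    // Otherwise leave the id alone: session_start() reads it from the
    // request cookie, and session_id() was never given a value.

    return session_start();
}

// Constructed sample id, for illustration only.
$started = start_session_with_id('k3v9m2q8r1t7x4z6b0c5d9f2h8');
```

An id that arrives from outside the application (URL, form field, another system) should not be passed to this helper unchecked, since accepting a caller-chosen id is how session fixation happens.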


Re: [PHP] Question about session_id() and session_start()

2013-05-20 Thread Tim Schofield
Matijn

There are well over half a million lines of source code in PHP. It seems a
little unhelpful to tell someone to go and read half a million lines of C
when you could just tell them the answer?

Thanks
Tim

Course View Towers,
Plot 21 Yusuf Lule Road,
Kampala
T +256 (0) 312 314 418
M +256 (0) 752 963 325
www.weberpafrica.com
Twitter: @TimSchofield2
Blog: http://weberpafrica.blogspot.co.uk



Re: [PHP] Question about session_id() and session_start()

2013-05-20 Thread David OBrien
On Mon, May 20, 2013 at 4:14 PM, Tim Schofield t...@weberpafrica.com wrote:

 Matijn

 There are well over half a million lines of source code in PHP. It seems a
 little unhelpful to tell someone to go and read half a million lines of C
 when you could just tell them the answer?

 Thanks
 Tim

 Course View Towers,
 Plot 21 Yusuf Lule Road,
 Kampala
 T +256 (0) 312 314 418
 M +256 (0) 752 963 325
 www.weberpafrica.com
 Twitter: @TimSchofield2
 Blog: http://weberpafrica.blogspot.co.uk
 On May 20, 2013 6:24 PM, Matijn Woudt tijn...@gmail.com wrote:

  On Mon, May 20, 2013 at 5:33 AM, 孟远涛 yuantao.m...@gmail.com wrote:
 
   I find the Note in PHP document.
   http://www.php.net/manual/en/function.session-id.php
  
   Note: When using session cookies, specifying an id for session_id()
 will
   always send a new cookie when session_start() is called, regardless if
  the
   current session id is identical to the one being set.
  
   I feel puzzled about this feature. Even if the current session id is
   identical to the one one being set, session_start will send a new
  cookie. I
   want to know why session_start behave in this way.
  
   Forgive my poor English. Thanks in advance.
  
 
  You will find the answer in the PHP source code.
  If you don't want this to happen, check if the current session id matches
  with the value you want to set it to, and don't set if they match.
 
  - Matijn
 


I guess it would be to help prevent session hijacks like explained here

http://stackoverflow.com/questions/12233406/preventing-session-hijacking


Re: [PHP] Question about session_id() and session_start()

2013-05-20 Thread Maciek Sokolewicz

On 20-5-2013 22:14, Tim Schofield wrote:

Matijn

There are well over half a million lines of source code in PHP. It seems a
little unhelpful to tell someone to go and read half a million lines of C
when you could just tell them the answer?

Thanks
Tim

Course View Towers,
Plot 21 Yusuf Lule Road,
Kampala
T +256 (0) 312 314 418
M +256 (0) 752 963 325
www.weberpafrica.com
Twitter: @TimSchofield2
Blog: http://weberpafrica.blogspot.co.uk
On May 20, 2013 6:24 PM, Matijn Woudt tijn...@gmail.com wrote:


On Mon, May 20, 2013 at 5:33 AM, 孟远涛 yuantao.m...@gmail.com wrote:


I find the Note in PHP document.
http://www.php.net/manual/en/function.session-id.php

Note: When using session cookies, specifying an id for session_id() will
always send a new cookie when session_start() is called, regardless if

the

current session id is identical to the one being set.

I feel puzzled about this feature. Even if the current session id is
identical to the one one being set, session_start will send a new

cookie. I

want to know why session_start behave in this way.

Forgive my poor English. Thanks in advance.



You will find the answer in the PHP source code.
If you don't want this to happen, check if the current session id matches
with the value you want to set it to, and don't set if they match.

- Matijn





Tim,

first of all, please bottom-post on this list.
Secondly, a simple google search for php c session_start resulted in 
this: https://github.com/php/php-src/blob/master/ext/session/session.c#L1303


- Tul




Re: [PHP] Question about session_id() and session_start()

2013-05-20 Thread Matijn Woudt
On Mon, May 20, 2013 at 10:46 PM, David OBrien dgobr...@gmail.com wrote:

 On Mon, May 20, 2013 at 4:14 PM, Tim Schofield t...@weberpafrica.com
 wrote:

  Matijn
 
  There are well over half a million lines of source code in PHP. It seems
 a
  little unhelpful to tell someone to go and read half a million lines of C
  when you could just tell them the answer?
 
  Thanks
  Tim
 
  Course View Towers,
  Plot 21 Yusuf Lule Road,
  Kampala
  T +256 (0) 312 314 418
  M +256 (0) 752 963 325
  www.weberpafrica.com
  Twitter: @TimSchofield2
  Blog: http://weberpafrica.blogspot.co.uk
  On May 20, 2013 6:24 PM, Matijn Woudt tijn...@gmail.com wrote:
 
   On Mon, May 20, 2013 at 5:33 AM, 孟远涛 yuantao.m...@gmail.com wrote:
  
I find the Note in PHP document.
http://www.php.net/manual/en/function.session-id.php
   
Note: When using session cookies, specifying an id for session_id()
  will
always send a new cookie when session_start() is called, regardless
 if
   the
current session id is identical to the one being set.
   
I feel puzzled about this feature. Even if the current session id is
identical to the one one being set, session_start will send a new
   cookie. I
want to know why session_start behave in this way.
   
Forgive my poor English. Thanks in advance.
   
  
   You will find the answer in the PHP source code.
   If you don't want this to happen, check if the current session id
 matches
   with the value you want to set it to, and don't set if they match.
  
   - Matijn
  
 

 I guess it would be to help prevent session hijacks like explained here

 http://stackoverflow.com/questions/12233406/preventing-session-hijacking


How would it help prevent session hijacking if it was sending a new
cookie with the same session id?

- Matijn


Re: [PHP] Question about session_id() and session_start()

2013-05-20 Thread David OBrien
On May 20, 2013 8:45 PM, Matijn Woudt tijn...@gmail.com wrote:


 On Mon, May 20, 2013 at 10:46 PM, David OBrien dgobr...@gmail.com wrote:

 On Mon, May 20, 2013 at 4:14 PM, Tim Schofield t...@weberpafrica.com
wrote:

  Matijn
 
  There are well over half a million lines of source code in PHP. It
seems a
  little unhelpful to tell someone to go and read half a million lines
of C
  when you could just tell them the answer?
 
  Thanks
  Tim
 
  Course View Towers,
  Plot 21 Yusuf Lule Road,
  Kampala
  T +256 (0) 312 314 418
  M +256 (0) 752 963 325
  www.weberpafrica.com
  Twitter: @TimSchofield2
  Blog: http://weberpafrica.blogspot.co.uk
  On May 20, 2013 6:24 PM, Matijn Woudt tijn...@gmail.com wrote:
 
   On Mon, May 20, 2013 at 5:33 AM, 孟远涛 yuantao.m...@gmail.com wrote:
  
I find the Note in PHP document.
http://www.php.net/manual/en/function.session-id.php
   
Note: When using session cookies, specifying an id for
session_id()
  will
always send a new cookie when session_start() is called,
regardless if
   the
current session id is identical to the one being set.
   
I feel puzzled about this feature. Even if the current session id
is
identical to the one one being set, session_start will send a new
   cookie. I
want to know why session_start behave in this way.
   
Forgive my poor English. Thanks in advance.
   
  
   You will find the answer in the PHP source code.
   If you don't want this to happen, check if the current session id
matches
   with the value you want to set it to, and don't set if they match.
  
   - Matijn
  
 

 I guess it would be to help prevent session hijacks like explained here

 http://stackoverflow.com/questions/12233406/preventing-session-hijacking


 How would it help preventing session hijacking if it was sending the a
new cookie with the same session id?

 - Matijn


I was thinking if I was sitting in a cafe and someone was sniffing and
tried to use my session info they would get a new session id where I would
still have my original one so they wouldn't be able to hijack mine trying
to reuse the same id I have since php would generate a new one

No?


Re: [PHP] Question about session_id() and session_start()

2013-05-20 Thread Matijn Woudt
On 21 May 2013 03:59, David OBrien dgobr...@gmail.com wrote:


 On May 20, 2013 8:45 PM, Matijn Woudt tijn...@gmail.com wrote:
 
 
  On Mon, May 20, 2013 at 10:46 PM, David OBrien dgobr...@gmail.com
wrote:
 
  On Mon, May 20, 2013 at 4:14 PM, Tim Schofield t...@weberpafrica.com
wrote:
 
   Matijn
  
   There are well over half a million lines of source code in PHP. It
seems a
   little unhelpful to tell someone to go and read half a million lines
of C
   when you could just tell them the answer?
  
   Thanks
   Tim
  
   Course View Towers,
   Plot 21 Yusuf Lule Road,
   Kampala
   T +256 (0) 312 314 418
   M +256 (0) 752 963 325
   www.weberpafrica.com
   Twitter: @TimSchofield2
   Blog: http://weberpafrica.blogspot.co.uk
   On May 20, 2013 6:24 PM, Matijn Woudt tijn...@gmail.com wrote:
  
On Mon, May 20, 2013 at 5:33 AM, 孟远涛 yuantao.m...@gmail.com
wrote:
   
 I find the Note in PHP document.
 http://www.php.net/manual/en/function.session-id.php

 Note: When using session cookies, specifying an id for
session_id()
   will
 always send a new cookie when session_start() is called,
regardless if
the
 current session id is identical to the one being set.

 I feel puzzled about this feature. Even if the current session
id is
 identical to the one one being set, session_start will send a new
cookie. I
 want to know why session_start behave in this way.

 Forgive my poor English. Thanks in advance.

   
You will find the answer in the PHP source code.
If you don't want this to happen, check if the current session id
matches
with the value you want to set it to, and don't set if they match.
   
- Matijn
   
  
 
  I guess it would be to help prevent session hijacks like explained here
 
 
http://stackoverflow.com/questions/12233406/preventing-session-hijacking
 
 
  How would it help preventing session hijacking if it was sending the a
new cookie with the same session id?
 
  - Matijn
 

 I was thinking if I was sitting in a cafe and someone was sniffing and
tried to use my session info they would get a new session id where I would
still have my original one so they wouldn't be able to hijack mine trying
to reuse the same id I have since php would generate a new one

 No?

If you read the original question correctly, it's about a *new cookie* with
the *same session id*.

Second, if somebody is sniffing you he would also be able to grab the new
session id, and yours (old and new one) will be useless if he uses the new
session id before you do.
Avoiding session hijacking is not that easy, it's much easier to just use
an SSL connection. At least that protects you from someone sniffing on a
public wifi, but it does not help against sniffing viruses, malicious
browser extensions or cross site scripting attacks. Since it's off topic,
I'll end here. If you want to learn more, Google is your best friend!

- Matijn


[PHP] Question about session_id() and session_start()

2013-05-19 Thread 孟远涛
I find the Note in PHP document.
http://www.php.net/manual/en/function.session-id.php

Note: When using session cookies, specifying an id for session_id() will
always send a new cookie when session_start() is called, regardless if the
current session id is identical to the one being set.

I feel puzzled about this feature. Even if the current session id is
identical to the one being set, session_start will send a new cookie. I
want to know why session_start behaves in this way.

Forgive my poor English. Thanks in advance.