
I am learning to use PHP sessions, when a problem occurred.

I was using some blank pages to test the PHP sessions' functions, and I had started a session on those pages with a specific id (something simple).

In the parent directory, there was my project for school, which DID NOT have the sessions implemented yet. Only some basic PHP to write/read a .txt file.

When I opened up my project page, I noticed the CSS was gone. Weird, I thought, because I had not modified the project's files since the day before. I opened up the inspector in Chrome, and noticed that in my <style> href attribute, there was not `style.css` but rather `style.css; PHPSESSID`, which was weird, because I hadn't started ANY session on ANY pages this page was linked to.

It also overrode my CSS cookie I had created with JavaScript (just something like css_page='style.css'). And it also borked my CSS on all pages of the project (the CSS styles did not load).

My question is, why does a PHPSESSID variable end up in a place that was not between <?php and ?>, when the session_start() function was not called in the page? And then, how can I prevent it from overriding ALL cookies on the site?

Edit : As a request from Martin, here is some code :

Page where I started a session just to do some testing :

<?php
session_id("you");
session_start();
?>
<html>
<head>
   <title>Test</title>
</head>
<body>
  <?php
    echo "Bonjour<br/>";
    $_SESSION["pre"] = "firstName";
    $_SESSION["nom"] = "lastName";
    $_SESSION["idd"] = "identifiernumber";
    echo $_SESSION["pre"]."<br/>";
    echo $_SESSION["nom"]."<br/>";
    echo $_SESSION["idd"]."<br/>";
    print_r($_SESSION);
  ?>
</body>
</html>

Page where I noticed the borked CSS :

<html>
<head>
  <meta charset="utf-8">
  <link id="css" rel="stylesheet" type="text/css" href="style.css">
  <script src="fonctions.js"></script>
</head>
<body onload="createcookie()">
  <!-- Some text in divs, nothing in php -->
</body>
</html>

fonctions.js file :

function changeCSS(){
    var sheet = document.getElementById('css').getAttribute('href');
    if (sheet == "style.css") {document.getElementById('css').setAttribute('href', 'style2.css');}
    else {document.getElementById('css').setAttribute('href', 'style.css');}
}
function chooseCSS(style) {
    document.getElementById('css').setAttribute('href', style);
}
function checkCookie(coo) {
    var cuki = document.cookie;
    var ind = cuki.indexOf(coo);
    if (ind != -1) {return true;}
    else {return false;}
}
function createcookie() {
    if (!checkCookie('css')) {
        var foo = document.getElementById('css').getAttribute('href');
        if (foo == "") {foo = "style.css";}
        document.cookie = "css=" + foo;
    }
    var x = document.cookie.split("=");
    chooseCSS(x[1]);
}

Note : in another test php page, I used the following functions (in that order) :

<?php
  session_start();
  $_SESSION = array();
  session_destroy();
?>

I wanted to close/destroy the session completely, because I need at least two sessions and a 'guest' mode (no session turned on).

  • 1) Someone else edited your pages. 2) Your pages have been compromised (poorly) 3) You copy/pasted without realising 4) please show code of the page this occurs on. – Martin Apr 30 '16 at 22:29
  • I can't see your `style` attribute which you reference in your question. Can you please post the page that displays the unexpected `PHPSESSID`. cheers – Martin May 01 '16 at 12:40
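The value seen in the href, `style.css; PHPSESSID`, is what `document.cookie.split("=")[1]` returns once a second cookie exists: `document.cookie` holds every cookie for the path as `name=value` pairs separated by `; `, so splitting on `=` alone grabs `style.css; PHPSESSID` as the "value". The following is an added example (not code from the original post) that reproduces that result on a constructed cookie string, then shows a name/value cookie parser and a stylesheet selector that only accepts allow-listed file names. Cookie values are writable by any script on the origin (and by sibling subdomains), so copying one into an `href` unchecked is a stylesheet-injection hole; the allow-list closes it. The session id value and the `ALLOWED_SHEETS` list are assumptions for the demonstration; the functions take the cookie string as a parameter so they run outside a browser.

```javascript
// Added example, not part of the original question. Runs under Node.js;
// pass document.cookie as the argument when using it in the browser.

// Constructed sample of document.cookie once the test page's PHPSESSID
// cookie sits next to the asker's own "css" cookie. The session id is a
// placeholder, not a real one.
const SAMPLE_COOKIE_HEADER = "css=style.css; PHPSESSID=0123456789abcdef";

// What the original fonctions.js does: split the whole cookie string on "="
// and take element 1. The "; " between cookies is never considered, so the
// result is "style.css; PHPSESSID" as soon as a second cookie follows "css".
function sheetFromCookieBuggy(cookieHeader) {
  const x = cookieHeader.split("=");
  return x[1];
}

// Parse a document.cookie string into a name -> value map.
// Cookies are separated by ";"; each one is name=value, and the value itself
// may contain "=", so only the first "=" of each part is significant.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of cookieHeader.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    if (eq === -1) continue;
    const name = trimmed.slice(0, eq).trim();
    const value = trimmed.slice(eq + 1);
    try {
      jar[name] = decodeURIComponent(value);
    } catch (e) {
      jar[name] = value; // malformed percent-encoding: keep the raw value
    }
  }
  return jar;
}

// Assumed allow-list of stylesheets the page actually ships. The cookie value
// is attacker-influenced, so anything outside this list falls back to the
// default instead of being written into href.
const ALLOWED_SHEETS = ["style.css", "style2.css"];
const DEFAULT_SHEET = "style.css";

function sheetFromCookie(cookieHeader) {
  const css = parseCookies(cookieHeader)["css"];
  return ALLOWED_SHEETS.includes(css) ? css : DEFAULT_SHEET;
}

// Build the Set-Cookie string for the "css" preference. Path=/ keeps one
// copy for the whole site; SameSite=Lax stops cross-site requests from
// carrying it. Only allow-listed names are ever stored.
function buildCssCookie(sheet) {
  const safe = ALLOWED_SHEETS.includes(sheet) ? sheet : DEFAULT_SHEET;
  return "css=" + encodeURIComponent(safe) + "; Path=/; SameSite=Lax";
}

console.log("buggy :", sheetFromCookieBuggy(SAMPLE_COOKIE_HEADER));
console.log("fixed :", sheetFromCookie(SAMPLE_COOKIE_HEADER));
console.log("cookie:", buildCssCookie("style2.css"));
```

In the browser the replacement for the original `createcookie` is `document.cookie = buildCssCookie(...)` followed by `chooseCSS(sheetFromCookie(document.cookie))`; `checkCookie`'s `indexOf('css')` has the same class of problem (it matches any cookie whose name or value contains `css`) and is covered by looking up `parseCookies(document.cookie)["css"]` instead.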

1 Answer


Some general notes on PHP sessions:

  • Do NOT set session id values yourself, but allow PHP to auto generate them. This is much more secure and decreases the chance of Session Hijacking.

  • Sessions should not be used in the URL line, instead being transferred more under the hood, rather than being obvious to (and therefore easier to manipulate by) the end user.

  • Set session parameters in the php.ini file or with ini_set at the top of the page (typically with an include).

php.ini example:

session.save_path=/home/directory/custom_session_folder
session.name=a_custom_session_name
session.cookie_httponly=1 ; cookie not readable from JavaScript (document.cookie)
session.cookie_secure=0 ; set to 1 so the cookie is only sent over HTTPS
session.entropy_file=/dev/urandom ; better, more secure session id generation (PHP < 7.1; removed later)
session.hash_function=whirlpool ; same, better way of generating session ids (PHP < 7.1; removed later)
session.use_trans_sid=0 ; turn off transparent session ids (no id appended to URLs)

  • Turn on error reporting for your PHP scripts with the following lines at the top of your page:

PHP page example (top):

  <?php
  ini_set('display_errors', 1);
  ini_set('display_startup_errors', 1);
  error_reporting(E_ALL);

  • If you want different sessions for different users or different activities on your website you need to set different session names not the session id.

  • It is a better approach to have sessions for everyone, those "logged in" and those who are not, simply with saving a flag in your session data to define which is which, this will sidestep lots of potential consistency issues on a more developed website.

example:

$_SESSION['loggedin'] = true; // or false

Martin
  • Thanks for your answer, but what about the PHPSESSID that puts itself in the href of my `` for the css? What is creating it / how could I avoid that? – Thibault de Villèle May 01 '16 at 14:47
  • @ThibaultdeVillèle please update your question as per my comment earlier. You need to show us the page where the issue is occurring, not other random pages you're putting session data on. cheers – Martin May 01 '16 at 19:24