5

I'm trying to get my script to use url session id instead of cookies. The following page is not picking up the variable in the url as the session id. I must be missing something.

First page http://www.website.com/start.php

ini_set("session.use_cookies",0);
ini_set("session.use_trans_sid",1);
session_start();
$session_id = session_id();
header("location: target.php?session_id=". $session_id );

Following page - http://www.website.com/target.php?session_id=rj3ids98dhpa0mcf3jc89mq1t0

ini_set("session.use_cookies",0);
ini_set("session.use_trans_sid",1);
print_r($_SESSION);
print(session_id());

Result is a different session id and the session is blank.

Array ( [debug] => no ) pt1t38347bs6jc9ruv2ecpv7o2

  • Are you using a PHP framework of some sort? Stock PHP does not automatically interpret anything in the querystring, so there is no implied linkage between $_SESSION and $_GET['session_id']. – johnvey May 06 '09 at 03:31
  • 8
    Keep in mind that putting the session ID in the url can mean that it'll be leaked via HTTP referrers... – bdonlan May 06 '09 at 03:45
  • 1
    We have our own dedicated apache server with php. It is not shared. Will this be a security risk? –  May 06 '09 at 04:01
  • 4
    Yes. The referrer issue refers to when there's a link going from your server to some outside server. When someone follows that link, the outside server will be sent the url they were previously on - including the session ID. – bdonlan May 06 '09 at 04:13
  • 1
    It could also get out if someone copy-pastes the address out of their browser into, say, an email. – Jeremy Logan May 06 '09 at 05:23

5 Answers

6

Be careful when using the URL to pass session IDs; that could lead to session hijacking via the referer!

stefs
  • how is that possible – Nuri Ensing Jan 15 '16 at 08:48
  • @bboni in theory: browsers add the url of the page the link originates from to the header (the "referer"). if the session id is a url-parameter, the linked page is now able to hijack the session. i don't know which additional safeguards php employed against this, but it's generally considered unsafe. – stefs Jan 19 '16 at 12:35
  • How is this an answer? – Majid Fouladpour Sep 11 '19 at 23:27
  • 1
    when i wrote this - 10 years ago - the rules weren't enforced as strictly as they are nowadays. you're right that this is not an answer (should be a comment). i didn't realize this back then and nobody enforced it, so here we are. – stefs Sep 19 '19 at 10:43
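The referer leak discussed in this answer and its comments is avoided by keeping the session id out of the URL altogether. As an added example, not code from the answer or from PHP's documentation, here is the question's weak configuration beside a hardened one; the function names, the HTTPS check and the Referrer-Policy header are this example's own choices (session.use_strict_mode needs PHP 5.5.2 or later, session.cookie_samesite PHP 7.3 or later).

```php
<?php
// Added example, not from the answer above: the weak session configuration
// from the question beside a hardened one that keeps the id out of URLs.
// Assumption: this runs before any output, as session ini settings require.

function configureSessionWeak(): void
{
    // What the question does: no cookie; the id is appended to links, forms
    // and redirects, so it ends up in browser history and Referer headers.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '1');
}

function configureSessionHardened(bool $https): void
{
    // Carry the id only in a cookie and ignore ids arriving via GET or POST.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server never issued instead of adopting them (fixation).
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from script and off plaintext connections.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', $https ? '1' : '0');
    ini_set('session.cookie_samesite', 'Lax');
    // Stop the browser from sending this page's URL to linked sites at all.
    header('Referrer-Policy: no-referrer');
}

function onLogin(int $userId): void
{
    // Swap the id after a privilege change so a pre-login id is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
configureSessionHardened($https);
session_start();
```

With use_only_cookies and use_strict_mode set, a URL such as the one in the question (target.php?PHPSESSID=...) no longer selects a session, so a leaked or attacker-supplied id cannot be replayed; session_regenerate_id(true) belongs after login, not on every request.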
3

It looks like you just need to call session_start() on the second page.

From the docs:

session_start() creates a session or resumes the current one based on the current session id that's being passed via a request, such as GET, POST, or a cookie.

EDIT:

That said, you could also try manually grabbing the session id from the query string. On the second page you'd need to do something like:

ini_set("session.use_cookies",0);
ini_set("session.use_trans_sid",1);
session_id($_GET['session_id']); // must come before session_start()
session_start();                 // resumes the session with that id
print_r($_SESSION);
print(session_id());

Note that the session_id() function will set the id if you pass it the id as a parameter.

Jeremy Logan
  • Your first answer before you edited it helped the most. The session_id($_GET['session_id']); made the difference. –  May 06 '09 at 04:14
2

My issue was using Flash in Firefox (as Flash piggybacks IE, so sessions are not shared between the Flash object and Firefox).

Using PHP 5.3, all these answers pointed at the truth. What I finally found to work was pretty simple: pass the id in the query string, set it, THEN start the session.

session_id($_GET['PHPSESSID']);
session_start();

2

Instead of hardcoding 'PHPSESSID', use this:

session_id($_GET[session_name()]);

Jérôme Verstrynge
  • You will still need to know the session name yourself in order to pass it as a GET parameter, but it's a good way if you're dynamically defining the session name through a variable. – Achraf Almouloudi Apr 16 '15 at 14:35
0

Just a little correction: don't forget to check whether the param exists. This worked well for me.

if (isset($_GET['PHPSESSID'])) {
  session_id($_GET['PHPSESSID']);
}
session_start();
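Putting the last four answers together (read the id from the query string under session_name(), check that it is present, set it, then call session_start()), here is a complete target.php as an added example; it is not code from any of the answers. The character-set check, the length bound and the function name are this example's own additions, and it assumes the sending page appended the id under the parameter session_name() returns (PHPSESSID by default) rather than the question's session_id.

```php
<?php
// Added example, not from the answers above: target.php that accepts the
// session id from the query string the way the answers do, but checks it.
// Assumption: the first page redirected to target.php?PHPSESSID=<id>.

ini_set('session.use_cookies', '0');
ini_set('session.use_trans_sid', '1');
// Ids the server never created are discarded and a fresh one is issued,
// so a crafted URL cannot plant a chosen id (session fixation).
ini_set('session.use_strict_mode', '1');

function sessionIdFromQuery(array $get): ?string
{
    $name = session_name(); // 'PHPSESSID' unless changed in php.ini
    if (!isset($get[$name]) || !is_string($get[$name])) {
        return null; // parameter missing or not a scalar
    }
    $id = $get[$name];
    // Accept only the characters PHP itself generates, with a bounded length,
    // so the value never reaches the session handler as a path or key fragment.
    if (!preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id)) {
        return null;
    }
    return $id;
}

$id = sessionIdFromQuery($_GET);
if ($id !== null) {
    session_id($id); // must be set before session_start()
}
session_start();     // resumes that session, or starts a new one if $id is null

header('Content-Type: text/plain');
print_r($_SESSION);
print(session_id() . "\n");
```

When the parameter is absent or malformed, $id is null and session_start() simply creates a new session, which is the same outcome the question observed but now by design rather than by accident; the strict-mode setting is what a bare session_id($_GET[...]) call lacks.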