Passing the Session ID
There are two methods to propagate a session id:
The session module supports both methods. Cookies are optimal, but
because they are not always available, we also provide an alternative
way. The second method embeds the session id directly into URLs.
PHP is capable of transforming links transparently. If the run-time
option session.use_trans_sid
is enabled, relative
URIs will be changed to contain the session id automatically.
Note:
The arg_separator.output
php.ini directive allows to customize the argument separator. For full
XHTML conformance, specify & there.
Alternatively, you can use the constant SID
which is
defined if the session started. If the client did not send an appropriate session
cookie, it has the form session_name=session_id
.
Otherwise, it expands to an empty string. Thus, you can embed it
unconditionally into URLs.
The following example demonstrates how to register a variable, and
how to link correctly to another page using SID
.
Example #1 Counting the number of hits of a single user
<?php
session_start();
if (empty($_SESSION['count'])) {
$_SESSION['count'] = 1;
} else {
$_SESSION['count']++;
}
?>
<p>
Hello visitor, you have seen this page <?php echo $_SESSION['count']; ?> times.
</p>
<p>
To continue, <a href="nextpage.php?<?php echo htmlspecialchars(SID); ?>">click
here</a>.
</p>
The htmlspecialchars may be used when printing the SID
in order to prevent XSS related attacks.
Printing the SID
, like shown above, is not necessary if
--enable-trans-sid was used to compile PHP.
Note:
Non-relative URLs are assumed to point to external sites and
hence don't append the SID
, as it would be a security risk to
leak the SID
to a different server.