HELP!!! Generate New Session_id() - CodingForum

  • HELP!!! Generate New Session_id()

    Hi everyone,
    I want to generate a new session_id() when I open a new page.
    I know a session_id() is created when we use session_start() at the beginning of the page, and when we click on a popup window, that window will use the same session_id() until all windows are closed.

    Currently I use session_regenerate_id() to generate a new session_id(). Example: old session_id = 99999, then after generating, the new session_id becomes 33333.
    But the new session_id is only used on the current page. When I open up a popup window, the session_id() becomes the old session_id(), which is what I don't want.

    Can anyone help me solve this problem? I want to use the newly generated session_id() in the newly opened window rather than the old session_id().

    Thanks.

    Here is my code:
    <?php
    session_start();

    $old_sessionid = session_id();

    session_regenerate_id();

    $new_sessionid = session_id();

    echo "Old Session: $old_sessionid<br />";
    echo "New Session: $new_sessionid<br />";

    ?>

    <html>

    <head>
    <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
    <meta name="generator" content="Adobe GoLive">
    <title>GAM Login Page</title>
    </head>

    <body bgcolor="#ffffff">
    <br>Request Page
    <p>
    <a href="MultipleLoginTest.php" onClick="window.open('Test.php');"> go</a>
    </body>
    </html>

  • #2
    Hi, BlueHippo

    You can remove the session first, then assign a new value to the session ID.



    • #3
      Thanks for the reply, cf2sg.

      Remove the current session_id(): do you mean use session_destroy() to remove it?

      Then how do I reassign the session_id? By just generating a new one and then storing it to session_id(), with code:

      <?php
      session_start();

      $old_sessionid = session_id();
      session_destroy();

      session_regenerate_id();

      $new_sessionid = session_id();

      echo "Old Session: $old_sessionid<br />";
      echo "New Session: $new_sessionid<br />";

      ?>

      Then the $new_sessionid will become NULL.
      Then how do I reassign the session_id() value?



      • #4
        Yep, exactly.

        Can you use $_SESSION as the global register variable?



        • #5
          You mean use $_SESSION to store the newly generated session_id?

          Hmm... then what about the newly generated session_id? It has already been destroyed when I use session_destroy().

          Thanks for your advice.



          • #6
            I'm confused by your problem. You have this:
            original id: 41b93583e1c9fb214ab846605c53ffa6
            new id: 565ee75fa3a0c8092d766dcd158085bf
            When you click on the window to open, your output is like so:
            current id: 41b93583e1c9fb214ab846605c53ffa6
            ?
            That's odd.
            Here, try with something like so. It will merely point back to itself and regenerate the id only from the main page:
            PHP Code:
            <?php
            error_reporting(E_ALL);

            session_start();
            $original = '';
            $new = '';
            $original = session_id();

            // Regenerate only on the main page, not in the window opened with ?regenerate
            if (!isset($_GET['regenerate']))
            {
                session_regenerate_id();
                $new = session_id();
            }
            echo '<br />Original ID: ' . $original;
            echo '<br />New ID: ' . $new . '<br />';

            echo '<br />Possible SID: ' . SID;

            echo '<br /><br />';
            echo '<a href="#" onclick="window.open(\'' . $_SERVER['SCRIPT_NAME'] . '?regenerate\');">Clicker</a>';
            ?>
            Nice and simple. If SID has a value to it, you must ensure that your session.enable_trans_sid is enabled, otherwise it will always create a new session (if SID constant is not appended to a url manually).
            Next to this, if this value is empty you are passing your values via cookie method. Here is the tricky part to it. If your php version < 4.3.3, you will need to manually set a new cookie for the new session_id as regenerate_session_id() will not complete this task for you.
            Last edited by Fou-Lu; Aug 3, 2005, 12:11 AM.
            PHP Code:
            header('HTTP/1.1 420 Enhance Your Calm'); 
            Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)



            • #7
              Thanks for your reply, Fou-Lu.

              I tried your code, and here is the result:

              ==========================================
              Original ID: 509f54ec6e1e8b59559eabb41addef08
              New ID: 8ee98eb1bf58209c311698aac8354b08

              Possible SID:

              Clicker
              ==========================================

              Then when I click on Clicker, it becomes:

              ==========================================
              Original ID: 509f54ec6e1e8b59559eabb41addef08
              New ID:

              Possible SID:

              Clicker
              ==========================================

              Why I want to generate a new session_id():
              When a user logs in, I want to give them a new session_id() which they can use for the rest of the pages, so the session_id needs to be different from the login page.

              for example:

              Login(session_idA)
              -> Generate -> User1(sessionB) ->Open popup window(sessionB)
              -> Generate -> User2(sessionC) ->Open popup window(sessionC)



              • #8
                Hi Bluehippo,
                I assume then that your desired id would be: 8ee98eb1bf58209c311698aac8354b08 correct?
                Then it seems here that there is one of two problems. Either your cookies are stale in your browser (as in, they won't go away or reset themselves for one reason or another), or your php version is < 4.3.3. You can check this like so:
                echo PHP_VERSION;
                To see what it would be. If it is less than this, you will need to setcookie() for your new session id.
                You may also consider destroying your old sessions in order to prevent it from possible future hijacking.


                • #9
                  Thanks Fou-Lu, I think you are right.

                  I checked the PHP version, it is 4.3.2. So I need to manually delete the cookies and destroy the session?

                  Can you give me an example? I have never used cookies before.

                  Thanks a lot.



                  • #10
                    Whew, we're getting lucky here, session_regenerate_id has only been available since 4.3.2, so that's good. I didn't really want to make a session regeneration code for it :P
                    Now, it's tough for me to say for sure that this will work, as it could be the way my 4.3.8 (I think it is...) handles it. Personally, I like the way my php5.x handles it instead, deletes it all for you.
                    Anyway, give this one a shot, let me know. I found this on php.net's user comments section, put it to the test and it works fine:
                    PHP Code:
                    <?php
                    error_reporting(E_ALL);
                    // I'm putting the directive in, in case they are not set.  This allows users to go without cookies as well:
                    ini_set('session.use_cookies', '1');
                    ini_set('session.use_only_cookies', '0');
                    ini_set('session.use_trans_sid', '1');
                    session_start();

                    $oldsession = session_id();

                    session_regenerate_id();
                    $newsession = session_id();
                    // Switch back to the old ID so session_destroy() removes the old session's stored data
                    session_id($oldsession);
                    session_destroy();

                    // $_SESSION still holds the old values here; carry them over to the new ID
                    $old_session = $_SESSION;
                    session_id($newsession);
                    session_start();
                    $_SESSION = $old_session;
                    // Send the cookie for the new ID explicitly
                    setcookie(session_name(), session_id(), NULL, '/');

                    ?>
                    <html>

                    <head>
                    <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
                    <meta name="generator" content="Adobe GoLive">
                    <title>GAM Login Page</title>
                    </head>

                    <body bgcolor="#ffffff">
                    <br>Request Page
                    <p>
                    <a href="MultipleLoginTest.php" onClick="window.open('Test.php?<?php echo htmlspecialchars(SID); ?>');"> go</a>
                    </body>
                    </html>
                    Now, the danger will be as follows. Should there still be set a session id in the original page, or if the user clicks back on their browser and has their cookies off, it will copy a new session id. This in itself isn't a problem, but now you have two separate files. The main problem is that should they do this, the initial values of $_SESSION will replace any new ones which you wanted to use with the new session. However, using a form with a POST method could probably resolve this issue. Otherwise, I'd remove from the top the ini set features and replace them with:
                    ini_set('session.use_cookies', '1');
                    ini_set('session.use_only_cookies', '1');
                    And inform your users that they must have at least session cookies available on their system. This will eliminate your need to use a querystring to append the session id.
                    Wow, I thought before that you really couldn't have much problem with the querystring method (so long as you are securing), but this is obviously a case that you can.
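
Added example, not code from this thread or from php.net: the same login-time rotation on a current PHP release, where session_regenerate_id(true) deletes the old session and sends the new cookie, so the manual copy, destroy and setcookie() steps are not needed. It assumes PHP 7.3 or later and an HTTPS site; login_user() and the user_id and created_at keys are hypothetical names.

```php
<?php
// Added example: rotate the session ID at login (PHP >= 7.3).
// login_user() and the session keys are hypothetical names.

// Accept session IDs from cookies only, never from the URL.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse IDs the server did not issue itself (defence against fixation).
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,      // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

function login_user(int $userId): void
{
    // true = delete the data stored under the pre-login ID.
    // $_SESSION contents are kept and move to the new ID, and PHP
    // sends the Set-Cookie header for the new ID by itself.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('Could not rotate the session ID');
    }
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
}
```

A popup opened after login_user() has run sends the same cookie, so it sees the new ID rather than the pre-login one.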


                    • #11
                      Hi Fou-Lu,

                      Thanks for the example.

                      The example really works, it really works.

                      I use ini_set('session.use_cookies', '1'); ini_set('session.use_only_cookies', '1'); because I don't use the POST method... and it works. It changes the old session into the new session id in the session_id().
                      And when I click on the popup window, the session id uses the newly generated session id which was created on the previous page (it doesn't go back to the old one or create a new one), which is perfect.

                      Thank you so much Fou-Lu, you are so PRO. lol



                      • #12
                        Hi Fou-Lu,

                        Hehe, sorry for the trouble. I just found a problem with that script.

                        Previously I said the code can generate a new session_id() and replace the old session_id(), but now here is the problem:

                        (using the same window to log in)
                        When I log in as userA[Login Page], 'then open new window'
                        -> GenerateId -> User1(sessionB)[Menu Page] ->Open popup window(sessionB)

                        Then when I log in as userB[Login Page], 'then open new window'
                        -> GenerateId -> User2(sessionC)[Menu Page] ->Open popup window(sessionC)

                        But when I refresh the userA page, sessionB changes to sessionC.

                        Oh, I want to faint now. Can you help me with this?
                        Thanks



                        • #13
                          You cannot login as two separate users with this method on, not only the same browser window, but the same browser completely.
                          Since your sessions are not checking for validity prior to allowing its use, it will accept the cookie value as it's set.
                          User A login (COOKIE SET), REGENERATE (COOKIE ALTERED)
                          User B login (COOKIE SET, but since COOKIE exists, it will be altered), REGENERATE (COOKIE ALTERED)
                          Your browser now has User B cookies set to it. So refreshing of User A will always result in the setting of COOKIE B, as the cookie name is identified by your php session_name() value. Try turning your cookies off and testing it, you will see what I mean (remember to set your ini_set functions for use_cookies=1, use_only_cookies=0, use_trans_sid=1 to test it). The appended url should pass correctly without the changing of users.

                          So long as you're using cookies to browse with sessions (which I would always recommend, far easier to control), this will always happen. Think of it as not being a bug, but a feature of php. The browser has explicitly set itself as being a new user, and therefore should only have access to what the new user is available to. In other words, it is removing itself from the ability to access the original user's session. The only downside of this is that your sessions file will not be removed by php. However, your php should be set up for garbage collection and get rid of it shortly after that.

                          Edit:
                          Thought I'd mention as well - to my knowledge there is no 'cookie' way around this. The only way to solve such a problem is by using URL passed session parameters instead, but you need to be careful to validate this extensively to avoid a session hijack.
                          As well, the code I posted for you will work with cookies off, it's as I mentioned though, since the appended session parameters are different, you would lose the new $_SESSION values that you may have inserted. There are always ways around this as well, should you like to offer your clients cookieless browsing.
                          Last edited by Fou-Lu; Aug 4, 2005, 01:25 AM.
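
Added example, not part of the original thread: one way to do the validity check mentioned above before trusting whatever session the cookie names. The function names, session keys and time limits are assumptions; stamp_session() is meant to be called right after the ID is rotated at login, and session_start() is assumed to have run already.

```php
<?php
// Added example: validate a session on every request before using it.
// All names and limits below are hypothetical.

const IDLE_LIMIT     = 900;    // seconds of inactivity allowed
const ABSOLUTE_LIMIT = 28800;  // maximum age of a login, in seconds

function client_fingerprint(): string
{
    // Coarse binding to the browser that logged in. A stolen ID replayed
    // from a different user agent will not match.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function stamp_session(int $userId): void
{
    $now = time();
    $_SESSION['user_id']     = $userId;
    $_SESSION['created_at']  = $now;
    $_SESSION['last_seen']   = $now;
    $_SESSION['fingerprint'] = client_fingerprint();
}

function current_user_id(): ?int
{
    $now = time();
    $valid = isset($_SESSION['user_id'], $_SESSION['created_at'],
                   $_SESSION['last_seen'], $_SESSION['fingerprint'])
        && ($now - $_SESSION['last_seen'])  <= IDLE_LIMIT
        && ($now - $_SESSION['created_at']) <= ABSOLUTE_LIMIT
        && hash_equals($_SESSION['fingerprint'], client_fingerprint());

    if (!$valid) {
        // Unknown, expired or mismatched: drop the data and the stored session.
        $_SESSION = [];
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_destroy();
        }
        return null;
    }
    $_SESSION['last_seen'] = $now;
    return (int) $_SESSION['user_id'];
}
```

Pages call current_user_id() first and treat null as "not logged in", so a session is only used after it has passed these checks.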