Session ID
From: https://www.php.net/manual/en/function.session-id.php
session_id
(PHP 4, PHP 5, PHP 7, PHP 8)
session_id — Get and/or set the current session id
Description
session_id(?string $id = null): string|false
session_id() is used to get or set the session id for the current session.
The constant SID can also be used to retrieve the current name and session
id as a string suitable for adding to URLs. See also Session handling.
Parameters
id
If id is specified and not null, it will replace the current session id.
session_id() needs to be called before session_start() for that purpose.
Depending on the session handler, not all characters are allowed within the
session id. For example, the file session handler only allows characters in
the range a-z A-Z 0-9 , (comma) and - (minus)!
Note: When using session cookies, specifying an id for session_id() will
always send a new cookie when session_start() is called, regardless of
whether the current session id is identical to the one being set.
Return Values
session_id() returns the session id for the current session or the empty
string ("") if there is no current session (no current session id exists).
On failure, false is returned.
Changelog
Version | Description
8.0.0   | id is nullable now.
See Also
- session_regenerate_id() - Update the current session id with a newly
generated one
- session_start() - Start new or resume existing session
- session_set_save_handler() - Sets user-level session storage functions
- session.save_handler
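The following script is an added example, not code from the manual page, showing where session_id() sits relative to session_start(), session_regenerate_id() and session_destroy() in a minimal login flow. It assumes the default cookie-based file save handler; the ini keys are real PHP settings, but the chosen values, the form field names and the credentials_valid() helper are this example's own.

```php
<?php
// Added example (not from the manual): a minimal login flow that shows
// how session_id() behaves before and after session_start(), and why the
// id is regenerated on a privilege change. Assumes the default cookie-based
// file session handler.

declare(strict_types=1);

// Harden the cookie before the session starts. The keys are real PHP
// settings; the values are this example's choices.
ini_set('session.use_strict_mode', '1');   // reject ids PHP did not create
ini_set('session.use_only_cookies', '1');  // never accept ids from the URL
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Lax');

// Before session_start() there is no current session, so session_id()
// returns "" here.
$idBeforeStart = session_id();

session_start();

// After session_start() this is the id PHP generated or resumed from the
// PHPSESSID cookie.
$idAtStart = session_id();

// Hypothetical credential check with a constructed single-user store;
// replace with your own.
function credentials_valid(string $user, string $pass): bool
{
    $store = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($store[$user]) && password_verify($pass, $store[$user]);
}

$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';

if ($user !== '' && credentials_valid($user, $pass)) {
    // Privilege change: issue a fresh id and delete the old session data so
    // an id the client held before login cannot be reused (session fixation
    // mitigation). PHP sends the new id in a new Set-Cookie header.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

if (isset($_GET['logout'])) {
    $_SESSION = [];
    // Expire the cookie as well as the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

header('Content-Type: text/plain');
echo "id before start: " . var_export($idBeforeStart, true) . "\n";
echo "id at start:     {$idAtStart}\n";
echo "id now:          " . session_id() . "\n"; // differs after a login
echo "user:            " . ($_SESSION['user'] ?? '(anonymous)') . "\n";
```

Run it behind a web server, load it once, then POST user=alice and pass=correct horse: the "id now" line changes while "id at start" still shows the pre-login id, which is exactly the value an attacker who planted it would no longer be able to use.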
User Contributed Notes (21 notes)
Riikka K 8 years ago
It may be good to note that PHP does not allow arbitrary session ids. The
session id validation in PHP source is defined in ext/session/session.c in
the function php_session_valid_key:
https://github.com/php/php-src/blob/master/ext/session/session.c
To put it short, a valid session id may consist of digits, letters A to Z
(both upper and lower case), comma and dash. Described as a character class,
it would be [-,a-zA-Z0-9]. A valid session id may have a length between 1
and 128 characters. To validate session ids, the easiest way is to use a
function like:
<?php
// Same character class and length limits as php_session_valid_key.
// The D modifier makes $ match only at the very end of the string, so an
// id with a trailing newline is rejected as well.
function session_valid_id($session_id)
{
    return preg_match('/^[-,a-zA-Z0-9]{1,128}$/D', $session_id) === 1;
}
?>
session_id() itself will happily accept invalid session ids, but if you try
to start a session using an invalid id, you will get the following error:
Warning: session_start(): The session id is too long or contains illegal
characters, valid characters are a-z, A-Z, 0-9 and '-,'
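As an added example (not part of the note or the manual), the script below applies that validation to an id arriving outside the cookie, here a hypothetical "X-Session-Id" request header such as a non-browser API client might send, and shows what session.use_strict_mode adds on top of the format check. The header name, the ini choices and the JSON output are this example's assumptions.

```php
<?php
// Added example (not from the manual or the note above): resume a session
// from an id supplied in a custom request header, validating its format
// first. Header name and ini choices are this example's assumptions.

declare(strict_types=1);

// Character class and length limits of php_session_valid_key, as quoted in
// the note above. D anchors $ at the true end of the string.
function session_id_is_well_formed(string $id): bool
{
    return preg_match('/^[-,a-zA-Z0-9]{1,128}$/D', $id) === 1;
}

// Strict mode: session_start() discards an id the save handler has never
// seen and generates a fresh one, so a client cannot choose its own id
// (the session fixation case). Must be set before session_start().
ini_set('session.use_strict_mode', '1');
// No cookie handling and no URL/GET/POST lookup: the only id source is the
// explicit session_id() call below.
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

$supplied = $_SERVER['HTTP_X_SESSION_ID'] ?? '';

// Only a well-formed id is handed to session_id(). Anything else (too long,
// stray characters) is treated as "no session" instead of letting
// session_start() emit the "illegal characters" warning and fail.
if ($supplied !== '' && session_id_is_well_formed($supplied)) {
    session_id($supplied);
}

session_start();

// session_id() now holds the id actually in use: the supplied one if it was
// well-formed and known to the save handler, otherwise a fresh one. Clients
// must switch to this value for subsequent requests.
$effective = session_id();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

header('Content-Type: application/json');
echo json_encode([
    'supplied'  => $supplied,
    'effective' => $effective,
    'resumed'   => $supplied !== '' && $effective === $supplied,
    'hits'      => $_SESSION['hits'],
]);
```

Send a first request without the header, copy the "effective" value into X-Session-Id on the next request and "hits" increments; send a made-up but well-formed id instead and "resumed" is false because strict mode replaced it. That replacement is the behaviour ohcc at 163 dot com describes further down as "cannot use session_id($sid)": the call is accepted, but the unknown id is not adopted.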
gmillikan at t1shopper dot com 8 years ago
session_id() URL-decodes the session value. For example let's say we use
setcookie() to push a cookie down to a web browser. When the browser makes
the next page request the browser sends the cookie back up to us with
headers like this: Cookie: PHPSESSID=enGHumY%2C-2De-F-TDzNHVmE%2ChY5;
If we use session_id() to read the cookie it will output a value of this:
enGHumY,-2De-F-TDzNHVmE,hY5
The two values don't match! Use either setrawcookie() or URL encode if you
wish to match the original value.
ab at ixo point ca 12 years ago
I was perplexed by inconsistent results with the session ID depending on
whether I retrieve it using SID, COOKIE, or session_id(). I have found that
session_id() is the most reliable method, whereas SID and
COOKIE["PHPSESSIONID"] are sometimes undefined.
I used this simple script to quickly test the problem on my servers:
<?php
session_start();
echo "session_id(): ".session_id()."
COOKIE: ".$_COOKIE["PHPSESSID"];
?>
Regardless of browser I see the COOKIE undefined on the first load and the
other two defined, then SID is empty on subsequent reloads and COOKIE is
defined, but session_id() is always defined.
If I insert the session_regenerate_id() method that jeff_zamrzla gives below
the refresh the page, I get a new session_id() but the COOKIE value is
initially the prior session_id() until I hit refresh a second time. So
again, session_id() proves to be the most reliable method.
It's probably not a bug since I found the behaviour to be consistent in PHP
versions 5.2.14, 5.3.3 and 5.3.4, but I can't figure what I'm missing and
hopefully this will help others who run into this.
ohcc at 163 dot com 6 years ago
When session.use_strict_mode is set to 1 or true, you cannot use
session_id($sid) to set the session id for the current session.
Igor Oliveira Ferreira 7 years ago
This can look obvious, but, like me, you can spend some hours making a simple
session work between different browsers and devices. These are the basics
for me, but you can build upon them.
Shiji Jiang 8 years ago
IMPORTANT NOTE:
If you assign a specific session ID to a user in your applet, then do not
run the following code at logout:
session_regenerate_id(TRUE);
USE:
session_regenerate_id(); instead.
OTHERWISE, setting the session id will no longer work for that user.
karlhaines at comcast dot net 19 years ago
Rewriting URLs is not suggested for obvious security issues. Please be
careful with register_globals when using sessions! Check that all
information you receive from a user is valid before accepting it!
dmeweb at dibsplace dot com 12 years ago
If you look at the notes on cookies (set_cookie I think), you will see that
you cannot read a cookie on the page that it is set. That is because the
cookies are sent with the page request, which comes, of course, before your
PHP is run. You have to wait until the next page request from the same
source to read the cookie.
Anonymous 16 years ago
Regarding Colin's comment, note that setting hash_bits_per_character to 5
results in characters ranging from 0-9 and a-v. Most attackers would be wise
enough to realize what was going on when they saw a letter in g-v. The
probability of not seeing a letter in g-v is somewhere around 2^-32.
Drugelis, Lietuva 12 years ago
I had a lot of trouble with session_regenerate_id() as it did not
regenerate... session_id() stayed the same no matter what (unless closing
the window). I wanted to have a different sid and empty vars for each
session/page meeting a condition, for security reasons. Finally, this
worked:
Now you get a different sid and empty session variables for each
session_start if the condition is met (i.e. user hits refresh on the
user/password form, which I needed badly :). Hope this helps someone out
there.
Env: localhost
Note: the condition is mandatory, otherwise it destroys on each load.
hela69 5 years ago
The calls session_id(null) and session_id() do not provide the same result.
It is imperative to pass no parameters to get correct results.
simon at quo dot com dot au 17 years ago
Length of PHPSESSID appears to be 32 characters by default.
Colin 16 years ago
The higher you set session.hash_bits_per_character, the shorter your
session_id will become, by using more bits per character. The possible
values are 4, 5, or 6.
When using sha-1 for hashing (by setting ini_set('session.hash_function', 1)),
the following session string lengths are produced by the three
session.hash_bits_per_character settings:
4 - 40 character string
5 - 32 character string
6 - 27 character string
It would seem desirable to use sha-1 with 5 bits_per_character because this
will emulate a standard 32 character md5 string and make a would-be attacker
think that is what you're hashing with.
Anonymous 16 years ago
In response to simon at quo dot com dot au:
The PHPSESSID is produced using a hash function. By default, it uses MD5,
which produces 128 bits long (i.e. 16 bytes long) hashes.
But, since some bytes' values may not be used in the HTTP header, PHP
outputs the hash in its hexadecimal representation, thus resulting in a 32
bytes long text.
Starting with PHP 5.0, you can change the hash function used (by setting
"session.hash_function" to whatever function you want to use in php.ini).
You may for example set it to 1 to switch to SHA-1, which produces 160 bits
(20 bytes) long hashes.
Please also note that another setting was introduced in PHP 5
(session.hash_bits_per_character) which sort of "compresses" the hash, thus
resulting in what seems to be a shorter hash.
This feature helps you improve your application's security by producing IDs
that are harder to predict for a malicious attacker.
More information on those settings is provided on:
http://www.php.net/manual/en/ref.session.php
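The arithmetic behind the lengths in the two notes above, as an added example that is not part of either note: the id length is the hash size divided by bits-per-character, rounded up. The script also carries the same arithmetic over to session.sid_length and session.sid_bits_per_character, the settings PHP 7.1 and later use in place of session.hash_function and session.hash_bits_per_character (the id is then drawn from a CSPRNG rather than hashed). The helper names and the sample settings are this example's own.

```php
<?php
// Added example (not from the notes): id length as a function of hash size
// and bits per character, plus the equivalent unpredictability figure for
// the PHP 7.1+ settings session.sid_length / session.sid_bits_per_character.

declare(strict_types=1);

/** Characters needed to encode $bits of id material at $bitsPerChar each. */
function session_id_length(int $bits, int $bitsPerChar): int
{
    return intdiv($bits + $bitsPerChar - 1, $bitsPerChar); // integer ceil()
}

/**
 * PHP 7.1+: the id is $sidLength characters drawn from a CSPRNG, so the
 * unpredictability is simply length times bits per character.
 */
function session_id_entropy_bits(int $sidLength, int $bitsPerChar): int
{
    return $sidLength * $bitsPerChar;
}

// Pre-7.1: the id was a hash of PHP's entropy source (sizes in bits).
$hashes = ['md5' => 128, 'sha1' => 160];
foreach ($hashes as $name => $bits) {
    foreach ([4, 5, 6] as $bpc) {
        printf("%-4s %d bits/char -> %2d chars\n",
               $name, $bpc, session_id_length($bits, $bpc));
    }
}
// sha1 yields 40, 32 and 27 characters for 4, 5 and 6 bits/char, matching
// Colin's table; md5 at 4 bits/char is the 32-character id simon observed.

// 7.1+ built-in defaults (32 characters, 4 bits each) and a longer choice.
printf("sid_length 32 x 4 bits -> %3d bits\n", session_id_entropy_bits(32, 4));
printf("sid_length 48 x 5 bits -> %3d bits\n", session_id_entropy_bits(48, 5));
// php.ini equivalent of the second line:
//   session.sid_length = 48
//   session.sid_bits_per_character = 5
```

The bit count, not the apparent hash name, is what an attacker has to guess against, which is why the PHP 7.1+ settings express the id directly in characters and bits per character instead of in terms of a hash function.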
Dario Gomes 11 years ago
Gosh, took a LOOONG time to figure this one out! If you have suhosin built
into your PHP and can't get sessions to work after changing the session id
through session_id(), try turning off suhosin's session encryption option in
php.ini with:
suhosin.session.encrypt=Off
cbarnes at bfinity dot net 18 years ago
Note that Firefox and Mozilla use the same process for launching new windows
or tabs; they will pick up the same session id as the previous windows until
the parent process dies or is closed. This may cause undesired results if
the session id is stored in a db and checked. A solution is to check at the
new entry point (new tab or window, if the user went back to the index page)
for an existing session. If a session id exists and a new one is required,
use something like:
jpjounier at hotmail dot com 17 years ago
About the note from Cybertinus:
The following test doesn't work; the code following is always executed:
Axel 15 years ago
The documentation for session_id is incomplete when it says:
"For example, the file session handler only allows characters in the range
a-z, A-Z and 0-9!".
It is untrue when changing the default for session.hash_bits_per_character,
as Colin said. session_id may therefore contain "-" and ",".
http://fr.php.net/manual/en/session.configuration.php
Francois 12 years ago
In php version 5.3.2, in my case, each time a new session-id was generated
after session_start(), but all was working correctly before in previous
versions. So I lost data from my current session (wrong session-id). There
was always a $_POST or $_GET or $_COOKIE available with the session-name and
session-id, so session_start() was taking this automatically. Now I have to
execute session_id(..old id ..) before session_start() and a session is
started for the same id.
Andi, info at pragmaMx dot org 20 years ago
you can also add the iframe tag:
ini_set("url_rewriter.tags", "a=href,area=href,frame=src,iframe=src,input=src,form=fakeentry");
infinito84 at gmail dot com 9 years ago
Get a shared session.
Sometimes it is good to be able to exchange messages and vars between one
session and another, but PHP doesn't support this. I created this script
that allows, with session_id(), changing from the current session to a
shared session (that is, info with scope across all sessions) to read and
write info, and then back to the user session. The code:
Value: ".rand(0,100)." SessionID: $id
";
//Save the superglobal
set_global("test",$test);
//Show the superglobal
foreach($test as $t){
echo $t;
}
echo "Reloads = ".$_SESSION['count'].", This my color";
exit;
?>