goba Sun Jul 28 10:04:32 2002 EDT
Added files:
/phpdoc/en/reference/session constants.xml
Modified files:
/phpdoc/en/reference/session reference.xml
Log:
Adding constants here and applied new structure
Index: phpdoc/en/reference/session/reference.xml
diff -u phpdoc/en/reference/session/reference.xml:1.7
phpdoc/en/reference/session/reference.xml:1.8
--- phpdoc/en/reference/session/reference.xml:1.7 Fri Jun 14 09:34:07 2002
+++ phpdoc/en/reference/session/reference.xml Sun Jul 28 10:04:32 2002
@@ -1,85 +1,289 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.7 $ -->
+<!-- $Revision: 1.8 $ -->
<reference id="ref.session">
<title>Session handling functions</title>
<titleabbrev>Sessions</titleabbrev>
<partintro>
- <para>
- Session support in PHP consists of a way to preserve certain data
- across subsequent accesses. This enables you to build more
- customized applications and increase the appeal of your web site.
- </para>
- <para>
- If you are familiar with the session management of PHPLIB, you
- will notice that some concepts are similar to PHP's session
- support.
- </para>
- <para>
- A visitor accessing your web site is assigned an unique id, the
- so-called session id. This is either stored in a cookie on the
- user side or is propagated in the URL.
- </para>
- <para>
- The session support allows you to register arbitrary numbers of
- variables to be preserved across requests. When a visitor accesses
- your site, PHP will check automatically (if session.auto_start is
- set to 1) or on your request (explicitly through
- <function>session_start</function> or implicitly through
- <function>session_register</function>) whether a specific session
- id has been sent with the request. If this is the case, the prior
- saved environment is recreated.
- </para>
- <para>
- All registered variables are serialized after the request
- finishes. Registered variables which are undefined are marked as
- being not defined. On subsequent accesses, these are not defined
- by the session module unless the user defines them later.
- </para>
- <para>
- The <link
- linkend="ini.track-vars"><literal>track_vars</literal></link> and
- <link
- linkend="ini.register-globals"><literal>register_globals</literal></link>
- configuration settings influence how the session variables get
- stored and restored.
- </para>
+
+ <section id="session.intro">
+ &reftitle.intro;
+ <para>
+ Session support in PHP consists of a way to preserve certain data
+ across subsequent accesses. This enables you to build more
+ customized applications and increase the appeal of your web site.
+ </para>
+ <para>
+ If you are familiar with the session management of PHPLIB, you
+ will notice that some concepts are similar to PHP's session
+ support.
+ </para>
+ <para>
+ A visitor accessing your web site is assigned an unique id, the
+ so-called session id. This is either stored in a cookie on the
+ user side or is propagated in the URL.
+ </para>
+ <para>
+ The session support allows you to register arbitrary numbers of
+ variables to be preserved across requests. When a visitor accesses
+ your site, PHP will check automatically (if session.auto_start is
+ set to 1) or on your request (explicitly through
+ <function>session_start</function> or implicitly through
+ <function>session_register</function>) whether a specific session
+ id has been sent with the request. If this is the case, the prior
+ saved environment is recreated.
+ </para>
+ <para>
+ All registered variables are serialized after the request
+ finishes. Registered variables which are undefined are marked as
+ being not defined. On subsequent accesses, these are not defined
+ by the session module unless the user defines them later.
+ </para>
+ <note>
+ <para>
+ Session handling was added in PHP 4.0.
+ </para>
+ </note>
+ </section>
+
+ <section id="session.requirements">
+ &reftitle.required;
+ &no.requirement;
+ </section>
- <note>
+ <section id="session.installation">
+ &reftitle.install;
<para>
- As of PHP 4.0.3, <link
- linkend="ini.track-vars"><literal>track_vars</literal></link> is
- always turned on.
+ Session support is enabled in PHP by default. If you would
+ not like to build your PHP with session support, you should
+ specify the <option role="configure">--disable-session</option>
+ option to configure.
</para>
- </note>
- <note>
+ </section>
+
+ <section id="session.configuration">
+ &reftitle.runtime;
<para>
- As of PHP 4.1.0, <varname>$_SESSION</varname> is available as
- global variable just like <varname>$_POST</varname>,
- <varname>$_GET</varname>, <varname>$_REQUEST</varname> and so on.
- Not like <varname>$HTTP_SESSION_VARS</varname>,
- <varname>$_SESSION</varname> is always global. Therefore,
- <literal>global</literal> should not be used for
- <varname>$_SESSION</varname>.
+ The session management system supports a number of configuration
+ options which you can place in your &php.ini; file. We will give a
+ short overview.
+ <itemizedlist>
+ <listitem>
+ <simpara>
+ <literal>session.save_handler</literal> defines the name of the
+ handler which is used for storing and retrieving data
+ associated with a session. Defaults to
+ <literal>files</literal>.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.save_path</literal> defines the argument which
+ is passed to the save handler. If you choose the default files
+ handler, this is the path where the files are created.
+ Defaults to <literal>/tmp</literal>. If
+ <literal>session.save_path</literal>'s path depth is more than
+ 2, garbage collection will not be performed.
+ </simpara>
+ <warning>
+ <para>
+ If you leave this set to a world-readable directory, such as
+ <filename>/tmp</filename> (the default), other users on the
+ server may be able to hijack sessions by getting the list of
+ files in that directory.
+ </para>
+ </warning>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.name</literal> specifies the name of the
+ session which is used as cookie name. It should only contain
+ alphanumeric characters. Defaults to
+ <literal>PHPSESSID</literal>.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.auto_start</literal> specifies whether the
+ session module starts a session automatically on request
+ startup. Defaults to <literal>0</literal> (disabled).
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.cookie_lifetime</literal> specifies the lifetime of
+ the cookie in seconds which is sent to the browser. The value 0
+ means "until the browser is closed." Defaults to
+ <literal>0</literal>.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.serialize_handler</literal> defines the name
+ of the handler which is used to serialize/deserialize
+ data. Currently, a PHP internal format (name
+ <literal>php</literal>) and WDDX is supported (name
+ <literal>wddx</literal>). WDDX is only available, if PHP is
+ compiled with <link linkend="ref.wddx">WDDX
+ support</link>. Defaults to <literal>php</literal>.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.gc_probability</literal> specifies the
+ probability that the gc (garbage collection) routine is started
+ on each request in percent. Defaults to <literal>1</literal>.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.gc_maxlifetime</literal> specifies the number
+ of seconds after which data will be seen as 'garbage' and
+ cleaned up.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.referer_check</literal> contains the substring you
+ want to check each HTTP Referer for. If the Referer was sent by the
+ client and the substring was not found, the embedded session id will
+ be marked as invalid. Defaults to the empty string.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.entropy_file</literal> gives a path to an
+ external resource (file) which will be used as an additional
+ entropy source in the session id creation process. Examples are
+ <literal>/dev/random</literal> or
+ <literal>/dev/urandom</literal> which are available on many
+ Unix systems.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.entropy_length</literal> specifies the number
+ of bytes which will be read from the file specified
+ above. Defaults to <literal>0</literal> (disabled).
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.use_cookies</literal> specifies whether the
+ module will use cookies to store the session id on the client
+ side. Defaults to <literal>1</literal> (enabled).
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.use_only_cookies</literal> specifies whether the
+ module will <emphasis role="strong">only</emphasis> use cookies to
+ store the session id on the client side. Defaults to
+ <literal>0</literal> (disabled, for backward compatibility). Enabling
+ this setting prevents attacks involved passing session ids in URLs.
+ This setting was added in <literal>PHP</literal> 4.3.0.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.cookie_path</literal> specifies path to set
+ in session_cookie. Defaults to <literal>/</literal>.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.cookie_domain</literal> specifies domain to
+ set in session_cookie. Default is none at all.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.cache_limiter</literal> specifies cache
+ control method to use for session pages
+ (none/nocache/private/private_no_expire/public). Defaults to
+ <literal>nocache</literal>.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.cache_expire</literal> specifies time-to-live
+ for cached session pages in minutes, this has no effect for
+ nocache limiter. Defaults to <literal>180</literal>.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>session.use_trans_sid</literal> whether transparent sid support
+ is enabled or not if enabled by compiling with
+ <link linkend="install.configure.enable-trans-sid">
+ <literal>--enable-trans-sid</literal></link>.
+ Defaults to <literal>1</literal> (enabled).
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ <literal>url_rewriter.tags</literal> spefifies which html tags are
+ rewritten to include session id if transparent sid support is enabled.
+ Defaults to
+<literal>a=href,area=href,frame=src,input=src,form=fakeentry</literal>
+ </simpara>
+ </listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ The <link
+ linkend="ini.track-vars"><literal>track_vars</literal></link> and
+ <link
+ linkend="ini.register-globals"><literal>register_globals</literal></link>
+ configuration settings influence how the session variables get
+ stored and restored.
</para>
- </note>
- <para>
- If <link
- linkend="ini.track-vars"><literal>track_vars</literal></link> is
- enabled and <link
- linkend="ini.register-globals"><literal>register_globals</literal></link>
- is disabled, only members of the global associative array
- <varname>$HTTP_SESSION_VARS</varname> can be registered as session
- variables. The restored session variables will only be available
- in the array <varname>$HTTP_SESSION_VARS</varname>.
- <example>
- <title>
- Registering a variable with <link
- linkend="ini.track-vars"><literal>track_vars</literal></link>
- enabled
- </title>
- <programlisting role="php">
+ <note>
+ <para>
+ As of PHP 4.0.3, <link
+ linkend="ini.track-vars"><literal>track_vars</literal></link> is
+ always turned on.
+ </para>
+ </note>
+ </section>
+
+ <section id="session.resources">
+ &reftitle.resources;
+ &no.resource;
+ </section>
+
+ &reference.session.constants;
+
+ <section id="session.examples">
+ &reftitle.examples;
+ <note>
+ <para>
+ As of PHP 4.1.0, <varname>$_SESSION</varname> is available as
+ global variable just like <varname>$_POST</varname>,
+ <varname>$_GET</varname>, <varname>$_REQUEST</varname> and so on.
+ Not like <varname>$HTTP_SESSION_VARS</varname>,
+ <varname>$_SESSION</varname> is always global. Therefore,
+ <literal>global</literal> should not be used for
+ <varname>$_SESSION</varname>.
+ </para>
+ </note>
+
+ <para>
+ If <link
+ linkend="ini.track-vars"><literal>track_vars</literal></link> is
+ enabled and <link
+ linkend="ini.register-globals"><literal>register_globals</literal></link>
+ is disabled, only members of the global associative array
+ <varname>$HTTP_SESSION_VARS</varname> can be registered as session
+ variables. The restored session variables will only be available
+ in the array <varname>$HTTP_SESSION_VARS</varname>.
+ <example>
+ <title>
+ Registering a variable with <link
+ linkend="ini.track-vars"><literal>track_vars</literal></link>
+ enabled
+ </title>
+ <programlisting role="php">
<![CDATA[
<?php
session_start();
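
Review bot: The warning under session.save_path in the new session.configuration section names the risk (other users listing the files in a world-readable directory such as /tmp) but gives no remedy; add a sentence telling readers to point session.save_path at a directory that only the web server user can read. While this list is being moved, fix "spefifies" in the url_rewriter.tags item and "attacks involved passing" in the session.use_only_cookies item, and state defaults for session.gc_maxlifetime and session.entropy_file, which have none, unlike the other entries.
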
@@ -91,23 +295,23 @@
}
?>
]]>
- </programlisting>
- </example>
- </para>
- <para>
- Use of <varname>$_SESSION</varname> (or
- <varname>$HTTP_SESSION_VARS</varname> with PHP 4.0.6 or less) is
- recommended for security and code readablity. With
- <varname>$_SESSION</varname> or
- <varname>$HTTP_SESSION_VARS</varname>, there is no need to use
- session_register()/session_unregister()/session_is_registered()
- functions. Users can access session variable like a normal
- variable.
- <example>
- <title>
- Registering a variable with $_SESSION.
- </title>
- <programlisting role="php">
+ </programlisting>
+ </example>
+ </para>
+ <para>
+ Use of <varname>$_SESSION</varname> (or
+ <varname>$HTTP_SESSION_VARS</varname> with PHP 4.0.6 or less) is
+ recommended for security and code readablity. With
+ <varname>$_SESSION</varname> or
+ <varname>$HTTP_SESSION_VARS</varname>, there is no need to use
+ session_register()/session_unregister()/session_is_registered()
+ functions. Users can access session variable like a normal
+ variable.
+ <example>
+ <title>
+ Registering a variable with $_SESSION.
+ </title>
+ <programlisting role="php">
<![CDATA[
<?php
session_start();
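
Review bot: In the re-indented $_SESSION paragraph, "session_register()/session_unregister()/session_is_registered()" is still plain text, while the first hunk marks the same function up as <function>session_register</function>; wrap the three names in <function> so the markup is consistent. "readablity" in the same paragraph should be "readability".
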
@@ -119,13 +323,13 @@
}
?>
]]>
- </programlisting>
- </example>
- <example>
- <title>
- Unregistering a variable with $_SESSION.
- </title>
- <programlisting role="php">
+ </programlisting>
+ </example>
+ <example>
+ <title>
+ Unregistering a variable with $_SESSION.
+ </title>
+ <programlisting role="php">
<![CDATA[
<?php
session_start();
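
Review bot: The title "Unregistering a variable with $_SESSION." carries a trailing period and leaves $_SESSION unmarked, unlike the track_vars example title, which has no period and uses <literal>; drop the period and write <varname>$_SESSION</varname>. Apart from that, the removed and added lines here have identical text, so this hunk would be easier to review if the re-indentation were committed separately from the restructuring.
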
@@ -133,46 +337,46 @@
unset($_SESSION['count']);
?>
]]>
- </programlisting>
- </example>
- </para>
- <para>
- If <link
- linkend="ini.register-globals"><literal>register_globals</literal></link>
- is enabled, then all global variables can be registered as session
- variables and the session variables will be restored to
- corresponding global variables. Since PHP must know which global
- variables are registered as session variables, users must register
- variables with session_register() function while
- <varname>$HTTP_SESSION_VARS</varname>/<varname>$_SESSION</varname>
- does not need to use session_register().
- <caution>
- <para>
- If you are using
- <varname>$HTTP_SESSION_VARS</varname>/<varname>$_SESSION</varname>
- and disable <link
- linkend="ini.register-globals"><literal>register_globals</literal></link>,
- do not use <function>session_register</function>,
- <function>session_is_registered</function> and
- <function>session_unregister</function>.
- </para>
- <para>
- If you enable <link
+ </programlisting>
+ </example>
+ </para>
+ <para>
+ If <link
+ linkend="ini.register-globals"><literal>register_globals</literal></link>
+ is enabled, then all global variables can be registered as session
+ variables and the session variables will be restored to
+ corresponding global variables. Since PHP must know which global
+ variables are registered as session variables, users must register
+ variables with session_register() function while
+ <varname>$HTTP_SESSION_VARS</varname>/<varname>$_SESSION</varname>
+ does not need to use session_register().
+ <caution>
+ <para>
+ If you are using
+ <varname>$HTTP_SESSION_VARS</varname>/<varname>$_SESSION</varname>
+ and disable <link
linkend="ini.register-globals"><literal>register_globals</literal></link>,
- <function>session_unregister</function> should be used since
- session variables are registered as global variables when
- session data is deserialized. Disabling <link
+ do not use <function>session_register</function>,
+ <function>session_is_registered</function> and
+ <function>session_unregister</function>.
+ </para>
+ <para>
+ If you enable <link
+ linkend="ini.register-globals"><literal>register_globals</literal></link>,
+ <function>session_unregister</function> should be used since
+ session variables are registered as global variables when
+ session data is deserialized. Disabling <link
+ linkend="ini.register-globals"><literal>register_globals</literal></link>
+ is recommended for both security and performance reason.
+ </para>
+ </caution>
+ <example>
+ <title>
+ Registering a variable with <link
linkend="ini.register-globals"><literal>register_globals</literal></link>
- is recommended for both security and performance reason.
- </para>
- </caution>
- <example>
- <title>
- Registering a variable with <link
- linkend="ini.register-globals"><literal>register_globals</literal></link>
- enabled
- </title>
- <programlisting role="php">
+ enabled
+ </title>
+ <programlisting role="php">
<![CDATA[
<?php
if (!session_is_registered('count')) {
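
Review bot: The paragraph before the caution writes session_register() as plain text twice, while the caution directly below it uses <function>session_register</function>; use the <function> markup in both places. In the caution, "for both security and performance reason" should read "reasons".
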
@@ -184,69 +388,73 @@
}
?>
]]>
- </programlisting>
- </example>
- </para>
- <para>
- If both <link
- linkend="ini.track-vars"><literal>track_vars</literal></link> and
- <link
- linkend="ini.register-globals"><literal>register_globals</literal></link>
- are enabled, then the globals variables and the
- <varname>$HTTP_SESSION_VARS</varname>/<varname>$_SESSION</varname>
- entries will reference the same value for already registered
- variables.
- </para>
- <para>
- If user use session_register() to register session variable,
- <varname>$HTTP_SESSION_VARS</varname>/<varname>$_SESSION</varname>
- will not have these variable in array until it is loaded from
- session storage. (i.e. until next request)
- </para>
- <para>
- There are two methods to propagate a session id:
- <itemizedlist>
- <listitem>
- <simpara>
- Cookies
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- URL parameter
- </simpara>
- </listitem>
- </itemizedlist>
- </para>
- <para>
- The session module supports both methods. Cookies are optimal, but
- since they are not reliable (clients are not bound to accept
- them), we cannot rely on them. The second method embeds the
- session id directly into URLs.
- </para>
- <para>
- PHP is capable of doing this transparently when compiled with
- <link linkend="install.configure.enable-trans-sid">
- <literal>--enable-trans-sid</literal></link>. If you enable this option,
- relative URIs will be changed to contain the session id
- automatically. Alternatively, you can use the constant
- <literal>SID</literal> which is defined, if the client did not
- send the appropriate cookie. <literal>SID</literal> is either of
- the form <literal>session_name=session_id</literal> or is an empty
- string.
- <note>
- <para>
- The <link linkend="ini.arg_separator.output">arg_separator.output</link>
- &php.ini; directive allows to customize the argument seperator.
- </para>
- </note>
- </para>
- <para>
- The following example demonstrates how to register a variable, and
- how to link correctly to another page using SID.
- <example>
- <title>Counting the number of hits of a single user</title>
- <programlisting role="php">
+ </programlisting>
+ </example>
+ </para>
+ <para>
+ If both <link
+ linkend="ini.track-vars"><literal>track_vars</literal></link> and
+ <link
+ linkend="ini.register-globals"><literal>register_globals</literal></link>
+ are enabled, then the globals variables and the
+ <varname>$HTTP_SESSION_VARS</varname>/<varname>$_SESSION</varname>
+ entries will reference the same value for already registered
+ variables.
+ </para>
+ <para>
+ If user use session_register() to register session variable,
+ <varname>$HTTP_SESSION_VARS</varname>/<varname>$_SESSION</varname>
+ will not have these variable in array until it is loaded from
+ session storage. (i.e. until next request)
+ </para>
+ </section>
+
+ <section id="session.idpassing">
+ <title>Passing the Session ID</title>
+ <para>
+ There are two methods to propagate a session id:
+ <itemizedlist>
+ <listitem>
+ <simpara>
+ Cookies
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ URL parameter
+ </simpara>
+ </listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ The session module supports both methods. Cookies are optimal, but
+ since they are not reliable (clients are not bound to accept
+ them), we cannot rely on them. The second method embeds the
+ session id directly into URLs.
+ </para>
+ <para>
+ PHP is capable of doing this transparently when compiled with
+ <link linkend="install.configure.enable-trans-sid">
+ <literal>--enable-trans-sid</literal></link>. If you enable this option,
+ relative URIs will be changed to contain the session id
+ automatically. Alternatively, you can use the constant
+ <literal>SID</literal> which is defined, if the client did not
+ send the appropriate cookie. <literal>SID</literal> is either of
+ the form <literal>session_name=session_id</literal> or is an empty
+ string.
+ <note>
+ <para>
+ The <link linkend="ini.arg_separator.output">arg_separator.output</link>
+ &php.ini; directive allows to customize the argument seperator.
+ </para>
+ </note>
+ </para>
+ <para>
+ The following example demonstrates how to register a variable, and
+ how to link correctly to another page using SID.
+ <example>
+ <title>Counting the number of hits of a single user</title>
+ <programlisting role="php">
<![CDATA[
<?php
if (!session_is_registered('count')) {
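
Review bot: The new session.idpassing section says of cookies "we cannot rely on them" and moves on to URL propagation without mentioning session.use_only_cookies, which the configuration list added earlier in this commit describes as preventing attacks that pass session ids in URLs; add a cross-reference to that setting here so the two sections do not read as conflicting advice. Also fix "seperator" in the arg_separator.output note and "If user use session_register()" in the last paragraph of session.examples.
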
@@ -268,197 +476,31 @@
To continue, <A HREF="nextpage.php?<?php echo SID?>">click here</A>
]]>
- </programlisting>
- </example>
- </para>
- <para>
- The <literal><?=SID?></literal> is not necessary, if
- <link linkend="install.configure.enable-trans-sid">
- <literal>--enable-trans-sid</literal></link> was used to compile PHP.
- </para>
- <note>
- <para>
- Non-relative URLs are assumed to point to external sites and
- hence don't append the SID, as it would be a security risk to
- leak the SID to a different server.
- </para>
- </note>
- <para>
- To implement database storage, or any other storage method, you
- will need to use <function>session_set_save_handler</function> to
- create a set of user-level storage functions.
- </para>
- <para>
- The session management system supports a number of configuration
- options which you can place in your &php.ini; file. We will give a
- short overview.
- <itemizedlist>
- <listitem>
- <simpara>
- <literal>session.save_handler</literal> defines the name of the
- handler which is used for storing and retrieving data
- associated with a session. Defaults to
- <literal>files</literal>.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.save_path</literal> defines the argument which
- is passed to the save handler. If you choose the default files
- handler, this is the path where the files are created.
- Defaults to <literal>/tmp</literal>. If
- <literal>session.save_path</literal>'s path depth is more than
- 2, garbage collection will not be performed.
- </simpara>
- <warning>
- <para>
- If you leave this set to a world-readable directory, such as
- <filename>/tmp</filename> (the default), other users on the
- server may be able to hijack sessions by getting the list of
- files in that directory.
- </para>
- </warning>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.name</literal> specifies the name of the
- session which is used as cookie name. It should only contain
- alphanumeric characters. Defaults to
- <literal>PHPSESSID</literal>.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.auto_start</literal> specifies whether the
- session module starts a session automatically on request
- startup. Defaults to <literal>0</literal> (disabled).
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.cookie_lifetime</literal> specifies the lifetime of
- the cookie in seconds which is sent to the browser. The value 0
- means "until the browser is closed." Defaults to
- <literal>0</literal>.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.serialize_handler</literal> defines the name
- of the handler which is used to serialize/deserialize
- data. Currently, a PHP internal format (name
- <literal>php</literal>) and WDDX is supported (name
- <literal>wddx</literal>). WDDX is only available, if PHP is
- compiled with <link linkend="ref.wddx">WDDX
- support</link>. Defaults to <literal>php</literal>.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.gc_probability</literal> specifies the
- probability that the gc (garbage collection) routine is started
- on each request in percent. Defaults to <literal>1</literal>.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.gc_maxlifetime</literal> specifies the number
- of seconds after which data will be seen as 'garbage' and
- cleaned up.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.referer_check</literal> contains the substring you
- want to check each HTTP Referer for. If the Referer was sent by the
- client and the substring was not found, the embedded session id will
- be marked as invalid. Defaults to the empty string.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.entropy_file</literal> gives a path to an
- external resource (file) which will be used as an additional
- entropy source in the session id creation process. Examples are
- <literal>/dev/random</literal> or
- <literal>/dev/urandom</literal> which are available on many
- Unix systems.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.entropy_length</literal> specifies the number
- of bytes which will be read from the file specified
- above. Defaults to <literal>0</literal> (disabled).
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.use_cookies</literal> specifies whether the
- module will use cookies to store the session id on the client
- side. Defaults to <literal>1</literal> (enabled).
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.use_only_cookies</literal> specifies whether the
- module will <emphasis role="strong">only</emphasis> use cookies to
- store the session id on the client side. Defaults to
- <literal>0</literal> (disabled, for backward compatibility). Enabling
- this setting prevents attacks involved passing session ids in URLs.
- This setting was added in <literal>PHP</literal> 4.3.0.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.cookie_path</literal> specifies path to set
- in session_cookie. Defaults to <literal>/</literal>.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.cookie_domain</literal> specifies domain to
- set in session_cookie. Default is none at all.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.cache_limiter</literal> specifies cache
- control method to use for session pages
- (none/nocache/private/private_no_expire/public). Defaults to
- <literal>nocache</literal>.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.cache_expire</literal> specifies time-to-live
- for cached session pages in minutes, this has no effect for
- nocache limiter. Defaults to <literal>180</literal>.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>session.use_trans_sid</literal> whether transparent sid support
- is enabled or not if enabled by compiling with
- <link linkend="install.configure.enable-trans-sid">
- <literal>--enable-trans-sid</literal></link>.
- Defaults to <literal>1</literal> (enabled).
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- <literal>url_rewriter.tags</literal> spefifies which html tags are
- rewritten to include session id if transparent sid support is enabled.
- Defaults to
<literal>a=href,area=href,frame=src,input=src,form=fakeentry</literal>
- </simpara>
- </listitem>
- </itemizedlist>
+ </programlisting>
+ </example>
+ </para>
+ <para>
+ The <literal><?=SID?></literal> is not necessary, if
+ <link linkend="install.configure.enable-trans-sid">
+ <literal>--enable-trans-sid</literal></link> was used to compile PHP.
+ </para>
<note>
<para>
- Session handling was added in PHP 4.0.
+ Non-relative URLs are assumed to point to external sites and
+ hence don't append the SID, as it would be a security risk to
+ leak the SID to a different server.
</para>
</note>
- </para>
+ </section>
+
+ <section id="session.customhandler">
+ <title>Custom Session Handlers</title>
+ <para>
+ To implement database storage, or any other storage method, you
+ will need to use <function>session_set_save_handler</function> to
+ create a set of user-level storage functions.
+ </para>
+ </section>
</partintro>
&reference.session.functions;
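
Review bot: The sentence "The <literal><?=SID?></literal> is not necessary" refers to a short-tag form that the example just above it does not use; the example prints the constant with "<?php echo SID?>". Quote the form the example actually contains, and since this sentence sits outside a CDATA section, write the angle brackets as entities if the source has them raw as shown here.
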
Index: phpdoc/en/reference/session/constants.xml
+++ phpdoc/en/reference/session/constants.xml
<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.1 $ -->
<section id="session.constants">
&reftitle.constants;
&extension.constants;
<variablelist>
<varlistentry>
<term>
<constant>SID</constant>
(<link linkend="language.types.integer">integer</link>)
</term>
<listitem>
<simpara>
Constant containing the session name and session ID in
the form of <literal>"name=ID"</literal>.
</simpara>
</listitem>
</varlistentry>
</variablelist>
</section>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"../../../manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
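
Review bot: The <term> for SID links its type to language.types.integer, but the description in the <simpara> below it says the constant contains "name=ID", which is a string; change the type link to the string type. The description should also say that SID can be an empty string, as the session.idpassing text in reference.xml states.
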