19

Is it possible to check for a session with out starting one?

The reason that I ask is, the app I am developing has an integrated admin interface. So when an admin is logged in they browse the same pages as the users to make their edits. Fields and options are shown based on the users privs.

This is causing two problems.

One is Because a session is being started, I can not enable browser caching features as the headers being sent are always:

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

I am using smarty to output the templates, and can't implement the:

$smarty->cache_modified_check = true;

to send a 304 not modified because a session has already been started. Using the above smarty param would be the perfect solution to browser caching for me.

Two is because every person using the site is starting a session the session directory gets filled with unneeded sessions.

I could just destroy the session if the user is not logged in, but then every single page load, the user would be creating and deleting a session. Is that bad practice?

So if I could just check to see if an active session exists without starting one all my problems would be solved. Any ideas? Doesn't the browser send the session cookie when requesting the page?

Something Ideally like this:

if (session_exists) {
 session_start();
 $users->priv = $_SESSION['priv'];
}
else {
 $users->priv = guest;
}

--------------- In response to Tony Miller ---------------

When using session_id(), you have to already have a session started for it to return an id.

session_start();
echo session_id($_SESSION);

or you can set an id for the session before calling session start

session_id("adfasdf");
session_start();
echo session_id($_SESSION);

//prints "adfasdf"

Neither of these help me. Unless I am missing something.

Community
  • 1
  • 1
user73119
  • 2,413
  • 3
  • 21
  • 21
  • 2
    Don't call `session_id("adfasdf")`, call `session_id()` instead. If no session exists, it will return `""`. So do an `if(session_id())` before calling `session_start()`. – nash Nov 23 '09 at 13:58
  • So far none of the answers addressed properly the question: 1) `session_id` before `session_start` returns nothing, and 2) `PHPSESSID` cookie is not a reliable parameter since the client can submit anything he wants. – Mark Messa Oct 24 '19 at 16:41

3 Answers3

11

You'd be wanting session_id(), which returns empty string if no session is defined.

The documentation indicates that empty string (which is not "nothing") is returned if no session is started.

As the 2014 comments indicate (I wrote this answer in 2009), there is the possibility that a session could start if there is a cookie with a session id stored in it that could be picked up by session_start().

As of PHP 5.4.0, we now have session_status() but this didn't exist in 2009.

Tony Miller
  • 9,059
  • 2
  • 27
  • 46
  • Could you please elaborate on this? It looks like there are two uses for session_id. 1. session_id($_SESSION) returns the id of the session, which has to be called after session_start(). 2. calling session_id("asdf") before session_start() sets the id of the session to "asdf". I'm not sure how either one of these help me. How will I know the current browsers session if I give it a new id before calling session_start()? Thanks – user73119 Nov 23 '09 at 05:23
  • 1
    Actually, session_id() returns the current session id - which will be empty string ('') if there is none. I don't think session_is($_SESSION) is a valid use. – K Prime Nov 23 '09 at 05:40
  • session_is($_SESSION) is invalid. It will try to set the session id to whatever is there in $_SESSION - most probably it will be a string with value 'Array'. It is a huge security threat. – mixdev Jun 25 '10 at 23:57
  • 6
    Calling session_id() before session_start() doesn't return anything, even if a POTENTIAL session is available (i.e. even if PHPSESSID is set to something). – nezroy Aug 26 '10 at 16:05
  • 2
    Why this answer has 12 upvotes? It does not work in the sense of question... Sorry, but -1 from me. Write more, describe more, and tell why this should work, and I will cancel my downvote. – Jacek Kowalewski Apr 21 '14 at 06:12
5

You could check if the PHPSESSID cookie is set (the PHPSESSID name may have another name, depending on your server settings, check ini.session.name).

But if all you fear is poluting your session dir, you can adjust session.gc_probability, session.gc_divisor and session.gc_maxlifetime to make them disappear faster.

Arkh
  • 8,416
  • 40
  • 45
  • This seems to be the ticket. Checking if $_REQUEST['PHPSESSID'] is set before calling session_start() allows you to know if a session is "available". – nezroy Aug 26 '10 at 16:03
  • Good answer. If you (the OP) find `$_COOKIE[session_name()]` has a value, you should also verify that a session file exists with name matching that value before calling `session_start()`. What you NEVER want to do is to allow a user to create a new session under a name the user has given you. – Steve Clay May 19 '11 at 15:39
  • Yes, this one is great. I Downvoted the "best" answer, as of course it isn't best ;). This one is. +1 from me. – Jacek Kowalewski Apr 21 '14 at 06:13
3

Here's a function that will do what you ask, which is checking whether a session exists before starting it:

function sessionExists() {
    return (isset($_COOKIE[session_name()]));
}

If you want to test for it in the same request that you created it, you can do this instead:

function sessionExists() {
    return (isset($_SESSION) || isset($_COOKIE[session_name()]));
}
colordrops
  • 83
  • 7