PHP :: Request #16349 :: no way to tell if a session exists without starting it

no way to tell if a session exists without starting it

Submitted:

2002-03-29 13:25 UTC

Modified:

2010-12-22 15:00 UTC

Votes:	12
Avg. Score:	4.3 ± 1.1
Reproduced:	12 of 12 (100.0%)
Same Version:	3 (25.0%)
Same OS:	3 (25.0%)

From:

adam at adeptsoftware dot com

Assigned:

Status:

Not a bug

Package:

*General Issues

PHP Version:

4.1.2

OS:

WinXP

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	adam at adeptsoftware dot com
New email:
PHP Version:		OS:

New Comment:

[2002-03-29 13:25 UTC] adam at adeptsoftware dot com

There is no way, that I can see, of knowing if a session exists before starting it.

I am trying to destroy a session, but only if it already exists.  If it doesn't, I basically have to create it then destroy it.  The problem, besides this being lame, is the browser can pop up a box asking the user if they want to accept a session cookie, when I am not even trying to start a session.

It might be better if session_destroy just didn't require the session to be started.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-04-02 16:33 UTC] adam at adeptsoftware dot com

Is anybody looking at these?

Moved from session category due to lack of response

[2002-04-03 08:29 UTC] sniper@php.net

This is still session related. 

Ask on php-general@lists.php.net as this is not bug.
The PHP manual also has lot information about how sessions
are supposed to be used.

[2002-04-03 11:47 UTC] adam at adeptsoftware dot com

This is a bug, or missing essential feature if you prefer.

There is no question to ask, other than why has noone implemented this.

[2002-04-03 11:48 UTC] derick@php.net

If it isn't implemented, there can't be a bug in it. Moving this to a feature request.

Derick

[2002-04-03 11:57 UTC] rasmus@php.net

I don't know, I am pretty good at having bugs even in stuff I haven't implemented yet.

[2002-04-03 12:02 UTC] adam at adeptsoftware dot com

Heh when I think bug I think "flaw", I don't consider basic functionality to be a feature.  Knowing if a session has been created or not without having to create one seems pretty basic to me..

[2002-04-14 16:17 UTC] adam at adeptsoftware dot com

Why is this suspended?

[2002-12-03 15:37 UTC] powerblade at mail dot dk

I had the same problem. I wanted to knew if the session was started or not.
I found out i should do a session_id(); If it returns "null" then it's not
started yet, else it returns the session id.

[2005-10-28 23:21 UTC] david@php.net

powerblade's comment is incorrect, the point of this bug is to determine whether the user has a session without creating a new one if they do not. (session_id always returns a blank string prior to session_start(), regardless of whether an actual session exists).

Example: a site wishes to print "Hello <username>" at the top of every page. Username is stored on a session. The site must therefore resume the session to retrieve this username. But it is pointless to *create* a session just for this purpose. A bunch of useless 0-byte sess_* files are wastefully created.

In Java, one would do request.getSession(false) - the parameter 'start' set to false causes this function to return null if no session already exists.

In PHP, better semantics would be to add a function such as bool session_exists()

This still needs to be addressed.

[2005-10-28 23:30 UTC] jon at fuck dot org

it would be great to be able to get the correct session_id() before starting a session. currently, said function returns null if the session has not started yet, whether or not there is an existing one. the overhead of creating the session is the problem, though, so if doing so is still necessary in order to retrieve the id, then some other means -- i.e., a session_exists() function -- would be sufficient for cutting the overhead when managing ungodly amounts of sessions.

[2006-08-30 07:50 UTC] stefan at stefankoopmanschap dot nl

I have a similar issue. I pass the session ID in XML communication between a desktop application and my server. When a request comes in, I want to ensure that a session with the passed session id exists before I start it. It seems this is not possible at the moment. I am, by the way, using PHP5, not PHP4.

An additional session_exists() feature would be great!

[2009-07-20 09:46 UTC] schung at iboxweb dot com

I agree, a session_exists() is needed.  There is no other good way to 
check whether a session exists.  This is still a needed feature.

[2010-05-04 07:59 UTC] edwardmillen at aol dot com

I've just run into this issue myself (or one of the issues mentioned here anyway, I wanted to only start a session if the user is already logged in, or at the point of logging in with a correct username/password, rather than starting a session for every unauthenticated page request).

I've found one way round it which seems to work for me at least, which is to check whether the session cookie is set, like so:

if(isset($_COOKIE[session_name()])){session_start();}

(the session name, and therefore the name of the cookie, is normally PHPSESSID by default, and the value of that cookie should be the session ID if you need it)

I then used the following code in the login page after successful verification of the username/password, before starting to set session variables:

if(session_id()==''){session_start();}

Obviously this method will only work with cookie-based sessions, I haven't looked into how exactly PHP handles URL-based sessions, but I expect it would just be a matter of checking $_GET as well as $_COOKIE.

Also, this obviously won't help if you need to check whether a given session ID already exists on the server or not, which I think is a slightly different issue.

[2010-05-04 08:43 UTC] edwardmillen at aol dot com

I've just found a potentially exploitable hole which is opened up by not always starting the session (as described in my previous comment), if your server has register_globals turned on.

So just in case, to close the hole and keep things properly secure, the first line of code in my previous comment should be changed to this:

if(isset($_COOKIE[session_name()])){session_start();}else{unset($_SESSION);}

[2010-12-22 15:00 UTC] johannes@php.net

-Status: Open +Status: Bogus -Package: Feature/Change Request +Package: *General Issues

[2010-12-22 15:00 UTC] johannes@php.net

you can check whether the session cookie or url parameter exists

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Nov 29 10:00:01 2025 UTC