When the first session namespace is requested, Zend_Session will automatically start the PHP session, unless already started with Zend_Session::start(). The underlying PHP session will use defaults from Zend_Session, unless modified first by Zend_Session::setOptions().

To set a session configuration option, include the basename (the part of the name after "session.") as a key of an array passed to Zend_Session::setOptions(). The corresponding value in the array is used to set the session option value. If no options are set by the developer, Zend_Session will utilize recommended default options first, then the default php.ini settings. Community feedback about best practices for these options should be sent to » [email protected].

Most options shown above need no explanation beyond that found in the standard PHP documentation, but those of particular interest are noted below.

• boolean strict - disables automatic starting of Zend_Session when using new Zend_Session_Namespace().

• integer remember_me_seconds - how long should session id cookie persist, after user agent has ended (e.g., browser application terminated).

• string save_path - The correct value is system dependent, and should be provided by the developer using an absolute path to a directory readable and writable by the PHP process. If a writable path is not supplied, then Zend_Session will throw an exception when started (i.e., when start() is called).

  Note: Security Risk
  If the path is readable by other applications, then session hijacking might be possible. if the path is writable by other applications, then » session poisoning might be possible. If this path is shared with other users or other PHP applications, various security issues might occur, including theft of session content, hijacking of sessions, and collision of garbage collection (e.g., another user's application might cause PHP to delete your application's session files).
  For example, an attacker can visit the victim's website to obtain a session cookie. Then, he edits the cookie path to his own domain on the same server, before visiting his own website to execute var_dump($_SESSION). Armed with detailed knowledge of the victim's use of data in their sessions, the attacker can then modify the session state (poisoning the session), alter the cookie path back to the victim's website, and then make requests from the victim's website using the poisoned session. Even if two applications on the same server do not have read/write access to the other application's save_path, if the save_path is guessable, and the attacker has control over one of these two websites, the attacker could alter their website's save_path to use the other's save_path, and thus accomplish session poisoning, under some common configurations of PHP. Thus, the value for save_path should not be made public knowledge and should be altered to a secure location unique to each application.
  

• string name - The correct value is system dependent and should be provided by the developer using a value unique to the application.

  Note: Security Risk
  If the php.ini setting for session.name is the same (e.g., the default "PHPSESSID"), and there are two or more PHP applications accessible through the same domain name then they will share the same session data for visitors to both websites. Additionally, possible corruption of session data may result.
  

• boolean use_only_cookies - In order to avoid introducing additional security risks, do not alter the default value of this option.

  Note: Security Risk
  If this setting is not enabled, an attacker can easily fix victim's session ids, using links on the attacker's website, such as http://www.example.com/index.php?PHPSESSID=fixed_session_id. The fixation works, if the victim does not already have a session id cookie for example.com. Once a victim is using a known session id, the attacker can then attempt to hijack the session by pretending to be the victim, and emulating the victim's user agent.
  

If you see the error message, "Cannot modify header information - headers already sent", or, "You must call ... before any output has been sent to the browser; output started in ...", then carefully examine the immediate cause (function or method) associated with the message. Any actions that require sending HTTP headers, such as sending a cookie, must be done before sending normal output (unbuffered output), except when using PHP's output buffering.

• Using » output buffering often is sufficient to prevent this issue, and may help improve performance. For example, in php.ini, "output_buffering = 65535" enables output buffering with a 64K buffer. Even though output buffering might be a good tactic on production servers to increase performance, relying only on buffering to resolve the "headers already sent" problem is not sufficient. The application must not exceed the buffer size, or the problem will occur whenever the output sent (prior to the HTTP headers) exceeds the buffer size.

• If a Zend_Session method is involved in causing the error message, examine the method carefully, and make sure its use really is needed in the application. For example, the default usage of destroy() also sends an HTTP header to expire the client-side session cookie. If this is not needed, then use destroy(false), since the instructions to set cookies are sent with HTTP headers.

• Alternatively, try rearranging the application logic so that all actions manipulating headers are performed prior to sending any output whatsoever.

• Remove any closing "?>" tags, if they occur at the end of a PHP source file. They are not needed, and newlines and other nearly invisible whitespace following the closing tag can trigger output to the client.

Introduction: Best practice in relation to using sessions with Zend Framework calls for using a browser cookie (i.e. a normal cookie stored in your web browser), instead of embedding a unique session identifier in URLs as a means to track individual users. By default this component uses only cookies to maintain session identifiers. The cookie's value is the unique identifier of your browser's session. PHP's ext/session uses this identifier to maintain a unique one-to-one relationship between website visitors, and persistent session data storage unique to each visitor. Zend_Session* wraps this storage mechanism ($_SESSION) with an object-oriented interface. Unfortunately, if an attacker gains access to the value of the cookie (the session id), an attacker might be able to hijack a visitor's session. This problem is not unique to PHP, or Zend Framework. The regenerateId() method allows an application to change the session id (stored in the visitor's cookie) to a new, random, unpredictable value. Note: Although not the same, to make this section easier to read, we use the terms "user agent" and "web browser" interchangeably.

Why?: If an attacker obtains a valid session identifier, an attacker might be able to impersonate a valid user (the victim), and then obtain access to confidential information or otherwise manipulate the victim's data managed by your application. Changing session ids helps protect against session hijacking. If the session id is changed, and an attacker does not know the new value, the attacker can not use the new session id in their attempts to hijack the visitor's session. Even if an attacker gains access to an old session id, regenerateId() also moves the session data from the old session id "handle" to the new one, so no data remains accessible via the old session id.

When to use regenerateId(): Adding Zend_Session::regenerateId() to your Zend Framework bootstrap yields one of the safest and most secure ways to regenerate session id's in user agent cookies. If there is no conditional logic to determine when to regenerate the session id, then there are no flaws in that logic. Although regenerating on every request prevents several possible avenues of attack, not everyone wants the associated small performance and bandwidth cost. Thus, applications commonly try to dynamically determine situations of greater risk, and only regenerate the session ids in those situations. Whenever a website visitor's session's privileges are "escalated" (e.g. a visitor re-authenticates their identity before editing their personal "profile"), or whenever a security "sensitive" session parameter change occurs, consider using regenerateId() to create a new session id. If you call the rememberMe() function, then don't use regenerateId(), since the former calls the latter. If a user has successfully logged into your website, use rememberMe() instead of regenerateId().

Ordinarily, sessions end when the user agent terminates, such as when an end user exits a web browser program. However, your application may provide the ability to extend user sessions beyond the lifetime of the client program through the use of persistent cookies. Use Zend_Session::rememberMe() before a session is started to control the length of time before a persisted session cookie expires. If you do not specify a number of seconds, then the session cookie lifetime defaults to remember_me_seconds, which may be set using Zend_Session::setOptions(). To help thwart session fixation/hijacking, use this function when a user successfully authenticates with your application (e.g., from a "login" form).

This function complements rememberMe() by writing a session cookie that has a lifetime ending when the user agent terminates.

Use this method to determine if a session already exists for the current user agent/request. It may be used before starting a session, and independently of all other Zend_Session and Zend_Session_Namespace methods.

Zend_Session::destroy() destroys all of the persistent data associated with the current session. However, no variables in PHP are affected, so your namespaced sessions (instances of Zend_Session_Namespace) remain readable. To complete a "logout", set the optional parameter to TRUE (the default) to also delete the user agent's session id cookie. The optional $readonly parameter removes the ability to create new Zend_Session_Namespace instances and for Zend_Session methods to write to the session data store.

If you see the error message, "Cannot modify header information - headers already sent", then either avoid using TRUE as the value for the first argument (requesting removal of the session cookie), or see this section. Thus, Zend_Session::destroy(true) must either be called before PHP has sent HTTP headers, or output buffering must be enabled. Also, the total output sent must not exceed the set buffer size, in order to prevent triggering sending the output before the call to destroy().

Note: Throws
By default, $readonly is enabled and further actions involving writing to the session data store will throw an exception.

This method does absolutely nothing more than toggle a flag in Zend_Session to prevent further writing to the session data store. We are specifically requesting feedback on this feature. Potential uses/abuses might include temporarily disabling the use of Zend_Session_Namespace instances or Zend_Session methods to write to the session data store, while execution is transferred to view- related code. Attempts to perform actions involving writes via these instances or methods will throw an exception.

Shutdown the session, close writing and detach $_SESSION from the back-end storage mechanism. This will complete the internal data transformation on this request. The optional $readonly boolean parameter can remove write access by throwing an exception upon any attempt to write to the session via Zend_Session or Zend_Session_Namespace.

Note: Throws
By default, $readonly is enabled and further actions involving writing to the session data store will throw an exception. However, some legacy application might expect $_SESSION to remain writable after ending the session via session_write_close(). Although not considered "best practice", the $readonly option is available for those who need it.

This method sends an expired session id cookie, causing the client to delete the session cookie. Sometimes this technique is used to perform a client-side logout.

Most developers will find the default save handler sufficient. This method provides an object-oriented wrapper for » session_set_save_handler().

Use this method to determine if a session namespace exists, or if a particular index exists in a particular namespace.

Note: Throws
An exception will be thrown if Zend_Session is not marked as readable (e.g., before Zend_Session has been started).

Use Zend_Session::namespaceUnset($namespace) to efficiently remove an entire namespace and its contents. As with all arrays in PHP, if a variable containing an array is unset, and the array contains other objects, those objects will remain available, if they were also stored by reference in other array/objects that remain accessible via other variables. So namespaceUnset() does not perform a "deep" unsetting/deleting of the contents of the entries in the namespace. For a more detailed explanation, please see » References Explained in the PHP manual.

Note: Throws
An exception will be thrown if the namespace is not writable (e.g., after destroy()).

DEPRECATED: Use getIterator() in Zend_Session_Namespace. This method returns an array of the contents of $namespace. If you have logical reasons to keep this method publicly accessible, please provide feedback to the » [email protected] mail list. Actually, all participation on any relevant topic is welcome :)

Note: Throws
An exception will be thrown if Zend_Session is not marked as readable (e.g., before Zend_Session has been started).

Use getIterator() to obtain an array containing the names of all namespaces.

Note: Throws
An exception will be thrown if Zend_Session is not marked as readable (e.g., before Zend_Session has been started).