Home » Php » php – View and change sessions variables in a browser

php – View and change sessions variables in a browser

Posted by: admin April 23, 2020 Leave a comment

Questions:

Debugging a PHP program, is there any add-on/plug-in for browser which I can view sessions variables (those PHP $_SESSION[“foobar”] )?

Best if I can change the value in the variables.

How to&Answers:

There is no way to manipulate the values stored in sessions from the client side.

That’s one of the main reasons you’d use a session over a cookie – YOU control the data.
With cookies, the user can manipulate the data.

The only way to access/manipulate session data from the client side would be with an Ajax call or other JavaScript mechanism to call another php script, which would be doing the retrieval/manipulation of the session data via the session_ functions.

Answer:

$_SESSION is a server-side array of variables. If we could read or change the values, there are many things that we could do to hack or cause other bad things to happen.

However, using phpinfo(); we can view session variables – but we cannot change the value.

Even better, we can debug all session variables with

print_r($_SESSION); 
//if you echo "<pre>" before, and a closing "</pre>" after, it prints very cleanly.

some other useful commands:

session_start(); // start session  -- returns Session ID
session_destroy(); // unset all session variable

Session is an array so if you set $_SESSION['key']='value'; it is same like $array['key']=value; – only, what is special about $_SESSION – is that it persists until the window is closed, or session_destroy() is called.

Answer:

You can use this code below:

<?php
error_reporting(E_ALL);
session_start();
if (isset($_POST['session'])) {
    $session = eval("return {$_POST['session']};");
    if (is_array($session)) {
        $_SESSION = $session;
        header("Location: {$_SERVER['PHP_SELF']}?saved");
    }
    else {
        header("Location: {$_SERVER['PHP_SELF']}?error");
    }
}

$session = htmlentities(var_export($_SESSION, true));
?>
<!DOCTYPE html>
<html lang="en-US">
    <head>
        <meta charset="UTF-8">
        <title>Session Variable Management</title>
        <style>
            textarea { font: 12px Consolas, Monaco, monospace; padding: 2px; border: 1px solid #444444; width: 99%; }
            .saved, .error { border: 1px solid #509151; background: #DDF0DD; padding: 2px; }
            .error { border-color: #915050; background: #F0DDDD; }
        </style>
    </head>
    <body>
        <h1>Session Variable Management</h1>
<?php if (isset($_GET['saved'])) { ?>
        <p class="saved">The session was saved successfully.</p>
<?php } else if (isset($_GET['error'])) { ?>
        <p class="error">The session variable did not parse correctly.</p>
<?php } ?>
        <form method="post">
            <textarea name="session" rows="<?php echo count(preg_split("/\n|\r/", $session)); ?>"><?php echo $session; ?></textarea>
            <input type="submit" value="Update Session">
        </form>
    </body>
</html>

Answer:

Be aware however that while the session ‘variables’ are stored server-side, the Session ID is either in the GET/POST URL (a VERY BAD idea) or stored in a browser cookie, (better security), but still susceptible to manipulation/attack/etc if you don’t hand Cookie based session IDs carefully.

http://en.wikipedia.org/wiki/Session_fixation

http://en.wikibooks.org/wiki/PHP_Programming/sessions#Avoiding_Session_Fixation