Sessions on Zephir
Zephir handles sessions differently from most servers.
On most servers, sessions are set up automatically when the developer calls "session_start()". Due to increased security on Zephir, and the way that PHP was set up there, we need to go through some special handling on all pages that work with sessions.
We will create a special directory, outside of our normal "public_html" directory, in order to store session data. This directory will sit beside the public_html directory, where no one from the web can access data.
Once that directory is set up, every page that works with sessions will reference the location of this directory to store session data.
Below are the step-by-step instructions to set up this directory, give it the proper permissions, and enable us to use sessions on Zephir.
Security Note: While we are doing this on Zephir because it is required, it would be a good idea to mimic this process on any shared host, as all session data is stored in a 'group' location unless we specify otherwise. Therefore, if another site on your server is hacked, your customers' session data can be exposed.
1) Log in to Zephir via WinSCP.
2) After logging in, DO NOT open your public_html directory. We need to create a NEW directory, outside of our public_html directory (on the same level with it). This is because we don't want a web user to be able to "browse" the contents of this folder.
3) Create a new directory, named "sessions", at the root of your server space (outside the public_html directory), by selecting F7 (create directory). You want to make sure that no one but you has any permission for your new directory.
4) Right click on your "sessions" directory and select PROPERTIES. Then in the "Octal" field, type "0700". This will change the permissions to read/write/execute access for the owner (you) of the folder only. Check the box that says "set permissions recursively".
5) Shut down WinSCP. Add the following line of code to any file that needs to access session data:
ini_set('session.save_path','/home/classes/horsey01/sessions');
Change "horsey01" to your username. This line of code indicates where PHP is required to store session data. Without it (and without permissions set properly there) sessions will not work on Zephir.
6) To test your sessions, a simple page can be created:
<?php
ini_set('session.save_path','/home/classes/horsey01/sessions');
session_start(); //must be declared before using any session data
$_SESSION['test'] = "If you can read this, sessions are working!"; //create test session
print $_SESSION['test'] . "<br>";
print "Session ID is: ". session_id()."<br>";
?>
This page should show you "If you can read this, sessions are working!", and then an odd combination of letters and numbers, such as:
Session ID is: le3fsm17ufechv3kdpd987q1v1
This is the unique ID number created for this particular user session.
Later we'll add a reference to the session path to a configuration include file that will allow us to tailor our settings to the current hosting environment.
Remember both the session.save_path and session_start() references must be included in your code before you attempt to use a session variable.
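The conditions set up in steps 2 through 4 (directory outside public_html, mode 0700, owned by you) can be verified by the page itself before it starts a session. The following is an added example, not part of the original instructions: check_session_dir() is a hypothetical helper, the path reuses the "horsey01" placeholder from above, and it assumes PHP runs under your own account.

```php
<?php
// Added example, not from the original page. SESSION_DIR and the function
// name are assumptions; change "horsey01" to your own username.
const SESSION_DIR = '/home/classes/horsey01/sessions';

/**
 * Return a list of problems with a session directory (empty list = OK).
 * $docRoot is the web root, normally $_SERVER['DOCUMENT_ROOT'].
 */
function check_session_dir(string $dir, string $docRoot): array
{
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        return ["$dir does not exist or is not a directory"];
    }
    $problems = [];
    // The directory must sit beside public_html, never inside it.
    // realpath('') would resolve to the current directory, so skip an empty root.
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($root !== false && strpos($real . '/', rtrim($root, '/') . '/') === 0) {
        $problems[] = "$real is inside the web root $root";
    }
    // Only the owner may read, write or enter: permission bits must be 0700.
    $mode = fileperms($real) & 0777;
    if ($mode !== 0700) {
        $problems[] = sprintf('%s has mode %04o, expected 0700', $real, $mode);
    }
    // The owner should be the account PHP runs as (needs the posix extension).
    if (function_exists('posix_geteuid') && fileowner($real) !== posix_geteuid()) {
        $problems[] = "$real is not owned by the user PHP runs as";
    }
    return $problems;
}

$problems = check_session_dir(SESSION_DIR, $_SERVER['DOCUMENT_ROOT'] ?? '');
if ($problems) {
    // Keep the details in the server log; do not show paths to the visitor.
    error_log('Session directory check failed: ' . implode('; ', $problems));
    http_response_code(500);
    exit('Sessions are not available.');
}
ini_set('session.save_path', SESSION_DIR); // must come before session_start()
session_start();
```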