In PHP, why are my session variables persisted as references?

Question

Here\'s the code. It\'s a simple operation to check that a session ID isn\'t being spoofed by verifying the IP address:

session_start();
$session_ip_address = $_         


        

Answer 1

If I have:

<?php

$x = 'blah';
$_SESSION['blah'] = $x;

var_dump($_SESSION);

I get:

array(1) {
  ["blah"]=>
  string(4) "blah"
}

No references in sight. PHP 5.3.2 on Ubuntu 10.04.1

Answer 2

The only time your session variables are going to be references, is when you reference a session variable to another session variable (or if the original reference is still in scope).

Per example:

session_start();
$x = 'foo';
$_SESSION['x'] = &$x;

This will give you:

array(1) {
  ["x"]=>
  string(3) "foo"
}

While this:

$x = 'foo';
$_SESSION['x'] = $x;
$_SESSION['y'] = &$_SESSION['x']; // reference to another $_SESSION var

Or this:

session_start();
$x = 'foo';
$_SESSION['x'] = $x;
$_SESSION['y'] = &$x;
var_dump($_SESSION); // reference still in scope

Would give you:

array(2) {
  ["x"]=>
  string(3) "foo"
  ["y"]=>
  &string(3) "foo"
}

Either way, doing this:

session_start();
$y = $_SESSION['y'];
$y = 'bar';

Will not modify the y session variable. In order to do that, you'd have to do:

session_start();
$y = &$_SESSION['y'];
$y = 'bar';

Answer 3

One of my customers had a very similar problem.

Make sure your PHP configuration (PHP.ini) has register_globals Off otherwise regular variables overwrite superglobals including PHP sessions.

Answer 4

it does assign by value, the reference & next to $_SESSION has nothing to do with your expression $_SESSION['x'] = $x;