|
|
Posted by Pedro Graca on 10/12/06 12:17
Chenky wrote:
[...]
> The URL then changes to ...secure.php?PHPSESSID=94fhq439fqqh9f-qh9-q2h
> or something similar. Obviously, this doesn't happen when clicking a
> link but the use of a login form causes this added variable to the URL.
>
> Any thoughts on avoiding this? Or am i stuck with it if i want to use
> the session variable approach?
As you know, the client and the server must be in synch. That's why you
used the randid before you tried the session approach.
Both the randid and the session id have to be passed from the server to
the client and back.
They can do this in one of three ways:
a) by the URL
b) by cookies
c) by POST in form fields
Option a) works everytime. Of course the URL gets the data appended to
it;
option b) only works if the client has cookies enabled;
and option c) is not available for all pages -- so I'll ignore it from
now on :)
The session management in PHP can be configured for it to always *and*
*only* use cookies, or always *and only* use URL parameters, or try to
use cookies but fallback to URL parameters if cookies fail.
If your server is configured with this last option, the first time the
server starts a session it has to send the session id both in the URL
and in a cookie. When another request is received, if it has a cookie
the URL parameter will be dropped otherwise that's what PHP will use.
To avoid session tracking by URL check your php.ini for
session.use_trans_sid = 0
session.use_cookies = 1
session.use_only_cookies = 1
Reference: http://www.php.net/manual/en/ref.session.php
--
File not found: (R)esume, (R)etry, (R)erun, (R)eturn, (R)eboot
Navigation:
[Reply to this message]
|