Reply to Re: PHP Session Variables


Posted by bob.chatman@gmail.com on 10/14/06 17:31

Another thing to keep in mind is that if there aren't cookies to use,
and you haven't changed your PHP options, the URL will almost always be
used. It is insecure, it is a trouble zone, in that it's in the URL. The
back button won't work, and it can be changed so you have to take care
of session management.

There are a few really good tutorials that would probably help you out
if you are up for the reading.

http://www.zend.com/zend/tut/session.php
http://www.zend.com/tips/tips.php?id=238&single=1
http://devzone.zend.com/search/results?q=session
http://us3.php.net/manual/en/ref.session.php

Bob

Pedro Graca wrote:
> Chenky wrote:
> [...]
> > The URL then changes to ...secure.php?PHPSESSID=94fhq439fqqh9f-qh9-q2h
> > or something similar. Obviously, this doesn't happen when clicking a
> > link but the use of a login form causes this added variable to the URL.
> >
> > Any thoughts on avoiding this? Or am i stuck with it if i want to use
> > the session variable approach?
>
> As you know, the client and the server must be in synch. That's why you
> used the randid before you tried the session approach.
>
> Both the randid and the session id have to be passed from the server to
> the client and back.
>
> They can do this in one of three ways:
> a) by the URL
> b) by cookies
> c) by POST in form fields
>
> Option a) works every time. Of course the URL gets the data appended to
> it;
> option b) only works if the client has cookies enabled;
> and option c) is not available for all pages -- so I'll ignore it from
> now on :)
>
> The session management in PHP can be configured for it to always *and*
> *only* use cookies, or always *and only* use URL parameters, or try to
> use cookies but fall back to URL parameters if cookies fail.
>
> If your server is configured with this last option, the first time the
> server starts a session it has to send the session id both in the URL
> and in a cookie. When another request is received, if it has a cookie
> the URL parameter will be dropped otherwise that's what PHP will use.
>
> To avoid session tracking by URL check your php.ini for
> session.use_trans_sid = 0
> session.use_cookies = 1
> session.use_only_cookies = 1
>
>
> Reference: http://www.php.net/manual/en/ref.session.php
>
> --
> File not found: (R)esume, (R)etry, (R)erun, (R)eturn, (R)eboot
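
The three php.ini directives quoted above can also be applied and verified at runtime, before the session starts. This is an added example, not code from either poster; the function names `session_transport_problems()` and `start_cookie_only_session()` are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the thread): refuse to start a session unless
// PHP is tracking it by cookie only, as in the php.ini lines quoted above.

/** Hypothetical helper: lists directives that differ from cookie-only mode. */
function session_transport_problems(): array
{
    $wanted = [
        'session.use_trans_sid'    => false, // do not append the id to URLs
        'session.use_cookies'      => true,  // carry the id in a cookie
        'session.use_only_cookies' => true,  // do not accept an id from the URL
    ];
    $problems = [];
    foreach ($wanted as $name => $expected) {
        // ini_get() returns strings such as "1", "0", "On", "Off" or "".
        $actual = filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
        if ($actual !== $expected) {
            $problems[] = sprintf('%s should be %d', $name, $expected);
        }
    }
    return $problems;
}

/** Hypothetical helper: call once, before any output, instead of session_start(). */
function start_cookie_only_session(): void
{
    // Set the values at runtime in case php.ini cannot be edited.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');

    // Verify the effective values; ini_set() can fail (for example after
    // output has been sent), so do not assume the calls above took effect.
    $problems = session_transport_problems();
    if ($problems !== []) {
        error_log('Session not started: ' . implode('; ', $problems));
        http_response_code(500);
        exit;
    }

    // An id arriving in the query string (e.g. ?PHPSESSID=...) is not used
    // in cookie-only mode; log it so old links or tampering are visible.
    if (isset($_GET[session_name()])) {
        error_log('Session id supplied in URL was ignored');
    }

    session_start();
}
```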
