Posted by shimmyshack on 04/27/07 10:20

On Apr 27, 8:09 am, Willem Bogaerts
<w.bogae...@kratz.maardanzonderditstuk.nl> wrote:
> > The INI setting session.use_cookies can be used to disable the use of
> > cookies for storing the session id remotely, and then I guess PHP will
> > just rely on the IP address and (probably) User-Agent header. In this
> > case, it may use the same session id for two computers under the same
> > router.
>
> It won't. Instead, PHP will rewrite your HTML output to inject the
> session parameter in your forms, URLs, etc. So when you switch off
> cookie-based session ID communication, PHP will try to use GET or POST.


this only happens if
session.use_trans_sid = 1
which it should not be (for security reasons)
allowing the rewriter to be active is a real issue, so for earlier
versions of php, yes this will come into play and various parts of the
html might be altered, but for later php versions, this doesnt happen,
which is much safer!


>
> Best regards,
> --
> Willem Bogaerts
>
> Application smith
> Kratz B.V.http://www.kratz.nl/

[Back to original message]