 Posted by C. on 05/21/07 16:38 
On 21 May, 09:30, "Bob Bedford" <b...@bedford.com> wrote: 
> Hi, 
> 
> I've this code in my form: 
> <?php 
> ini_set('use_trans_sid',1); 
> session_cache_limiter('private, must-revalidate'); 
> if(!session_is_registered("UID")){ 
>  session_start(); 
>  $UserID = 0; 
>  if (isset($_SESSION["UID"]) and $_SESSION["UID"] != "") 
>   $UserID = $_SESSION["UID"];} 
> 
> if(!($UserID > 0)){ 
>     echo 'error passing UserID'; 
>     exit;} 
> 
> ?> 
> <form name="FormSubmit" method="GET" action="<?php echo 
> $HTTP_SERVER_VARS['PHP_SELF'].'?'.SID; ?>"> 
> 
> In this form I've a select with a javascript function as depending on the 
> first value, I've to load a second select 
> <select NAME="select1" ID="select1" onChange="FormSubmit.submit();"> 
> 
> Now, when I set the confidentiality to "high" or "block all cookies" in IE6, 
> as soon as the form is "submitted" by the value change (onChange), the 
> UserID is empty and I've the error message on the form. 
> 
> What's wrong? The session id should be saved on the server and passed by the 
> ?SID, isn't it? 
> 
> Please help. 
> 
> Bob 
 
 
Bob, 
 
Try viewing the source of the page being generated. 
 
> <form name="FormSubmit" method="GET" action="<?php echo 
> $HTTP_SERVER_VARS['PHP_SELF'].'?'.SID; ?>"> 
 
This is wrong in so many ways: 
1) you're using GET as the method on a URL which already contains GET 
vars 
2) you're using the deprecated long variable names (HTTP_SERVER_VARS) 
3) you're passing unvalidated/unescaped input back to the browser 
4) you should be putting the session in your output 
5) using trans_sids is less secure than cookies - it opens up your 
site to all sorts of attacks 
6) if you're setting the config at runtime, presumably you've not 
checked that it doesn't try to set a cookie - if it does, then the SID 
constant is blank. 
 
I'd also suggest getting rid of session_cache_limiter() and rolling 
your own cache headers. It makes implementing mixed caching policy 
much easier if you only work to one model / API. 
 
Go back and read the manual. 
 
C.
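An added example (written for this page; it is not code from Bob's post or from C.'s reply) of the cookie-only approach C. is pointing at: the session id travels only in a hardened cookie, URL ids are refused outright (so a `?PHPSESSID=...` link cannot fix a victim's session), `PHP_SELF` is never echoed unescaped, and the form action carries no query string, because a `method="get"` submit replaces the action's query string with the form fields anyway. It assumes PHP 7.3 or later (array form of `session_set_cookie_params`) and a site served over HTTPS; the `demo_login` parameter, the user id 42 and the option values are constructed placeholders so the page renders on its own. Note also that Bob's `ini_set('use_trans_sid',1)` names no real directive; the one PHP reads is `session.use_trans_sid`, and it stays at 0 here.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 over HTTPS.
declare(strict_types=1);

function startHardenedSession(): void
{
    // Every setting must be in place before session_start().
    ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links/forms with the id
    ini_set('session.use_strict_mode', '1');  // reject ids this server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie only over HTTPS (assumption: site is HTTPS)
        'httponly' => true,   // not readable from document.cookie
        'samesite' => 'Lax',
    ]);
    session_cache_limiter('');                // no automatic cache headers ...
    header('Cache-Control: private, no-store'); // ... we send our own, one model only
    session_start();
}

// True once the browser has returned our session cookie. False on the first
// request, and permanently false for a client that blocks cookies, which is
// the IE6 "block all cookies" case from Bob's post.
function clientReturnsSessionCookie(): bool
{
    return isset($_COOKIE[session_name()]);
}

// Bind the session to a user at login: fresh id, old id destroyed server-side.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['UID'] = $userId;
}

// 0 means "not logged in".
function currentUserId(): int
{
    return isset($_SESSION['UID']) ? (int) $_SESSION['UID'] : 0;
}

// Escape anything echoed into HTML. PHP_SELF includes user-supplied PATH_INFO,
// so echoing it raw (C.'s point 3) is a reflected XSS.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

startHardenedSession();

// Constructed stand-in for a real login check so the page runs on its own.
if (currentUserId() === 0 && isset($_GET['demo_login'])) {
    loginUser(42);
}

if (currentUserId() === 0) {
    http_response_code(403);
    exit(clientReturnsSessionCookie()
        ? 'not logged in'
        : 'session cookie not received: log in with cookies enabled');
}

$self    = h($_SERVER['SCRIPT_NAME']);   // script path only, no user-controlled suffix
$select1 = h($_GET['select1'] ?? '');
?>
<!-- No ?SID on the action: the id is in the cookie, and with method="get"
     the browser would drop the action's query string on submit anyway. -->
<form name="FormSubmit" method="get" action="<?= $self ?>">
  <select name="select1" id="select1" onchange="this.form.submit()">
    <option value=""></option>
    <option value="a"<?= $select1 === 'a' ? ' selected' : '' ?>>A</option>
    <option value="b"<?= $select1 === 'b' ? ' selected' : '' ?>>B</option>
  </select>
  <?php if ($select1 !== ''): ?>
  <!-- second select, populated from the (escaped) first choice -->
  <select name="select2" id="select2">
    <option value="<?= $select1 ?>-1"><?= $select1 ?>-1</option>
    <option value="<?= $select1 ?>-2"><?= $select1 ?>-2</option>
  </select>
  <?php endif; ?>
</form>
```

To check the fixation defence, request the page with `?PHPSESSID=attacker-chosen` and no cookie: with `use_only_cookies` and `use_strict_mode` on, `session_id()` after `session_start()` is a freshly generated id, not the supplied one. To reproduce Bob's symptom deliberately, block cookies in the browser: the second request then fails with the "session cookie not received" message instead of a silently empty UserID, which is the behaviour C.'s point 6 describes when SID is blank.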
 