[FX.php List] Do session always work?

Andrew Denman adenman at tmea.org
Mon Oct 30 08:49:55 MST 2006


There are two settings in your php.ini file that affect session handling via
cookies.  From the page Erik linked to
(http://dk2.php.net/manual/en/ref.session.php):

--------
session.use_cookies boolean
session.use_cookies specifies whether the module will use cookies to store
the session id on the client side. Defaults to 1 (enabled). 

session.use_only_cookies boolean
session.use_only_cookies specifies whether the module will only use cookies
to store the session id on the client side. Enabling this setting prevents
attacks involved passing session ids in URLs. This setting was added in PHP
4.3.0. Defaults to 1 (enabled).
--------

If the second setting is enabled, PHP will not pass the session ID through
the URL, which is the alternate session handling the others are referring
to.

If you are using sessions I highly recommend reading the page linked to
above, especially the security issues.  Just a small snippet:

--------
Assess the importance of the data carried by your sessions and deploy
additional protections -- this usually comes at a price, reduced convenience
for the user. For example, if you want to protect users from simple social
engineering tactics, you need to enable session.use_only_cookies. In that
case, cookies must be enabled unconditionally on the user side, or sessions
will not work.
--------

Andrew Denman
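
Added example, not code from Andrew's post or from FX.php: the weak and the hardened session settings side by side, and a small bootstrap that enforces the hardened set at runtime before session_start(). The directive names are real php.ini directives; the function name secure_session_start and the 'initiated' session key are this example's own choices.

```php
<?php
// Added example, not from the FX.php list post: the weak and the hardened
// session settings side by side, and a bootstrap that enforces the hardened
// set before session_start(). Directive names are real php.ini directives;
// the function name and the 'initiated' key are this example's own choices.

// Weak (relies on the URL fallback the thread describes):
//   session.use_cookies      = 1
//   session.use_only_cookies = 0   ; also accept ?PHPSESSID=... from the URL
//   session.use_trans_sid    = 1   ; rewrite links and forms to carry the id
//
// Hardened (cookie only; a session id in the URL is ignored):
//   session.use_cookies      = 1
//   session.use_only_cookies = 1
//   session.use_trans_sid    = 0
//   session.cookie_httponly  = 1   ; not readable from JavaScript (PHP 5.2+)
//   session.cookie_secure    = 1   ; sent over HTTPS only

function secure_session_start(bool $https): void
{
    // Same values as the hardened php.ini block, applied at runtime so a
    // page cannot be left running with the server default by accident.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', $https ? '1' : '0');

    // With use_only_cookies=1 PHP already ignores an id in GET/POST. Rejecting
    // such requests outright also shuts the "social engineering" case the manual
    // mentions: a link that primes the victim's browser with an attacker-chosen id.
    $name = session_name();
    if (isset($_GET[$name]) || isset($_POST[$name])) {
        header('HTTP/1.1 400 Bad Request');
        exit('The session id must travel in a cookie, not in the URL or form body.');
    }

    session_start();

    // Issue a fresh id the first time this session is seen (and call
    // session_regenerate_id(true) again after login), so an id that leaked
    // before login, e.g. via a Referer header, is worthless afterwards.
    if (!isset($_SESSION['initiated'])) {
        session_regenerate_id(true);   // true: discard the old session data
        $_SESSION['initiated'] = true;
    }
}

// Usage at the top of every page:
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
secure_session_start($https);
```

The price is the one the manual quote names: with session.use_only_cookies set and session.use_trans_sid off, PHP never rewrites links or forms to carry the id, so a browser with cookies disabled gets a new, empty session on every request rather than a working one.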

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Jonathan Schwartz
Sent: Sunday, October 29, 2006 11:06 PM
To: FX.php Discussion List
Subject: Re: [FX.php List] Do session always work?

Did a quick test.  I turned off cookies on my own browser and got the 
same results reported from others.

Then, I quickly switched from POST to GET (without any other changes) 
in the first couple of pages and it seemed to work as advertised. 
Need to take a closer look to be sure.

That being said, how do you implement this?  With two complete sets 
of pages: one with POST and one with GET and a test to determine 
which to use?   Or... if statements within a single set of pages to 
execute GET or POST, depending on a browser test?

Or...simply use a browser test and then request/require users to turn 
on cookies to proceed, and use a single pure set of pages that 
require session cookies?

Jonathan


At 1:08 PM +1100 10/30/06, Kevin Futter wrote:
>On 30/10/06 12:41 PM, "Jonathan Schwartz" <jonathan at eschwartz.com> wrote:
>
>>  Steve...Do you mean that there is no problem as long as code is
>>  included to test for cookies being turned off in the browser and
>>  implementing the URL using GET (that Erik and Kevin
>>  suggested)..or...that they work without doing so?
>
>...
>
>Jonathan - the idea is that PHP handles all that seamlessly in the
>background. It attempts to send a cookie to the client, and if that fails,
>it reverts to appending the session ID to each URL being managed by the
>session. All you have to do is instantiate each session appropriately at the
>top of the page. PHP does the rest - it's like magic!
>
>--
>Kevin Futter
>Webmaster, St. Bernard's College
>http://www.sbc.melb.catholic.edu.au/
>
>
>
>
>
>


-- 

Jonathan Schwartz
FileMaker 8 Certified  Developer
Associate Member, FileMaker Solutions Alliance
Schwartz & Company
jonathan at eschwartz.com
http://www.eschwartz.com
http://www.exit445.com
415-381-1852
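
Jonathan's third option (a browser test, then require cookies, with one set of pages that use cookie-only sessions) as an added example; this is not code from the thread or from FX.php. The probe cookie name, the query-string marker and the function browser_accepts_cookies are this example's own choices, and the type declarations assume PHP 7 or later.

```php
<?php
// Added example, not from the FX.php list post: a one-time browser test
// followed by a hard requirement for cookies, so a single set of pages can
// run with cookie-only sessions and no GET fallback. The cookie name, the
// query-string marker and the function name are this example's own choices.

const COOKIE_PROBE_NAME = 'cookie_probe';
const COOKIE_PROBE_FLAG = 'cookie_probe_done';   // marks the second request

/**
 * First visit: set a harmless probe cookie, redirect to the same URL with the
 * marker appended, and do not return. Second visit: true if the browser sent
 * the cookie back, false if it did not.
 */
function browser_accepts_cookies(): bool
{
    if (isset($_COOKIE[COOKIE_PROBE_NAME])) {
        return true;                 // the cookie came back: cookies are on
    }
    if (isset($_GET[COOKIE_PROBE_FLAG])) {
        return false;                // set one request ago, never returned
    }

    // The marker stops this from looping when cookies are off.
    // setcookie(name, value, expires, path, domain, secure, httponly)
    setcookie(COOKIE_PROBE_NAME, '1', 0, '/', '', false, true);
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    $sep = (strpos($uri, '?') === false) ? '?' : '&';
    header('Cache-Control: no-store');   // the redirect must not be cached
    header('Location: ' . $uri . $sep . COOKIE_PROBE_FLAG . '=1');
    exit;
}

// Usage at the top of every page that needs a session:
if (!browser_accepts_cookies()) {
    header('HTTP/1.1 403 Forbidden');
    exit('Cookies must be enabled for this site: the session id is sent only in a cookie.');
}
ini_set('session.use_only_cookies', '1');   // never fall back to ?PHPSESSID=
ini_set('session.use_trans_sid', '0');      // never write the id into links/forms
session_start();
```

The probe costs one redirect per browser, since the probe cookie is returned on every later request. Two caveats a practitioner should keep in mind: the check only proves that first-party cookies are accepted at that moment, so a user who disables cookies mid-session simply gets a fresh empty session on the next request (which surfaces as "logged out"), and the redirect target is built from REQUEST_URI, which PHP's header() rejects if it contains a newline, so it cannot be used to inject extra response headers.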

_______________________________________________
FX.php_List mailing list
FX.php_List at mail.iviking.org
http://www.iviking.org/mailman/listinfo/fx.php_list


