[FX.php List] Cookie issue

Andrew Denman adenman at tmea.org
Fri Feb 22 16:44:42 MST 2008


Bob,

If you're going to pass the session ID in the URL, check out these two
session settings. Do note, though, that processing time may take a hit and
they do affect the entire server.

http://us2.php.net/manual/en/ref.session.php#session.configuration
session.use_trans_sid
url_rewriter.tags

And in my ever paranoid state, I'd like to issue a reminder to be aware of
potential security issues with passing the session ID via URL:
http://us2.php.net/manual/en/ref.session.php#session.security

Andrew Denman

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Bob Patin
Sent: Friday, February 22, 2008 5:29 PM
To: FX.php Discussion List
Subject: Re: [FX.php List] Cookie issue

So here's the question then: if I were to pass the session variable in  
all of my links and URLs (which I seriously doubt I'm going to go in  
and do), and they had cookies disabled, the session variable would  
tell my web server which set of session data to retrieve, and all  
would be well?

The downside of this is the logistical nightmare of adding the  
variable to every link on the site, and this particular web app has  
literally dozens of them per page because it shows cars, and each car  
has a link on it to farther into the web app.

But it's a possibility... :)

BP

On Feb 22, 2008, at 12:03 PM, Steve Winter wrote:

> server, and all you're passing in the URL is the session ID...
>
> If you've got a session started, and the user has cookies, when you do a
> print_r($_REQUEST); you'll see the session ID in there... all PHP is doing,
> on the server side is looking for that session ID in the $_REQUEST data...
> it doesn't care if it comes from a cookie, a URL or a form post...
>
> On the page where you first create the session with session_start SID then
> contains the value of the session ID, and can from that point on be used to
> append the session ID to any get or post, at which point all the session
> data, which is on the server, is available...

_______________________________________________
FX.php_List mailing list
FX.php_List at mail.iviking.org
http://www.iviking.org/mailman/listinfo/fx.php_list
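
Added example, not part of the original thread or of FX.php: the two settings named above turned on per script, together with the checks that limit the risk of a session ID leaking or being planted through a URL. It assumes PHP 7.1 to 8.3 (8.4 deprecates URL-carried session IDs); `car.php`, `on_login()` and the `fp` session key are hypothetical names.

```php
<?php
// Added example. car.php, on_login() and the 'fp' key are hypothetical.

// Accept a session ID from the URL for clients that refuse cookies.
ini_set('session.use_cookies', '1');       // still use a cookie when the client allows it
ini_set('session.use_only_cookies', '0');  // permit the ID to arrive as a URL parameter
ini_set('session.use_trans_sid', '1');     // let PHP append the ID to relative links
// Refuse IDs the server never issued, so a crafted link cannot fix the session ID.
ini_set('session.use_strict_mode', '1');
// PHP 7.1+ reads the tags to rewrite from session.trans_sid_tags;
// earlier versions use url_rewriter.tags, the setting named in the thread.
ini_set('session.trans_sid_tags', 'a=href,area=href,frame=src,form=');

// Keep the URL, and the ID inside it, out of Referer headers sent to other sites.
header('Referrer-Policy: no-referrer');

session_start();

// Tie the session to the first client that used it. A link pasted into a
// different browser fails this check. User-Agent is a weak signal on its own.
$fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
if (!isset($_SESSION['fp'])) {
    $_SESSION['fp'] = $fingerprint;
} elseif (!hash_equals($_SESSION['fp'], $fingerprint)) {
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session rejected');
}

// Hypothetical login step: issue a fresh ID whenever privileges change,
// so an ID seen in a URL before login is useless afterwards.
function on_login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// Relative link: PHP rewrites it automatically when no session cookie came back.
echo '<a href="car.php?id=42">View car</a>';

// Manual form described in the thread: SID is "name=id", or empty when a cookie is in use.
echo '<a href="car.php?id=43&amp;' . htmlspecialchars(SID) . '">View car</a>';
```

With `session.use_trans_sid` on, the dozens of relative links per page need no manual edits; only absolute URLs and links built in JavaScript would still need `SID` appended by hand.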