on 01/06/03 6:01 AM, Monty ([EMAIL PROTECTED]) wrote:

> I have a member site that uses sessions. People who have their browser
> cookies turned off, however, cannot use our site. I read somewhere that to
> avoid this, I'd have to manually append the PHPSESSID var to every URL when
> redirecting in a script.

Actually, the session ID has to appear in every URL... if you compile PHP
with enable-trans-sid, then PHP takes care of this for you in *most* cases.

As you say above, you need to append them manually to things like header()
redirects. One way around this would be to write a simple wrapper function
which does this for you automatically:

<?php
// UNTESTED
function redirectWithSession($location)
{
    $sid = session_id();
    $sname = session_name();
    // Use "&" when the target already has a query string, "?" otherwise
    $sep = (strpos($location, '?') === false) ? '?' : '&';
    header("Location: {$location}{$sep}{$sname}={$sid}");
}
?>

Then (after testing the above code thoroughly) you just need to do a batch
search and replace on your whole site source for 'header("Location: ' with
'redirectWithSession(', and everything should be cool.... I think.

Please test all thoroughly :)

Or, just go through your code and patch it up :)

> Is this really the best or only way to avoid this problem? Or, is it simply
> unavoidable? Right now, I tell users that the site will only work with
> browsers that have cookies turned on, but, I'd rather the site was
> accessible to all. However, I also don't like passing session IDs via the
> URL because of the security risk.

There is no difference in the security risk between URL and cookies, if they
are sent in plain text. SSL is a different story.

You have a choice: make sure your site can be used without cookies (and deal
with the small effort during development), or be prepared to turn away
users.

I know which I picked :)

Justin
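
An added example, not part of the message above: a redirect helper along the same lines that keeps any #fragment at the end of the URL, skips the rewrite when the browser already sent the session cookie, and never appends the session ID to a URL on another host, where it would be disclosed to that site. The names urlWithSession() and $ownHost are assumptions made for this illustration.

```php
<?php
// Added example, not from the original message. urlWithSession() and
// $ownHost (this site's host name) are hypothetical names.
function urlWithSession($location, $ownHost)
{
    $sname = session_name();
    $sid   = session_id();

    // Nothing to add: no active session, or the browser sent the cookie.
    if ($sid === '' || isset($_COOKIE[$sname])) {
        return $location;
    }

    // Only relative URLs and URLs on our own host may carry the session ID.
    $parts = parse_url($location);
    if ($parts === false) {
        return $location;
    }
    if (isset($parts['host'])) {
        if (strcasecmp($parts['host'], $ownHost) !== 0) {
            return $location;
        }
    } elseif (isset($parts['scheme'])) {
        return $location; // e.g. mailto: has no host to compare
    }

    // Split off the fragment so the parameter lands before the "#".
    $fragment = '';
    $hashPos  = strpos($location, '#');
    if ($hashPos !== false) {
        $fragment = substr($location, $hashPos);
        $location = substr($location, 0, $hashPos);
    }

    // "&" if a query string is already present, "?" otherwise.
    $sep = (strpos($location, '?') === false) ? '?' : '&';

    return $location . $sep . rawurlencode($sname) . '=' . rawurlencode($sid) . $fragment;
}

function redirectWithSession($location, $ownHost)
{
    header('Location: ' . urlWithSession($location, $ownHost));
    exit; // stop the script so nothing runs after the redirect
}
```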