on 01/06/03 6:01 AM, Monty ([EMAIL PROTECTED]) wrote:

> I have a member site that uses sessions. People who have their browser
> cookies turned off, however, cannot use our site. I read somewhere that to
> avoid this, I'd have to manually append the PHPSESSID var to every URL when
> redirecting in a script.

Actually, the session ID has to appear in every URL... if you compile PHP
with enable-trans-sid, then PHP takes care of this for you in *most* cases.
As you say above, you need to append them manually to things like header()
redirects.

One way around this would be to write a simple wrapper function which does
this for you automatically:

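<?php
// UNTESTED
// Redirect to $location, carrying the session ID in the query string.
function redirectWithSession($location)
    {
    $sid = session_id();
    $sname = session_name();
    // Use '&' if $location already has a query string, '?' otherwise.
    $sep = (strpos($location, '?') === false) ? '?' : '&';
    header("Location: {$location}{$sep}{$sname}={$sid}");
    }
?>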

Then (after testing the above code thoroughly) you just need to do a batch
search and replace on your whole site source for 'header("Location: ' with
'redirectWithSession(', and everything should be cool.... I think.  Please
test all thoroughly :)

Or, just go through your code and patch it up :)


> Is this really the best or only way to avoid this problem? Or, is it simply
> unavoidable? Right now, I tell users that the site will only work with
> browsers that have cookies turned on, but, I'd rather the site was
> accessible to all. However, I also don't like passing session IDs via the
> URL because of the security risk.

There is no difference in the security risk between URL and cookies, if they
are sent in plain text.  SSL is a different story.

You have a choice:  make sure your site can be used without cookies (and
deal with the small effort during development), or be prepared to turn away
users.

I know which I picked :)


Justin


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
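
An added example, not part of the original post: a variant of the redirect wrapper that appends the session ID only when the browser did not return the session cookie, keeps the ID out of redirects to other hosts, and copes with existing query strings and fragments. The helper name `buildSessionUrl` and the sample values are assumptions made for this illustration; site-relative redirect targets are assumed.

```php
<?php
// Added example; buildSessionUrl() is a hypothetical helper, not from the post.

// Return $location with the session ID attached only when it is needed.
function buildSessionUrl($location, $sname, $sid, $hasCookie)
{
    // The browser already returned the session cookie: leave the URL alone.
    if ($hasCookie || $sid === '') {
        return $location;
    }

    // Do not attach the ID to absolute or protocol-relative targets: it would
    // be handed to another host and could end up in that host's logs.
    if (preg_match('#^(?:[a-z][a-z0-9+.\-]*:|[/\\\\]{2})#i', $location)) {
        return $location;
    }

    // Split off a fragment so the parameter lands in the query string.
    $fragment = '';
    $hashPos = strpos($location, '#');
    if ($hashPos !== false) {
        $fragment = substr($location, $hashPos);
        $location = substr($location, 0, $hashPos);
    }

    // Use '&' when a query string is already present, '?' otherwise.
    $sep = (strpos($location, '?') === false) ? '?' : '&';

    return $location . $sep . rawurlencode($sname) . '=' . rawurlencode($sid) . $fragment;
}

function redirectWithSession($location)
{
    $sname = session_name();
    $url = buildSessionUrl($location, $sname, session_id(), isset($_COOKIE[$sname]));
    header('Location: ' . $url);
    exit; // stop here so nothing after the redirect runs
}

// Constructed sample inputs, shown when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = array('members.php', 'list.php?page=2#top', 'http://other.example/');
    foreach ($samples as $s) {
        echo buildSessionUrl($s, 'PHPSESSID', 'abc123', false), "\n";
    }
}
```

With the constructed inputs, the first two targets gain `PHPSESSID=abc123` (after `?` and `&` respectively, before `#top`), and the off-site URL is returned unchanged.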
