I'm trying to track session data and merge several related services through a common server-side session (using Apache). One condition is that it won't use cookies to store the user data OR the session ID. Another is that the services we're merging use different languages, including PHP and Perl (Apache::Session module) so whatever I use needs to be supported by both of these.
My question - what is the best way to "know" the session id between pages? Posting it in the URL and using $_GET["PHPSESSID"] is one solution, but this seems like a hassle and is also open to attack if someone could "guess" a valid session ID. Or, would it better to avoid transferring session ids altogether and generate unique "names" on each page? What works well for generating the name? I'm thinking something like a hash of their IP plus a private key, but maybe someone knows problems with this or has a better/easier solution.
Also, outside of changing session.use_cookies to false and session.save_path to a PHP- and Perl- happy location, are there any other php.ini or Apache settings I should be changing?
Any comments or thoughts are greatly appreciated!
-- Matt Blasinski (mbv) Internet Infrastructure Applications Technology Division of Information Technology 3121 Computer Science and Statistics 1210 West Dayton Street Madison WI 53706 Work (608) 262-2286 Cell (608) 206-4098
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
