On 11 December 2003 16:54, Peter Walter wrote:

> Jason,
>
> Thanks for your help. It is a little clearer to me now. However, I have
> visited php sites that *claim* to be using session management but where
> the links do not have the session id appended, and there are no
> variables being passed in the url for links. The url is always in the
> form "www.somesite.com/index.php" or just "www.somesite.com". In these
> cases, how is the url rewriting being suppressed for the links on the
> page? I simply want to understand the technique.

If "url rewriting" (session.use_trans_sid) is enabled, and your browser is
accepting cookies, then the sequence of events goes like this:

1. First request to your site -- browser has no cookie set, so cannot send
it.

2. PHP responds with a page, including a header to set the PHPSESSID cookie;
because, at this stage, PHP has no idea whether your browser will accept
cookies, it also rewrites all URLs contained in the page to include a
PHPSESSID= parameter.

3. Your browser displays the page, and sets the cookie.

4. You click a link to get the next page -- in addition to sending a request
for the URL containing the PHPSESSID= parameter, your browser also sends the
newly-set PHPSESSID cookie.

5. PHP responds with the new page, but, because it has received the
PHPSESSID cookie in the previous step it now knows your browser is accepting
cookies and does not bother to do any URL rewriting.

6. None of the URLs in the new page have the PHPSESSID= parameter appended
-- transmission of the session id is now solely via the PHPSESSID cookie.

Various things can influence this behaviour:

- If your browser is not accepting cookies, URL rewriting will always occur
and you will continue to see PHPSESSID= parameters appended.

- If session.use_trans_sid is not set, PHP will do no URL rewriting but will
attempt to use cookies (if enabled) -- if your browser doesn't accept
cookies, sessions will fail to work (unless you manually append PHPSESSID=
parameters where needed -- the SID built-in constant is provided for this).

- If session.use_cookies is not set, PHP will not even attempt to use a
cookie for the session id.

- If session.use_only_cookies is set, PHP will use *only* cookies to store
the session id -- again, if your browser is not accepting cookies, sessions
will not work.

As you can see, there are many ways of setting this up, with a few subtle
nuances -- and some of the combinations don't actually make much sense
(use_trans_sid=1 and use_only_cookies=1, for instance).  Note that you *can*
set it up so that PHP does no automatic PHPSESSID setting at all
(use_trans_sid=0 and use_cookies=0) -- then it's up to you to manually
append the PHPSESSID= parameter to all appropriate URLs.

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730      Fax:  +44 113 283 3211 

-- 
PHP General Mailing List (http://www.php.net/)
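
The three setups described in the message above, as an added example that is not part of the original post: one script that can be switched between URL rewriting with cookie fallback, cookie-only sessions, and fully manual SID handling. The file name `session_demo.php` and the `MODE` constant are hypothetical, and the script assumes a PHP version before 8.4, where these settings and the SID constant are not yet deprecated.

```php
<?php
// Added example (not from the original post). Serve it from any PHP-enabled
// web server; the file name session_demo.php and the MODE values are made up.
const MODE = 'trans'; // 'trans' | 'cookie_only' | 'manual'

$settings = [
    // Steps 1-6 of the post: a cookie is offered and URLs are rewritten
    // until the browser proves it sends the cookie back.
    'trans'       => ['use_cookies' => 1, 'use_only_cookies' => 0, 'use_trans_sid' => 1],
    // The session id travels in the cookie only; links are never rewritten
    // and an id supplied in the URL is ignored.
    'cookie_only' => ['use_cookies' => 1, 'use_only_cookies' => 1, 'use_trans_sid' => 0],
    // No automatic handling at all: the script appends SID itself.
    'manual'      => ['use_cookies' => 0, 'use_only_cookies' => 0, 'use_trans_sid' => 0],
];

// These must be set before session_start() and before any output is sent.
foreach ($settings[MODE] as $key => $value) {
    ini_set("session.$key", (string) $value);
}
session_start();

$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
$cookieReceived = isset($_COOKIE[session_name()]);

// SID is "PHPSESSID=<id>" when the id did not arrive in a session cookie,
// and an empty string when it did.
$next = 'session_demo.php';
if (MODE === 'manual' && SID !== '') {
    $next .= '?' . SID;
}
?>
<!DOCTYPE html>
<html><body>
<p>Mode: <?= htmlspecialchars(MODE) ?></p>
<p>Session cookie received with this request: <?= $cookieReceived ? 'yes' : 'no' ?></p>
<p>Requests seen in this session: <?= (int) $_SESSION['hits'] ?></p>
<!-- In 'trans' mode PHP rewrites this relative href on the first response
     only; view source on the first and second request to compare. -->
<p><a href="<?= htmlspecialchars($next) ?>">Next page</a></p>
</body></html>
```

In `cookie_only` mode the link never carries the session id, which is the behaviour the quoted question asks about; with cookies blocked in the browser, the request counter stays at 1 in that mode because every request starts a new session.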