Mike,

Thanks for the additional explanation, and I understand the sequence of events as you described. However, please bear with me a bit - the results I am getting do not quite match your explanation. Let me clarify what I am doing:

I have a page (index.php) which starts out by calling start_session(), then emits some html code containing some form variables for search criteria. After the form variables, I have a "submit" button that refers to index.php. Following that, I have php logic that extracts the search criteria (if set) from $HTTP_POST_VARS, performs a MySQL query, then creates a table of results (if any); one of the table entries contains a <a href= link to determine which row the user selected.

The first time I load the page, I assume the session is created by start_session(), and the cookie is sent to the browser. When I click on the "submit" button, the page is reloaded - I assume with the session active - as per your explanation. According to the documentation I have read, the second time the page is loaded, start_session() will simply reuse the existing session parameters. At this point, the browser should already have the cookie - if it did not, I would not be able to retrieve the session variables - but the url links in the table are still rewritten. I do not understand why.

Being new to the "stateless" paradigm of web applications, and to php, I feel a bit nervous about coding when I do not quite grasp what is going on.

Peter

Ford, Mike [LSS] wrote:

On 11 December 2003 16:54, Peter Walter wrote:



Jason,

Thanks for your help. It is a little clearer to me now. However, I have visited php sites that *claim* to be using session management but where the links do not have the session id appended, and there are no variables being passed in the url for links. The url is always in the form "www.somesite.com/index.php" or just "www.somesite.com". In these cases, how is the url rewriting being suppressed for the links on the page? I simply want to understand the technique.



If "url rewriting" (session.use_trans_sid) is enabled, and your browser is accepting cookies, then the sequence of events goes like this:

1. First request to your site -- browser has no cookie set, so cannot send
it.

2. PHP responds with a page, including a header to set the PHPSESSID cookie;
because, at this stage, PHP has no idea whether your browser will accept
cookies, it also rewrites all URLs contained in the page to include a
PHPSESSID= parameter.

3. Your browser displays the page, and sets the cookie.

4. You click a link to get the next page -- in addition to sending a request
for the URL containing the PHPSESSID= parameter, your browser also sends the
newly-set PHPSESSID cookie.

5. PHP responds with the new page, but, because it has received the
PHPSESSID cookie in the previous step it now knows your browser is accepting
cookies and does not bother to do any URL rewriting.

6. None of the URLs in the new page have the PHPSESSID= parameter appended
-- transmission of the session id is now solely via the PHPSESSID cookie.

Various things can influence this behaviour:

- If your browser is not accepting cookies, URL rewriting will always occur
and you will continue to see PHPSESSID= parameters appended.

- If session.use_trans_sid is not set, PHP will do no URL rewriting but will
attempt to use cookies (if enabled) -- if your browser doesn't accept
cookies, sessions will fail to work (unless you manually append PHPSESSID=
parameters where needed -- the SID built-in constant is provided for this).

- If session.use_cookies is not set, PHP will not even attempt to use a
cookie for the session id.

- If session.use_only_cookies is set, PHP will use *only* cookies to store
the session id -- again, if your browser is not accepting cookies, sessions
will not work.

As you can see, there are many ways of setting this up, with a few subtle
nuances -- and some of the combinations don't actually make much sense
(use_trans_sid=1 and use_only_cookies=1, for instance).  Note that you *can*
set it up so that PHP does no automatic PHPSESSID setting at all
(use_trans_sid=0 and use_cookies=0) -- then it's up to you to manually
append the PHPSESSID= parameter to all appropriate URLs.

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
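
The six-step sequence and the setting combinations in Mike's message, modelled as an added example (it is not part of the original thread and is not PHP's own code). `Settings`, `respond` and `browse` are hypothetical names, the session ids are constructed, and the model assumes cookie-only mode takes precedence over use_trans_sid.

```python
# Added illustration (not PHP's own code): a small model of the session-id
# exchange as Mike's message describes it. All names here are hypothetical.
from dataclasses import dataclass

@dataclass
class Settings:                      # the php.ini directives named in the thread
    use_cookies: bool = True
    use_only_cookies: bool = False
    use_trans_sid: bool = True

def respond(cfg, cookie_sid, url_sid, fresh_sid, links):
    """Server side of one request. Returns (set_cookie, links_as_sent, sid)."""
    got_cookie = cfg.use_cookies and cookie_sid is not None
    sid = cookie_sid if got_cookie else None
    if sid is None and not cfg.use_only_cookies:
        sid = url_sid                # fall back to the PHPSESSID= parameter
    new_session = sid is None
    if new_session:
        sid = fresh_sid
    set_cookie = sid if (new_session and cfg.use_cookies) else None
    # Assumption of this model: cookie-only mode overrides use_trans_sid.
    rewrite = cfg.use_trans_sid and not cfg.use_only_cookies and not got_cookie
    sent = [f"{u}?PHPSESSID={sid}" if rewrite else u for u in links]
    return set_cookie, sent, sid

def browse(cfg, accepts_cookies, pages=3):
    """Load a page, then keep following its link. Returns one
    (links_rewritten, session_id) pair per page."""
    cookie = url_sid = None
    seen = []
    for n in range(1, pages + 1):
        fresh = f"constructed-sid-{n}"          # constructed sample id
        set_cookie, sent, sid = respond(cfg, cookie, url_sid, fresh, ["/index.php"])
        if set_cookie and accepts_cookies:
            cookie = set_cookie                 # step 3: browser stores the cookie
        # The next request uses the link exactly as the server sent it.
        url_sid = sent[0].partition("?PHPSESSID=")[2] or None
        seen.append(("PHPSESSID=" in sent[0], sid))
    return seen

if __name__ == "__main__":
    for label, cfg, accepts in [
        ("trans_sid + cookies, cookies accepted", Settings(), True),
        ("trans_sid + cookies, cookies refused", Settings(), False),
        ("use_trans_sid=0, cookies refused", Settings(use_trans_sid=False), False),
        ("use_only_cookies=1, cookies accepted", Settings(use_only_cookies=True), True),
    ]:
        print(label, browse(cfg, accepts))
```

In the cookies-refused run every link keeps carrying the session id, so the id also ends up wherever URLs are recorded, such as server logs and Referer headers.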

