Daniel Clark wrote:
As suggested, if I turn off cookies in my browser, then SID is set.  So
the directive in php.ini does not cause the use of cookies to be
completely turned off?



My understanding is the php.ini sessions.save_path(?) is for PHP to have a temp directory to write session information on the server. Of course, the client's browser has a cookie set, or it is in the URL. The session information on the client and server must then match, else it was forged.




Another question involves the use of the back button.  My client wants
the use of the back button to be turned off for security reasons for
some pages.  His preference is to have a page expire if it is arrived on
by pressing the back button.  Can this be done with sessions?


No, I don't see how with sessions.   Some of the displayed browser options
can be turned off with JavaScript.   However, there are still hot keys
for many of those functions.

I'd keep track of the current page, and if a "back button" was pressed,
have that page expire and display a message "don't go backwards :-)"

That works, but only if the browser requests a new copy of the page. According to browser specs, they should display the cached copy. You can try setting no-caching headers and meta tags and see if that helps.




--
paperCrane <Justin Patrin>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
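
The two suggestions in the message above (track the current page in the session, and send no-caching headers so Back causes a new request) combined in one script, as an added example that is not part of the original thread. It assumes a linear flow addressed as `?step=N`; the function name `step_is_current` and the session key `reached_step` are hypothetical.

```php
<?php
// Added example, not code from the mailing list thread.
// Assumption: pages form a linear flow requested as ?step=1, ?step=2, ...
session_start();

// Ask the browser not to keep a copy, so that pressing Back sends a new
// request to the server instead of redisplaying the stored page.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');   // for HTTP/1.0 clients and proxies
header('Expires: 0');         // an invalid date is treated as already expired

/**
 * Returns true if the requested step may be shown, false if it has expired.
 * The highest step reached so far is kept server-side in the session, so
 * the client cannot change it by editing the URL.
 */
function step_is_current(int $requested): bool
{
    $reached = $_SESSION['reached_step'] ?? 0;

    if ($requested < $reached) {
        return false;                 // arrived by going backwards
    }
    if ($requested > $reached + 1) {
        return false;                 // skipped ahead by editing the URL
    }
    $_SESSION['reached_step'] = $requested;  // same step (reload) or next step
    return true;
}

// filter_input() returns null when ?step is absent and false when it is
// not a positive integer; both cases fall back to the first step.
$step = filter_input(INPUT_GET, 'step', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
if ($step === null || $step === false) {
    $step = 1;
}

if (!step_is_current($step)) {
    http_response_code(410);          // 410 Gone
    echo 'This page has expired. Please continue from your current step.';
    exit;
}

echo 'Step ' . $step . ' - <a href="?step=' . ($step + 1) . '">Next</a>';
```

The expiry check only runs when the browser actually contacts the server, which is why the headers are sent on every response.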


