If cookies are not available, you can either

hide the id in the hidden form field element
or
enable trans_sid to automatically pass the session id in the URL
bastien

> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; php-general@lists.php.net
> Date: Fri, 17 Aug 2007 17:03:54 -0700
> Subject: RE: [PHP] About Session And Cookies
>
> Kelvin,
>
> Sessions are just one of the items recommended for an e-commerce website. I seem to recall that if cookies were not enabled there was a way of passing the session id in the URL as a "Get" parameter.
>
> Basically you will store the items to be purchased in a special table and a shopper ID or cart ID number will be assigned with the first selected item and needs to be retained to be able to recall the selected items when the shopper is ready to check out. A session variable is a good place to store this id, but it could also be passed in the form as a hidden field. A session is also a convenient way of providing a generic storage of the items to be purchased; a separate table is possibly more common. You don't have to be too concerned about security up to the point where someone begins to check out, when you begin gathering personal information from the buyer. Give it some thought, but I suspect in most cases that if someone were to capture a session at this point, the worst that could happen is they would both order and pay for the same items.
>
> When you gather personal information it becomes a different matter, and at this point I would first recommend you consider passing your order items to a resource like paypal and let them collect the personal information. If that is not possible you will want to switch to SSL communication with the browser before you present your form for the personal information, and even in this mode I would recommend that if you detect errors on the form and need to re-present the form for the buyer to correct info, toss away the credit card info and have them reenter it. You do not want to store this in your session, or anywhere on your system, without really secure encryption (I'm talking about the DB side here, not the SSL channel to the browser).
>
> Once you begin collecting personal information (and this is not limited to the obvious like social security numbers), you should make sure the session cannot be hijacked, to prevent identity theft; this is where cookies work so well. Anyone who doesn't allow cookies is forcing you into a situation where you must expose their session information in the URL or a hidden field on the form where it can be hijacked, in which case I would refuse to have them as a customer; it's not worth the risk.
>
> Hope this helps,
>
> Warren
>
>
> -----Original Message-----
> From: Kelvin Park [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 17, 2007 3:02 PM
> To: php-general@lists.php.net
> Subject: [PHP] About Session And Cookies
>
> I am trying to setup a secure login system.
> I've heard that if I use just cookies for login, members without cookies turned on won't be able to see the member pages.
>
> Is using session recommended for e-commerce websites with shopping carts?
> Or, using both of them might be more effective in some way.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
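An added example, not code from Bastien, Warren or the PHP project, of what the cookie-only stance Warren recommends looks like in PHP: the session id is carried only in a cookie, a request that carries an id in the URL or a form field is refused rather than adopted, the id is regenerated at login, and card data is never left in the session. It assumes PHP 7.3 or later and a site served over HTTPS (needed for `session.cookie_secure`); the function names are mine.

```php
<?php
declare(strict_types=1);

// Start the session with the id confined to a cookie. ini_set() must run
// before session_start(); these are real php.ini keys, not inventions.
function secure_session_start(): void
{
    ini_set('session.use_only_cookies', '1');  // never read the id from GET/POST
    ini_set('session.use_trans_sid', '0');     // never rewrite URLs/forms with the id
    ini_set('session.use_strict_mode', '1');   // refuse ids the server did not issue
    ini_set('session.cookie_httponly', '1');   // not readable by page scripts
    ini_set('session.cookie_secure', '1');     // HTTPS only (assumed deployment)
    ini_set('session.cookie_samesite', 'Strict');
    session_start();
}

// True when a request carries the session id outside the cookie (query string
// or hidden field). The thread's advice is to refuse such a request, not to
// adopt the id, so the caller treats this as an error.
function session_id_outside_cookie(array $get, array $post, string $name): bool
{
    return array_key_exists($name, $get) || array_key_exists($name, $post);
}

// After a successful login: fresh id, so anything seen before login is useless,
// and the old session record is deleted rather than left behind.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Card details collected at checkout are used once and dropped; they are never
// persisted in the session store, which is what Warren warns against.
function discard_card_data(array &$session): void
{
    unset($session['card_number'], $session['card_cvv'], $session['card_expiry']);
}

// Request handling (usage):
secure_session_start();
if (session_id_outside_cookie($_GET, $_POST, session_name())) {
    http_response_code(400);
    exit('Session id must be sent in a cookie.');
}
```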