At 09:35 AM 1/23/2002 +0100, Nick Wilson wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>* and then Jason G. blurted....
> > If cookies do not work, then you must have a session_id appended to the
> > URL.  HTTP is a "stateless" protocol.  So every time you make a request via
> > HTTP, you must let PHP know what the session_id is either through cookies,
> > or url query strings (or possibly posted with a form).
>
>Yep, now I'm with you. The amount of times you'd see that kind of ugly
>URL would be fairly minimal in most situations as most users these days
>aren't even aware they *can* disable cookies.
>
>
> > >> disable cookies, but appending the session ID could be a security risk.
> > >> Consider this: Someone is viewing a page and says "oh cool, I want Joe
> > >> to see this". He then copy/pastes the URL, sessionID and all, to Joe,
> > >> who then loads up the page using his friend's SessionID. With cookies,
> > >> this would not happen.
> > >
> > >Not a problem. The session is *destroyed* as soon as a user closes the
> > >browser.
> >
> > A session will only be *destroyed* if it uses a cookie. PHP never knows
> > when you close the browser, but the browser will remove the cookie.  Next
> > time you fire up the browser, it will not send the cookie, and a different
> > session will be started.
>
>Sure. But there is some kind of clean on the host machine right? You
>couldn't expect to continue a session a week later because you've
>bookmarked a URL containing a SID.
>I think this is controlled by something like a timeout var in the
>php.ini.
Yeah, the sessions will time out and be cleaned up, but that applies just 
as much for cookie based sessions as url based sessions.


> > In my personal experience, using cookies only has not proven to be a
> > problem.  Your call.
I run several sites that have secure logins (username and password).  And 
I do require the members to have cookies enabled in order for them to log in.

If anyone has a problem with it, then they tell their browser to destroy 
the cookies when they close the browser, or only accept cookies from my sites.

>When you say using cookies only do you mean 'requiring' the user to have
>cookies enabled?
>
>- --
>
>Nick Wilson
>
>Tel:    +45 3325 0688
>Fax:    +45 3325 0677
>Web:    www.explodingnet.com
>
-Jason Garber
IonZoft.com
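
The points raised in this thread (no session ID in the URL, a server-side timeout that applies however the ID travels, and cookies required for login), as an added example that is not part of the original messages. It assumes PHP 7.3 or later and an HTTPS site; the 30-minute limit, the `last_seen` key and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. The ini directives are standard
// PHP settings; IDLE_LIMIT, 'last_seen' and the function names are assumptions.

const IDLE_LIMIT = 1800; // seconds of inactivity before the session is dropped

function start_cookie_only_session(): void
{
    // Never accept or emit a session ID in the URL, so a copied or
    // bookmarked link carries no credential.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Server-side cleanup window; it applies however the ID was delivered.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: the browser drops it on close
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Garbage collection runs probabilistically, so enforce the idle limit
    // on every request instead of relying on gc_maxlifetime alone.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];              // discard the stale session's data
        session_regenerate_id(true); // new ID, old session storage deleted
    }
    $_SESSION['last_seen'] = $now;
}

function on_login_success(int $userId): void
{
    // Issue a fresh ID at login so an ID seen before authentication
    // cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_cookie_only_session();
```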


-- 
PHP General Mailing List (http://www.php.net/)