At 09:35 AM 1/23/2002 +0100, Nick Wilson wrote:
>Hash: SHA1
>* and then Jason G. blurted....
> > If cookies do not work, then you must have a session_id appended to the
> > URL.  HTTP is a "stateless" protocol.  So every time you make a request 
> via
> > HTTP, you must let PHP know what the session_id is either through cookies,
> > or url query strings (or possibly posted with a form).
>Yep, now I'm with you. The amount of times you'd see that kind of ugly
>URL would be fairly minimal in most situations as most users these days
>aren't even aware they *can* disable cookies.
> > >> disable cookies, but appending the session ID could be a security risk.
> > >> Consider this: Someone is viewing a page and says "oh cool, I want Joe
> > >> to see this". He then copy/pastes the URL, sessionID and all, to Joe,
> > >> who then loads up the page using his friend's SessionID. With cookies,
> > >> this would not happen.
> > >
> > >Not a problem. The session is *destroyed* as soon as a user closes the
> > >browser.
> >
> > A session will only be *destroyed* if it uses a cookie. PHP never knows
> > when you close the browser, but the browser will remove the cookie.  Next
> > time you fire up the browser, it will not send the cookie, and a different
> > session will be started.
>Sure. But there is some kind of clean on the host machine right? You
>couldn't expect to continue a session a week later because you've
>bookmarked a URL containind a SID.
>I think this is controlled by something like a timeout var in the
Yeah, the sessions will time out and be cleaned up, but that applies just 
as much for cookie based sessions as url based sessions.

> > In my personal experience, using cookies only has not proven to be a
> > problem.  Your call.
I run several sites that have secure login's (Username and password).  And 
i do require the members to have cookies enabled in order for them to login.

If anyone has a problem with it, then they tell their browser to destroy 
the cookies when they close the browser, or only accept cookies from my sites.

>When you say using cookies only do you mean 'requiring' the user to have
>cookies enabled?
>- --
>Nick Wilson
>Tel:    +45 3325 0688
>Fax:    +45 3325 0677
-Jason Garber

PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to