The idea of building a website is largely to accommodate as large a
portion of your visitors as possible. I'm not worried about people
bookmarking session IDs, but what if someone copy/pastes the URL to a
friend and they use the session? My friend gave me an excellent idea,
and that is to check their IP and store the IP in the session. If the IP
doesn't match, then start a new session. This would be perfect, because
there's a double check. If someone disconnects from the internet but never
closes their browser, I don't think they should be allowed to continue
their session anyway; they should be required to log in again.
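The check described in the reply above (store the client's IP in the session, start a new session when it no longer matches, and make the user log in again), written out as an added PHP example. This is not code from the thread or from PHP's own documentation. It also covers the other points raised below: refusing a session ID that arrives in the URL, refusing IDs the server never issued, regenerating the ID at login so a pasted or guessed ID is useless, and an explicit idle timeout rather than relying on the garbage-collection setting alone. Assumptions: PHP 7.3 or later (for `session.cookie_samesite`), the script runs before any output, the 30-minute idle limit and the `/login.php` path are placeholders, and `REMOTE_ADDR` is the real client (behind a reverse proxy you would read the proxy's forwarded header instead). One caveat a practitioner should weigh before binding sessions to an IP: users on mobile carriers, corporate proxies and NAT pools change address mid-session, and every such change forces a re-login, which is exactly the behaviour the reply asks for but is noticeable to those users.

```php
<?php
// Added example, not from the mailing-list thread: session hardening in PHP.
// Assumptions: PHP 7.3+, run before any output, IDLE_LIMIT_SECONDS and the
// login path are placeholders, REMOTE_ADDR is the real client address.
declare(strict_types=1);

// Refuse session IDs passed in the URL (the "?PHPSESSID=..." case) and refuse
// IDs the server never issued, so a pasted or guessed ID cannot attach a visitor
// to someone else's session. Keep the cookie away from script and cross-site posts.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Lax');
// On an HTTPS site also set session.cookie_secure=1; left off so this runs on plain HTTP.

const IDLE_LIMIT_SECONDS = 1800; // assumption: 30-minute idle timeout

function client_fingerprint(): string
{
    // What the session is bound to: the peer address plus the User-Agent string.
    // Hashed so the raw values are not stored in the session file.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . "\0" . $ua);
}

// Starts the session and returns true only if it belongs to a logged-in user
// who is still coming from the same client and has not been idle too long.
function start_checked_session(): bool
{
    session_start();
    $now = time();

    $fresh = !isset($_SESSION['fp']);
    $fp_mismatch = !$fresh && !hash_equals($_SESSION['fp'], client_fingerprint());
    $idle = !$fresh && ($now - (int) $_SESSION['last_seen']) > IDLE_LIMIT_SECONDS;

    if ($fp_mismatch || $idle) {
        // Different client, or too old: discard the old data and issue a new ID.
        // The friend who pasted the URL ends up in an empty, anonymous session.
        $_SESSION = [];
        session_regenerate_id(true);
        $fresh = true;
    }

    if ($fresh) {
        $_SESSION['fp'] = client_fingerprint();
        $_SESSION['created'] = $now;
        $_SESSION['user'] = null;   // not logged in until login() sets this
    }
    $_SESSION['last_seen'] = $now;
    return $_SESSION['user'] !== null;
}

// Call this after the password check succeeds. Regenerating the ID here defeats
// session fixation: whatever ID the client arrived with is thrown away.
function login(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['fp'] = client_fingerprint();
    $_SESSION['last_seen'] = time();
}

if (!start_checked_session()) {
    header('Location: /login.php', true, 302);  // assumption: login page path
    exit;
}
echo 'Hello, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

`session.use_strict_mode` is the setting that matters most for the URL-sharing case: with it on, PHP only accepts IDs it generated itself, so an ID that was never issued starts a new empty session instead of being adopted. The IP/User-Agent fingerprint then adds the check the reply asks for on top of that.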
From: Nick Wilson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2002 3:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Need opinion On sessions - Cookies mandatory?
* and then Jason G. blurted....
> If cookies do not work, then you must have a session_id appended to
> the URL. HTTP is a "stateless" protocol. So every time you make an
> HTTP request, you must let PHP know what the session_id is, either through
> cookies or URL query strings (or possibly posted with a form).
Yep, now I'm with you. The number of times you'd see that kind of ugly
URL would be fairly minimal in most situations, as most users these days
aren't even aware they *can* disable cookies.
> >> disable cookies, but appending the session ID could be a security
> >> Consider this: Someone is viewing a page and says "oh cool, I want
> >> to see this". He then copy/pastes the URL, session ID and all, to
> >> a friend who then loads up the page using his friend's session ID. With
> >> cookies this would not happen.
> > Not a problem. The session is *destroyed* as soon as a user closes
> > the browser.
> A session will only be *destroyed* if it uses a cookie. PHP never
> when you close the browser, but the browser will remove the cookie.
> The next time you fire up the browser, it will not send the cookie, and a
> new session will be started.
Sure. But there is some kind of cleanup on the host machine, right? You
couldn't expect to continue a session a week later because you've
bookmarked a URL containing a SID.
I think this is controlled by something like a timeout var in the
> In my personal experience, using cookies only has not proven to be a
> problem. Your call.
When you say "using cookies only", do you mean 'requiring' the user to have
PHP General Mailing List (http://www.php.net/)