At 22:41 10.11.2002, Charles Wiltgen said:
>I'm about to implement session management, and I'm considering rolling my
>own instead of using PHP's.

Hmm - NIH syndrome?
(>>not invented here<<)

>Specifically, I'm considering using hidden fields for persistent object
>properties because (1) I don't want cookies to be an issue, (2) I prefer not
>to have session IDs appear in a URL, and (3) I prefer not to use require a
>database just to store persistent properties.

As Justin already pointed out you make yourself stick to forms, not
allowing any "normal" page be session-dependent - but that's only one of
the drawbacks.

The issue that would disturb me the most is data security - if you use the
client browser to store object persistent data this opens up a whole world
of possibilities to hack your data... Of course you could always check if
the hidden fields are still ok, using some md5 or whetever, but why the hassle?

If you don't want cookies (I too don't use them for a session and have
disabled session cookies in our php.ini), PHP will transparently merge the
session identifier into its output (as long as you don't use ob_gzhandler,
that is). But why don't you like the session ID magled into links?

"prefer not to use a database" - that's not the case with standard php
sessions, they get written to a file somewhere. Just make sure that this
"somewhere" is
    a) read/writable by apache
    b) not read/writable by anyone else
and you are (relatively) secure.

   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to