> Simply put - you can't.
> You need a way to transmit the session identifier, and AFAIK there's
> nothing except either cookies or SID.
> Using SID for security relevant issues presents a problem - users can send
> links with a SID to friends by mail or else, so this is not really a secure
> solution. However there are numerous application parts where no security is
> involved, and sessions are just used to construct a site - it's unnecessary
> IMHO to avoid SID use here.
> On our server we have disabled session cookies in general, as a courtesy to
> our users. However when logged in we require a user to accept a cookie. The
> value of this cookie is randomly generated (something like "md5(rand())"),
> and changes with every "click". This value (we call it a "login token") is
> also stored in session data to verify the cookie against the session. If no
> user token, or a wrong token, is transmitted, we assume a "hijacked"
> session and automatically logout the user. (there's more to it, but
> basically you get the idea)

This sounds like a pretty good idea to work around that problem :-)

Does this system work if the user decides to split "one session" across
multiple browser windows, i.e. they use the "Open in new window" function
of most browsers?
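The rotating "login token" scheme quoted above, written out as a small PHP helper set. This is an added example, not the poster's code; it assumes PHP 7.3+ (for the `setcookie()` options array), that `session_start()` has already been called, and that the cookie name `login_token` and the redirect target `/login.php` are ours to choose.

```php
<?php
// Added example (not the poster's code) of the per-click "login token" check.
// Assumes session_start() was already called; cookie name and login URL are ours.
declare(strict_types=1);

const LOGIN_TOKEN_COOKIE = 'login_token';

// Issue a fresh random token, store it in the session and send it as a cookie.
// random_bytes() stands in for the post's md5(rand()): rand() is not a CSPRNG.
function issueLoginToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['login_token'] = $token;
    setcookie(LOGIN_TOKEN_COOKIE, $token, [
        'expires'  => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from script
        'samesite' => 'Strict',
    ]);
    return $token;
}

// Compare the cookie value against the session copy in constant time.
// Returns true only when both are present and identical.
function loginTokenMatches(?string $cookieToken, ?string $sessionToken): bool
{
    if ($cookieToken === null || $sessionToken === null) {
        return false;
    }
    return hash_equals($sessionToken, $cookieToken);
}

// Per-request check: on a missing or wrong token treat the session as hijacked
// and log the user out; on success rotate the token so each "click" carries a new one.
function enforceLoginToken(): void
{
    $cookieToken  = $_COOKIE[LOGIN_TOKEN_COOKIE] ?? null;
    $sessionToken = $_SESSION['login_token'] ?? null;
    if (!loginTokenMatches($cookieToken, $sessionToken)) {
        $_SESSION = [];
        session_destroy();
        setcookie(LOGIN_TOKEN_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
        header('Location: /login.php');
        exit;
    }
    issueLoginToken();
}
```

Because the token is replaced on every request, two requests from the same browser that overlap in time race the rotation: the second one to arrive may still carry the previous value and be treated as a mismatch, which is exactly the multi-window situation the reply asks about.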


PHP General Mailing List (http://www.php.net/)