At 08:02 22.11.2002, Jean-Christian Imbeault said:
>Is it because I am putting the SID in the URL? I haven't tested with 
>cookies yet as I want to get my site working without cookies first.

Definetely yes.

The PHP session is (with the default setup) nuthing more than a hash that's
used to construct a file name. So the session ID
"0ee410a57762be937d6d277b4ff642c8" will render the filename
"/tmp/sess_0ee410a57762be937d6d277b4ff642c8" which will subsequently used
by PHP as the session storage.

>> Adding a logout feature will help people who are worried about security,
>> because it can kill the cookies on the browser.
>I agree! The problem I have now is that a user can bookmark a page with 
>the SID in the URL and then come back later and the session is still 
>active ... the session should close when the browser is closed.

You cannot really control if the user is logging out or not - I saw a
"solution" once where they had a JavaScript for "onUnload" where they
warned the user that the next time he should log out - I believe the actual
action was to use the onUnload handler to redirect the browser to the
logout screen. However this wouldn't work if the user has JavaScript
switched off.

What I usually do (I also have session cookies switched off) is to send the
user a session cookie when he logs in. This way I can use cookieless
sessions, but when it comes to sensitive areas I can be sure that
bookmarking or giving away the SID wouldn't automatically transfer the
login session...

>I have set session.auto_start = 1 so I would think that after closing 
>the browser and going to the bookmarked paged a new session would be 
>started, killing the SID passed in from the URL no?

I always recomment NOT using session.auto_start. It effectively disables
making objects session-persistent as any class file needed for the objects
must be loaded BEFORE objects gets reconstructed.

When the browser requests an URL with a SID you have no control if this
stems from a link or from a bookmark (maybe you could go and analyze
$_SERVER['HTTP_REFERER'], but not all browsers tranmit it. What you can do
is to have a timestamp of the last access recorded in your session so you
can always check against your own timeout requirements.

Personally I believe it's a good thing not to enable automatic session
cookies. Relying on a session cookie effectively disables having two
browser windows open with the same application but running in different
contexts, since both would transmit the same session cookie.

   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to