At 09:25 22.11.2002, Jean-Christian Imbeault said:
>> What I usually do (I also have session cookies switched off) is to send the
>> user a session cookie when he logs in. This way I can use cookieless
>> sessions, but when it comes to sensitive areas I can be sure that
>> bookmarking or giving away the SID wouldn't automatically transfer the
>> login session...
>I don't get what you mean here. Can you explain a bit more? Sounds like 
>what I need but I don't understand. You say you have cookies switched 
>off but send the user a cookie ... a contradiction.

My php.ini has session.use_cookies set to 0, so no (automatic) session
cookies get transmitted. This however doesn't stop me from programmatically
sending a cookie to the client...
So that's what I do, basically: I might be using a session for a lot of
stuff that's not related to user login; but when a user logs in this happens:

a) Create a unique cookie name and remember it:
    $cookie_name = md5(date('YmdHis'));
    $_SESSION['cookie_name'] = $cookie_name;
b) Create a random value for the cookie:
    $cookie_token = rand();
    $_SESSION['cookie_token'] = $cookie_token;
c) Transmit this cookie to the client (lifetime=session):
    setcookie($cookie_name, $cookie_token);

From now on, the login-check tests for the random session cookie to match
the token:
    if (isset($_COOKIE[$_SESSION['cookie_name']])
        && $_COOKIE[$_SESSION['cookie_name']] == $_SESSION['cookie_token']) {
        // valid cookie found, so generate a new value
        $_SESSION['cookie_token'] = rand();
        setcookie($_SESSION['cookie_name'], $_SESSION['cookie_token']);
    } else {
        // no cookie set, or token doesn't match - take the appropriate action
    }

This helps me to allow multiple sessions at the same client computer, since
every session has its own unique cookie. Giving away a link containing a
SID wouldn't harm security since you cannot pass or bookmark session cookies.

>> I always recommend NOT using session.auto_start. It effectively disables
>> making objects session-persistent
>I didn't know that but it doesn't matter as I don't do OO in PHP. Being 
>also a Java programmer I can't wrap my brain around how PHP does pseudo-OO.

It's not pseudo-OO - it's some kind of "back-to-the-roots" OO :) You _do_
have (single) inheritance, you _do_ have class abstraction, you _do_ have
polymorphism (although you need to go a lot by hand), but you _don't_ have
protected and private storage.

You can always put an object into session storage, like this:

    class A {
        function A() {}
    }
    // create the object once; later requests find it in the restored session
    if (!isset($_SESSION['a']) || !is_object($_SESSION['a']))
        $_SESSION['a'] = new A();
    $a =& $_SESSION['a'];

This will give you the same object of class A anytime you access the page
with the same session. Note however that the session handler needs the
class definition to be able to reconstruct the saved object - only the
class name, and the instance data, gets stored in session data.

   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
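Modelled below, as an added example that is not part of the original thread: the bind-on-login scheme from the post in Python, with an in-memory dict standing in for $_SESSION and one dict per browser standing in for its cookie jar (all values constructed). It swaps in secrets.token_hex() and a constant-time compare for md5(date()) and rand(), whose outputs are guessable, and also walks through two sessions in one browser, a leaked SID, and a stale cookie.

```python
import hmac
import secrets

# Constructed stand-in for PHP's server-side $_SESSION storage: sid -> data.
sessions = {}

def login(sid, cookie_jar):
    """Steps a)-c) of the post: bind the URL-carried session to a cookie with a
    random name and a random value. secrets.token_hex() replaces md5(date()) and
    rand(), whose outputs are guessable; cookie_jar stands in for setcookie()."""
    sess = sessions.setdefault(sid, {})
    sess["cookie_name"] = "auth_" + secrets.token_hex(8)
    sess["cookie_token"] = secrets.token_hex(16)
    cookie_jar[sess["cookie_name"]] = sess["cookie_token"]

def login_check(sid, cookie_jar):
    """The post's check: the cookie named in the session must carry the current
    token. Returns True and rotates the token on success; constant-time compare."""
    sess = sessions.get(sid)
    if not sess or "cookie_name" not in sess:
        return False
    presented = cookie_jar.get(sess["cookie_name"], "")
    if not hmac.compare_digest(presented, sess["cookie_token"]):
        return False
    sess["cookie_token"] = secrets.token_hex(16)
    cookie_jar[sess["cookie_name"]] = sess["cookie_token"]
    return True

def demo():
    """Walk through the scenarios the post describes; every value is constructed."""
    alice, bob = {}, {}               # two browsers' cookie jars; Bob has no cookies
    sid1, sid2 = "sid-a1", "sid-a2"   # session IDs as carried in the URL
    login(sid1, alice)
    login(sid2, alice)                # second login from the same browser
    results = {
        "owner_ok": login_check(sid1, alice),
        "owner_ok_after_rotation": login_check(sid1, alice),
        "second_session_same_browser_ok": login_check(sid2, alice),
        # Bob received a link containing sid1 but none of Alice's cookies
        "leaked_sid_rejected": not login_check(sid1, bob),
    }
    stale = dict(alice)               # snapshot of the cookies, then Alice continues
    login_check(sid1, alice)          # rotates sid1's token
    results["stale_token_rejected"] = not login_check(sid1, stale)
    results["cookie_names_distinct"] = sessions[sid1]["cookie_name"] != sessions[sid2]["cookie_name"]
    return results
```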

PHP General Mailing List (