At 08:47 24.11.2002, Jean-Christian Imbeault said:
--------------------[snip]--------------------
>Ernest E Vogelsinger wrote:
> >
>> if ($_COOKIE[$_SESSION['cookie_name']] == $_SESSION['cookie_token']) {
>
>Ok, please forgive my ignorance, but in PHP isn't $_COOKIES the same as
>$_SESSION? I thought it was if the user had cookies turned off (and
>even if the user had cookies turned on come to think of it) ... If not
>I'm in trouble.
>
>I was always under the impression that $_SESSION vars were passed as
>cookies ...
--------------------[snip]--------------------
No, that's a misunderstanding. Session vars are never passed to and from
the client, only the session _name_ is passed, either via a cookie
(PHPSESSIONID) or via trans-sid href encoding.

Session vars are kept server-side in session storage, which is (by default)
a file located in the directory where session.save_path is pointing to. The
default file name is sess_<session-identifier>. The client only transmits
the session identifier so the server is able to correlate a session to a
particular request.

What I did for this particular application was to extend the system with a
cookie that's programmatically sent, using a random cookie name and a
random cookie content. Thus I am able to distinguish between multiple
logical sessions using the same session identifier, a scenario that could
happen when a URL containing a trans-sid has been bookmarked or transferred,
or when the client had opened a new window within the same session and
continued in "split mode".

Whatever the client passes to PHP as a cookie you can access in the
$_COOKIES array. Whatever PHP has stored in session storage can be accessed
in the $_SESSION array. They are quite different.
--
>O Ernest E. Vogelsinger
(\) ICQ #13394035
^ http://www.vogelsinger.at/
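
The check described in the message above, as an added example that is not the poster's code: a random cookie name and value are stored server-side in the session and compared against what the client sends. The function names are hypothetical, the session keys 'cookie_name' and 'cookie_token' come from the quoted line, and hash_equals() is used here in place of the == comparison.

```php
<?php
// Added example, not code from the original thread. Function names are
// hypothetical; plain arrays stand in for $_SESSION and $_COOKIE so the
// demo at the bottom runs from the CLI.

// Generate a random cookie name and value and remember both server-side.
function issue_logical_session_cookie(array &$session): array
{
    $session['cookie_name']  = 'ls_' . bin2hex(random_bytes(8));
    $session['cookie_token'] = bin2hex(random_bytes(32));
    return [$session['cookie_name'], $session['cookie_token']];
}

// True only if the client presented the cookie this session was bound to.
function logical_session_matches(array $session, array $cookies): bool
{
    if (!isset($session['cookie_name'], $session['cookie_token'])) {
        return false;   // no cookie has been issued for this session yet
    }
    $name = $session['cookie_name'];
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return false;   // session id arrived without the matching cookie
    }
    // Constant-time comparison of the stored token and the client's value.
    return hash_equals($session['cookie_token'], $cookies[$name]);
}

// Assumed usage inside a web request:
//   session_start();
//   [$n, $v] = issue_logical_session_cookie($_SESSION);
//   setcookie($n, $v, ['httponly' => true, 'samesite' => 'Lax']);
//   ...on later requests: logical_session_matches($_SESSION, $_COOKIE)

// Constructed demo data: one session, three different clients.
$session = [];
[$name, $token] = issue_logical_session_cookie($session);

// The window that received the cookie.
var_dump(logical_session_matches($session, [$name => $token]));
// A bookmarked or forwarded trans-sid URL: same session id, no cookie.
var_dump(logical_session_matches($session, []));
// Right cookie name, wrong value.
var_dump(logical_session_matches($session, [$name => 'constructed-wrong-value']));
```

Only the cookie name and value travel to the client; the copies in the session array stay in server-side session storage, which is why the two can be compared at all.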