Re: [PHP-DEV] A couple of session issues
On 27 Aug 2001 01:33:46 +0300, Zeev Suraski wrote:
> The other issue is a suggestion I want to pitch - right now, if sessions are started after the headers are already sent, we'll get a nice headers-already-sent error. If we have trans_sid enabled (which we will most probably, from now on) - we can check whether the headers are already sent, and if they are, move to use trans_sid instead. Any comments?

i tend not to do that. trans-sid is a very different thing from cookies (session id's are populated to foreign-sites via HTTP_REFERRER). i don't think we should default to it. developers should decide themself if they want trans-sid or not.

re, tc

--
PHP Development Mailing List http://www.php.net/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] A couple of session issues
At 13:40 27-08-01, Thies C. Arntzen wrote:
> On 27 Aug 2001 01:33:46 +0300, Zeev Suraski wrote:
> > The other issue is a suggestion I want to pitch - right now, if sessions are started after the headers are already sent, we'll get a nice headers-already-sent error. If we have trans_sid enabled (which we will most probably, from now on) - we can check whether the headers are already sent, and if they are, move to use trans_sid instead. Any comments?
>
> i tend not to do that. trans-sid is a very different thing from cookies (session id's are populated to foreign-sites via HTTP_REFERRER). i don't think we should default to it. developers should decide themself if they want trans-sid or not.

You lost your caps too? :)

I'm not sure what you meant in the HTTP_REFERRER issue - can you explain it? At any rate, developers still can decide whether or not they want trans_sid, by using the existing php.ini setting.

Zeev
Re: [PHP-DEV] A couple of session issues
Hi Zeev!

On Mon, 27 Aug 2001, Zeev Suraski wrote:
> At 13:40 27-08-01, Thies C. Arntzen wrote:
> > On 27 Aug 2001 01:33:46 +0300, Zeev Suraski wrote:
> > > The other issue is a suggestion I want to pitch - right now, if sessions are started after the headers are already sent, we'll get a nice headers-already-sent error. If we have trans_sid enabled (which we will most probably, from now on) - we can check whether the headers are already sent, and if they are, move to use trans_sid instead. Any comments?
> >
> > i tend not to do that. trans-sid is a very different thing from cookies (session id's are populated to foreign-sites via HTTP_REFERRER). i don't think we should default to it. developers should decide themself if they want trans-sid or not.
>
> You lost your caps too? :)
>
> I'm not sure what you meant in the HTTP_REFERRER issue - can you explain

I guess if I am in a page generated by http://www.example.com/foo/bar.php?SID=32x[0-f] and in this page, there is a link to www.foo.com/malicious.php, malicious.php will see in HTTP_REFERER what is your SID.

-- teodor
Re: [PHP-DEV] A couple of session issues
On 27 Aug 2001 15:25:09 +0300, Zeev Suraski wrote:
> At 13:40 27-08-01, Thies C. Arntzen wrote:
> > On 27 Aug 2001 01:33:46 +0300, Zeev Suraski wrote:
> > > The other issue is a suggestion I want to pitch - right now, if sessions are started after the headers are already sent, we'll get a nice headers-already-sent error. If we have trans_sid enabled (which we will most probably, from now on) - we can check whether the headers are already sent, and if they are, move to use trans_sid instead. Any comments?
> >
> > i tend not to do that. trans-sid is a very different thing from cookies (session id's are populated to foreign-sites via HTTP_REFERRER). i don't think we should default to it. developers should decide themself if they want trans-sid or not.
>
> You lost your caps too? :)

some time ago already;-) didn't you notice?

> I'm not sure what you meant in the HTTP_REFERRER issue - can you explain it? At any rate, developers still can decide whether or not they want

if you are on a site that uses trans-sid for sessions the HTTP_REFERER on the next visited site will contain your session-id.

> trans_sid, by using the existing php.ini setting.

makes sense - i just don't want a new changed default behaviour of PHP. if i run a cookie based session and for some weird reason i have a stray character in one of my pages i do not want PHP to switch to trans-sid - i want to get notified (Headers already sent) and fix my bug.

tc

> Zeev
Re: [PHP-DEV] A couple of session issues
At 19:00 27-08-01, Thies C. Arntzen wrote:
> > You lost your caps too? :)
>
> some time ago already;-) didn't you notice?

No, I hadn't noticed. I'll help you look for them in November :)

> if you are on a site that uses trans-sid for sessions the HTTP_REFERER on the next visited site will contain your session-id.

Ah, makes sense. That's indeed not a very cool thing.

> > trans_sid, by using the existing php.ini setting.
>
> makes sense - i just don't want a new changed default behaviour of PHP. if i run a cookie based session and for some weird reason i have a stray character in one of my pages i do not want PHP to switch to trans-sid - i want to get notified (Headers already sent) and fix my bug.

Well, you kind of convinced me that it's not a very good idea. The danger, combined with the fact that people won't expect this to happen, combined with the fact it's not a very 'clean' thing anyway, combined with the fact that trans_sid itself is on by default (it no longer requires --enable-trans-sid), this whole mess together sums up to 'not a very good idea'.

Thanks for the info :)

Zeev
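Added example, not part of the thread: a Python audit of a site's own access log for the exposure discussed in the messages above, session ids carried in request URLs, which is what trans_sid produces and what the next visited site then receives in the Referer header. It assumes the combined log format and PHP's default session name PHPSESSID, and goes one step beyond the thread by flagging ids presented from more than one client address; the log entries are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: PHP's default session.name; change it if the site overrides the name.
SESSION_PARAM = "PHPSESSID"

# Leading part of a combined-format entry: host ident user [time] "METHOD target PROTO"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+) [^"]*"'
)

def sid_from_url(url):
    """Return the session id carried in a URL's query string, or None."""
    values = parse_qs(urlsplit(url).query).get(SESSION_PARAM)
    return values[0] if values else None

def audit(lines):
    """Map each session id seen in a request URL to the client addresses that sent it."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format entry
        sid = sid_from_url(m.group("target"))
        if sid:
            seen[sid].add(m.group("client"))
    return dict(seen)

def shared_sids(seen):
    """Session ids presented by more than one client address."""
    return sorted(sid for sid, clients in seen.items() if len(clients) > 1)

# Constructed sample entries: documentation addresses and made-up session ids.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Aug/2001:13:40:00 +0200] "GET /foo/bar.php?PHPSESSID=0123456789abcdef0123456789abcdef HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [27/Aug/2001:13:52:10 +0200] "GET /foo/bar.php?PHPSESSID=0123456789abcdef0123456789abcdef HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [27/Aug/2001:13:41:05 +0200] "GET /index.php HTTP/1.0" 200 300 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [27/Aug/2001:14:02:31 +0200] "GET /foo/bar.php?page=2&PHPSESSID=fedcba9876543210fedcba9876543210 HTTP/1.0" 200 512 "http://www.example.com/foo/" "Mozilla/4.0"',
]

if __name__ == "__main__":
    seen = audit(SAMPLE_LOG)
    print(f"{len(seen)} session id(s) exposed in request URLs")
    for sid in shared_sids(seen):
        print(f"{sid} used from {sorted(seen[sid])}")
```

A shared id is a lead, not proof: proxies and changing client addresses produce the same pattern.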
[PHP-DEV] A couple of session issues
One thing I couldn't get to the bottom of is PS(define_sid) and the define_sid logic in php_session_start(). I understand the code, but I couldn't understand why we define SID in certain cases to contain valid data, and sometimes just an empty string. It's also being used in session_adapt_uris() later.

The other issue is a suggestion I want to pitch - right now, if sessions are started after the headers are already sent, we'll get a nice headers-already-sent error. If we have trans_sid enabled (which we will most probably, from now on) - we can check whether the headers are already sent, and if they are, move to use trans_sid instead. Any comments?

Zeev
Re: [PHP-DEV] A couple of session issues
On Mon, Aug 27, 2001 at 01:33:46AM +0300, Zeev Suraski wrote:
> The other issue is a suggestion I want to pitch - right now, if sessions are started after the headers are already sent, we'll get a nice headers-already-sent error. If we have trans_sid enabled (which we will most probably, from now on) - we can check whether the headers are already sent, and if they are, move to use trans_sid instead. Any comments?

I think that sounds reasonable, although the aforementioned error does indirectly enforce better coding and organization. Your proposed change should make things easier for developers, though.

--
Jon Parise ([EMAIL PROTECTED]) . Rochester Inst. of Technology
http://www.csh.rit.edu/~jon/ : Computer Science House Member