Re: [PHP] PHPSESSID used sporatically

2006-08-18 Thread Richard Lynch
On Wed, August 16, 2006 8:44 pm, Michael B Allen wrote:
> Searching through the logs and browsing my site (see sig) I sometimes see
> PHPSESSID is used as opposed to cookies. I know it's not simply that the
> client doesn't support cookies because I can see the same IP transition
> to and from using PHPSESSID. Can someone explain why this is happening?

Your assumption that the same IP is the same session is one
explanation...

IP in general is useless for identification, much less authentication.

Unless you KNOW those specific IPs are static, and only used by one
person on one browser, then you need to do much more research to see
if people really are switching from Cookie to PHPSESSID (presumably
via GET).

A simple error_log in your script should get you started:
// Log the active session ID next to the IDs received by cookie and by GET
error_log(session_id() . " $_COOKIE[PHPSESSID] $_GET[PHPSESSID]");

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
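
The research suggested in the reply above, keyed on the session ID rather than the client IP, as an added example that is not code from the thread. It assumes an access log whose last quoted field is the Cookie request header; the log lines, IPs and session IDs are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample. Assumed format: common log fields followed by the Cookie
# request header as a final quoted field; IPs and session IDs are made up.
SAMPLE_LOG = '''\
192.0.2.10 - - [16/Aug/2006:20:40:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-"
192.0.2.10 - - [16/Aug/2006:20:40:09 -0400] "GET /products.php?PHPSESSID=aaa111 HTTP/1.1" 200 4096 "PHPSESSID=aaa111"
192.0.2.10 - - [16/Aug/2006:20:40:30 -0400] "GET /about.php HTTP/1.1" 200 2048 "PHPSESSID=aaa111"
192.0.2.10 - - [16/Aug/2006:20:41:02 -0400] "GET /index.php?PHPSESSID=bbb222 HTTP/1.1" 200 5120 "-"
198.51.100.7 - - [16/Aug/2006:20:55:47 -0400] "GET /products.php?PHPSESSID=bbb222 HTTP/1.1" 200 4096 "-"
'''

LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*" \d+ \S+ "([^"]*)"$')
COOKIE_SID_RE = re.compile(r'(?:^|;\s*)PHPSESSID=([^;\s]+)')

def parse_line(line):
    """Return (ip, sid_in_url, sid_in_cookie), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, url, cookie = m.groups()
    url_sid = parse_qs(urlsplit(url).query).get("PHPSESSID", [None])[0]
    c = COOKIE_SID_RE.search(cookie)
    return ip, url_sid, (c.group(1) if c else None)

def analyse(log_text):
    """Group requests by session ID; record client IPs and how the ID arrived."""
    sessions = defaultdict(lambda: {"ips": set(), "transports": []})
    sids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, url_sid, cookie_sid = parsed
        for sid in {url_sid, cookie_sid} - {None}:
            how = "+".join(n for n, v in (("url", url_sid), ("cookie", cookie_sid)) if v == sid)
            sessions[sid]["ips"].add(ip)
            sessions[sid]["transports"].append(how)
            sids_by_ip[ip].add(sid)
    return sessions, sids_by_ip

def shared_sessions(sessions):
    """Session IDs presented from more than one IP, e.g. a forwarded URL."""
    return sorted(sid for sid, d in sessions.items() if len(d["ips"]) > 1)

if __name__ == "__main__":
    for sid, d in sorted(analyse(SAMPLE_LOG)[0].items()):
        print(sid, sorted(d["ips"]), d["transports"])
```

In the sample, one IP carries two distinct sessions and one session ID arrives from two IPs, so neither question can be answered by grouping on IP.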



Re: [PHP] PHPSESSID used sporatically

2006-08-18 Thread Richard Lynch
On Wed, August 16, 2006 10:56 pm, Michael B Allen wrote:
> On Thu, 17 Aug 2006 12:06:08 +1000
> Chris [EMAIL PROTECTED] wrote:
>
> > Michael B Allen wrote:
> > > Searching through the logs and browsing my site (see sig) I sometimes see
> > > PHPSESSID is used as opposed to cookies. I know it's not simply that the
> > > client doesn't support cookies because I can see the same IP transition
> > > to and from using PHPSESSID. Can someone explain why this is happening?
> >
> > Is session.use_trans_sid switched on?
>
> Yes. It is. After reading about it I can't quite see what benefit it
> provides. Should I just turn it off?

If your userbase has been convinced by the idiot Media that Cookies
are Evil, you should just leave it on.

If you think COOKIES are somehow safer than GET args for data
transmission, turn it off. [*]

* Based on your Active Directory post, I'll assume you know COOKIE is
as amenable to sniffing as GET, and that the only potential differences
are:
1. Users seldom export and forward Cookies, but often send URLs to
their friends.
2. The dumbest of the dumb can munge a URL. Altering a Cookie requires
poking around in the Options... in current browsers, or editing text
files in older browsers.
3. Cookies can be set to be transmitted ONLY via SSL, which is good.
4. In PHP 5, with browsers that support it, Cookies can be sent only
over HTTP...  Though any Real Hacker (tm) could work around this
anyway, so it seems kinda pointless to me...

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] PHPSESSID used sporatically

2006-08-17 Thread Michael B Allen
On Thu, 17 Aug 2006 14:26:17 +1000
Chris [EMAIL PROTECTED] wrote:

> Michael B Allen wrote:
> > On Thu, 17 Aug 2006 12:06:08 +1000
> > Chris [EMAIL PROTECTED] wrote:
> >
> > > Michael B Allen wrote:
> > > > Searching through the logs and browsing my site (see sig) I sometimes see
> > > > PHPSESSID is used as opposed to cookies. I know it's not simply that the
> > > > client doesn't support cookies because I can see the same IP transition
> > > > to and from using PHPSESSID. Can someone explain why this is happening?
> > > Is session.use_trans_sid switched on?
> >
> > Yes. It is. After reading about it I can't quite see what benefit it
> > provides. Should I just turn it off?
>
> It depends on your site.
>
> If you do something like this for a search:
>
snip
>
> I could send someone a url with the sessionid on the end of it, and it
> won't have to do the bit in the middle, it will be able to jump right to
> the end (the foreach loop).

I'm not doing anything like that. Sessions are only used to prevent
duplicate form invocations. But my boilerplate code calls session_start
for all .php pages. I suppose I should be more selective to make things
a little more efficient.

But I'm still confused.

Why aren't cookies alone sufficient to satisfy the session code?

Is PHPSESSID used because of some kind of transition from a PHP page
that calls session_start to a page that does not?

Does session.use_trans_sid simply enable the PHPSESSID in URLs or does
it have a deeper semantic?

The URLs for the tabs on my site are not dynamically generated and yet
they're being rewritten. Is that PHP or Apache doing that?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/




Re: [PHP] PHPSESSID used sporatically

2006-08-17 Thread Michael B Allen
On Thu, 17 Aug 2006 12:06:08 +1000
Chris [EMAIL PROTECTED] wrote:

> Michael B Allen wrote:
> > Searching through the logs and browsing my site (see sig) I sometimes see
> > PHPSESSID is used as opposed to cookies. I know it's not simply that the
> > client doesn't support cookies because I can see the same IP transition
> > to and from using PHPSESSID. Can someone explain why this is happening?
>
> Is session.use_trans_sid switched on?

Yes. It is. After reading about it I can't quite see what benefit it
provides. Should I just turn it off?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/




[PHP] PHPSESSID used sporatically

2006-08-16 Thread Michael B Allen
Searching through the logs and browsing my site (see sig) I sometimes see
PHPSESSID is used as opposed to cookies. I know it's not simply that the
client doesn't support cookies because I can see the same IP transition
to and from using PHPSESSID. Can someone explain why this is happening?

I'm using PHP 4.

Thanks,
Mike
-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/




Re: [PHP] PHPSESSID used sporatically

2006-08-16 Thread Chris

Michael B Allen wrote:

> Searching through the logs and browsing my site (see sig) I sometimes see
> PHPSESSID is used as opposed to cookies. I know it's not simply that the
> client doesn't support cookies because I can see the same IP transition
> to and from using PHPSESSID. Can someone explain why this is happening?


Is session.use_trans_sid switched on?

(Check a phpinfo page).

--
Postgresql & php tutorials
http://www.designmagick.com/




Re: [PHP] PHPSESSID used sporatically

2006-08-16 Thread Chris

Michael B Allen wrote:

> On Thu, 17 Aug 2006 12:06:08 +1000
> Chris [EMAIL PROTECTED] wrote:
>
> > Michael B Allen wrote:
> > > Searching through the logs and browsing my site (see sig) I sometimes see
> > > PHPSESSID is used as opposed to cookies. I know it's not simply that the
> > > client doesn't support cookies because I can see the same IP transition
> > > to and from using PHPSESSID. Can someone explain why this is happening?
> >
> > Is session.use_trans_sid switched on?
>
> Yes. It is. After reading about it I can't quite see what benefit it
> provides. Should I just turn it off?


It depends on your site.

If you do something like this for a search:

<?php
// ...

// Run the search only when this session has no cached results yet
if (!isset($_SESSION['SearchResults']) ||
    empty($_SESSION['SearchResults'])) {

  // ...

  $result = $db->query($search_query);
  $search_results = array();
  while ($row = $db->fetch($result)) {
    $search_results[] = $row;
  }
  $_SESSION['SearchResults'] = $search_results;
}

// Display whatever results are stored in the session
foreach ($_SESSION['SearchResults'] as $k => $details) {

}


I could send someone a url with the sessionid on the end of it, and it 
won't have to do the bit in the middle, it will be able to jump right to 
the end (the foreach loop).



If you don't do something like that, then you probably don't need the 
trans_sid on.


so it depends on your site and your code.

--
Postgresql & php tutorials
http://www.designmagick.com/
