[PHP] Problem with session on first page loaded
Hi all, I have an extrange problem with the session cookie: In all my pages there I have this two lines to start the session: session_name('jcwse'); session_start(); When I access my website, at any page, everytyhink works OK, and the session cookie is set with no problem except for links. In the fist page I aceess, all links are appended with the session ID. I mean that in every link, the ?jcwse=da22311212 ... is appended. This occurs just on the load of first page (not any else). If I reload the page, then links are formed correctly with no session ID (And sessions works perfect). This problem only arises on my ISP hosting (Linux+Apache 1.3) and does not show on my devel computer (Windows+Apache 2.0). I've been searching the manual, but found no explanation about that. Any help will be really welcome. Regards, Jordi. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problem with session on first page loaded
shouldn't session_start() come first? also remember that your devel computer might have different settings in the PHP.ini file to that of your ISP, probably register_globals is set to off. I would check it. HTH Angelo Jordi Canals [EMAIL PROTECTED] 7/2/2004 11:14:28 AM Hi all, I have an extrange problem with the session cookie: In all my pages there I have this two lines to start the session: session_name('jcwse'); session_start(); When I access my website, at any page, everytyhink works OK, and the session cookie is set with no problem except for links. In the fist page I aceess, all links are appended with the session ID. I mean that in every link, the ?jcwse=da22311212 ... is appended. This occurs just on the load of first page (not any else). If I reload the page, then links are formed correctly with no session ID (And sessions works perfect). This problem only arises on my ISP hosting (Linux+Apache 1.3) and does not show on my devel computer (Windows+Apache 2.0). I've been searching the manual, but found no explanation about that. Any help will be really welcome. Regards, Jordi. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Disclaimer This e-mail transmission contains confidential information, which is the property of the sender. The information in this e-mail or attachments thereto is intended for the attention and use only of the addressee. Should you have received this e-mail in error, please delete and destroy it and any attachments thereto immediately. Under no circumstances will the Cape Technikon or the sender of this e-mail be liable to any party for any direct, indirect, special or other consequential damages for any use of this e-mail. For the detailed e-mail disclaimer please refer to http://www.ctech.ac.za/polic or call +27 (0)21 460 3911 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problem with session on first page loaded
Jordi Canals wrote: This problem only arises on my ISP hosting (Linux+Apache 1.3) and does not show on my devel computer (Windows+Apache 2.0). I've been searching the manual, but found no explanation about that. Sorry forgot it: The two platforms run PHP 4.3.7 Thanks again, Jordi. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problem with session on first page loaded
Angelo, thanks for your comments. session_name must go before session_start. I think register_globals has nothing to do with session cookies. I always work with register_globals = off as recommended. About the cookie params (In PHP.INI) I checked them on the two platforms with phpinfo() and are exactly the same. I'm relly lost with this issue. It is not a browser problem, because browsers are accepting (and saving) the cookies. I tested it with Firefox, MSIE and Mozilla, and always have the same issue. Why the first page loaded, and only the first one, passes the session ID on the URL? I think perhaps could be something related with the system trying to read the cookie on the same page that first created it. But don't find a way to solve it. Thanks for your time, Jordi. Angelo binc2 wrote: shouldn't session_start() come first? also remember that your devel computer might have different settings in the PHP.ini file to that of your ISP, probably register_globals is set to off. I would check it. HTH Angelo Jordi Canals [EMAIL PROTECTED] 7/2/2004 11:14:28 AM session_name('jcwse'); session_start(); -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problem with session on first page loaded
Jordi Canals wrote: Angelo, thanks for your comments. session_name must go before session_start. I think register_globals has nothing to do with session cookies. I always work with register_globals = off as recommended. About the cookie params (In PHP.INI) I checked them on the two platforms with phpinfo() and are exactly the same. I'm relly lost with this issue. It is not a browser problem, because browsers are accepting (and saving) the cookies. I tested it with Firefox, MSIE and Mozilla, and always have the same issue. Why the first page loaded, and only the first one, passes the session ID on the URL? I think perhaps could be something related with the system trying to read the cookie on the same page that first created it. But don't find a way to solve it. Thanks for your time, Jordi. Was your binary compiled with --enable-trans-sid? If so, I imagine the explanation would be something along the lines that because the session manager doesn't know whether you have cookies enabled until it gets a cookie back, it uses trans_sid. On the second page view, it gets a cookie, and starts using cookies instead. No research went into this; it's just a guess. ;) Torben -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problem with session on first page loaded
Lars Torben Wilson wrote: About the cookie params (In PHP.INI) I checked them on the two platforms with phpinfo() and are exactly the same. Was your binary compiled with --enable-trans-sid? If so, I imagine the explanation would be something along the lines that because the session manager doesn't know whether you have cookies enabled until it gets a cookie back, it uses trans_sid. On the second page view, it gets a cookie, and starts using cookies instead. Thanks Torben, The binary is not compiled with --enable-trans-sid. But I've seen that the ISP changed a param in the PHP.INI, and they changed session.use_trans_sid setting it to 1. I tested setting it on my devel computer and really now the problem reproduces here :) So I think this could be really the problem. Now I should talk to the provider to not set this parameter to ON by default, because the security risk on it (As stated on the manuals). On the sessions manuals, says that this parameter can only be set on PHP_INI_SYSTEM and PHP_INI_PERDIR, but in the ini_set() manual says it can be set in PHP_INI_ALL. I think the first is correct and the second is not as I tried setting it with ini_set with no result. I cannot understand this change from the provider as it is a security risk as the comments in PHP.INI says: ; trans sid support is disabled by default. ; Use of trans sid may risk your users security. ; Use this option with caution. ; - User may send URL contains active session ID ; to other person via. email/irc/etc. ; - URL that contains active session ID may be stored ; in publically accessible computer. ; - User may access your site with the same session ID ; always using URL stored in browser's history or bookmarks. Thanks for your valuable help. Now *I've seen where the problem is*, and I can look for a solution. Regards, Jordi. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Problem with session on first page loaded
Jordi Canals wrote: the ISP changed a param in the PHP.INI, and they changed session.use_trans_sid setting it to 1. [...] Now I should talk to the provider to not set this parameter to ON by default, because the security risk on it (As stated on the manuals). If they allow you to use .htaccess files, you can create one at the root of your application with the following: php_flag session.use_trans_sid off -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php