Re: [PHP] Re: Trying to make my session code smarter
On Wednesday 17 December 2003 01:33 am, Justin Patrin wrote: You can turn on URL rewriting for sessions. I'm not sure where it is just nowjust search the PHP docs. Yes I know about this feature. Unfortunately, its an insecure feature. http://us2.php.net/manual/en/ref.session.php http://us2.php.net/manual/en/ install.configure.php#install.configure.enable-trans-sid Any other ideas??? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Trying to make my session code smarter
--- Gerard Samuel [EMAIL PROTECTED] wrote: On Wednesday 17 December 2003 01:33 am, Justin Patrin wrote: You can turn on URL rewriting for sessions. I'm not sure where it is just nowjust search the PHP docs. Yes I know about this feature. Unfortunately, its an insecure feature. You can use GET data, POST data, or cookies. Since these users opt to not use cookies, and you seem to not want to use GET data, I suppose passing the information via POST is the only option left. :-) Hope that helps. Chris = Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Trying to make my session code smarter
On Wednesday 17 December 2003 11:58 am, Chris Shiflett wrote: You can use GET data, POST data, or cookies. Since these users opt to not use cookies, and you seem to not want to use GET data, I suppose passing the information via POST is the only option left. :-) Its not that I dont want to use GET, Im just heeding the warning about its insecurities from the manual. The code Im writing, is meant for others to use, and may not have access to ini directives. But from what I've read in the archives (http:// marc.theaimsgroup.com/?l=php-generalm=107116421414558w=2), that something may be doable within my code. Ill let it sit on the brain for a bit, and see what needs to be done, where I can safely use the url rewriting feature, for this small pecentage of users... Thanks -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Trying to make my session code smarter
--- Gerard Samuel [EMAIL PROTECTED] wrote: Its not that I dont want to use GET, Im just heeding the warning about its insecurities from the manual. The code Im writing, is meant for others to use, and may not have access to ini directives. But from what I've read in the archives (http://marc.theaimsgroup.com/?l=php-generalm=107116421414558w=2), that something may be doable within my code. Ill let it sit on the brain for a bit, and see what needs to be done, where I can safely use the url rewriting feature, for this small pecentage of users... There is an article on session security in PHP Magazine's free PDF: http://www.phpmag.net/ssl/phppdf/ Hope that helps. Chris = Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Trying to make my session code smarter
Gerard Samuel wrote: Currently in my code, if a user is blocking cookies (for what ever reason that may be), it keeps generating session ids for each page load. Is there a way to ignore and/or work around these users?? Thanks You can turn on URL rewriting for sessions. I'm not sure where it is just nowjust search the PHP docs. -- paperCrane Justin Patrin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php