RE: [PHP] Re: session cookies enabled?

2007-05-10 Thread Ford, Mike
On 09 May 2007 16:36, [EMAIL PROTECTED] wrote:

 Ford, Mike writes:
 
You can also set up php.ini and use the built-in sessions with
http://php.net/session_start so that PHP will take care of this
for you.
   
   That is what I was intending to do.  How do I find out
   whether or not the session cookie was accepted using the
   built-in sessions? I found no function for such a test.
  
  Check the SID constant after you've done session_start(). If it has
  an empty value, the session is using cookies; otherwise, it'll have
  a value of the form 'sessionname=sessionid', which is what is
  appended to the URL (or inserted in forms as a hidden value) to
  propagate the session-id.
 
 Interesting idea.
 
 This brings up a question.  In order to decide whether to use cookies
 or SID the built-in sessions must be testing to see if the user's
 browser will accept the session cookies.  How do they do that?

By sending it out and checking to see whether it comes back on the next page.

Assuming your setup is:

session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = On

Then the sequence is this:

1. The first page involving a session will *both* send the cookie *and* append 
the SID to URLs in the page.

2. So the next page request will return the SID, and if cookies are enabled 
also the cookie.

3. On starting the session for this page, PHP will first look for the cookie: 
if it's present, its value will be used and SID defined as empty; if not, the 
browser must not be accepting cookies, so the value from the URL query string 
is used and SID is defined with the matching string.

4. PHP now knows whether cookies are in use *for this request*, and *either* 
sends the cookie *or* appends the SID to URLs in the page.

5. Requests from this page will thus *either* return the cookie *or* include 
the SID as a URL get parameter.

6. Go back to 3.

Note that with this setup, you will *always* get at least one request with the 
SID in the URL.  Any site that doesn't do this has use_only_cookies turned on 
or/and use_trans_sid turned off.

 
 If they do it by the 2 page, send a cookie and see if it comes
 back to the second page method we have been talking about, then
 somehow, they are surreptitiously inserting a forward to a
 non-existent page!  Right?  How do they do that?

No, see above: they simply wait for the next regular page request to come in 
and see if the cookie came with it. Nothing surreptitious or super-clever.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
JG125, The Headingley Library,
James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 812 4730  Fax:  +44 113 812 3211 


To view the terms under which this email is distributed, please go to 
http://disclaimer.leedsmet.ac.uk/email.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
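
The six-step sequence in Mike's message can be replayed offline. The following is an added example, not code from the thread or from PHP itself: a simplified model (PHP 7+, run from the command line) in which the negotiate() and browse() helpers, the session name and the generated ids are all constructed for illustration.

```php
<?php
// Added example: a simplified model of the sequence in the post, not PHP's own code.
// $ini mirrors the php.ini switches; $cookies/$query stand in for $_COOKIE/$_GET.
const NAME = 'PHPSESSID';

function negotiate(array $ini, array $cookies, array $query): array
{
    $id = null;
    $viaCookie = false;
    if ($ini['use_cookies'] && isset($cookies[NAME])) {
        $id = $cookies[NAME];            // step 3: cookie present, SID is empty
        $viaCookie = true;
    } elseif (!$ini['use_only_cookies'] && isset($query[NAME])) {
        $id = $query[NAME];              // step 3: no cookie, take the URL value
    }
    $isNew = ($id === null);
    if ($isNew) {
        $id = bin2hex(random_bytes(8));  // step 1: first page, new (constructed) id
    }
    $sid = $viaCookie ? '' : NAME . '=' . $id;
    return [
        'id'         => $id,
        'SID'        => $sid,
        // steps 1 and 4: the cookie goes out on a new session or when it came back
        'set_cookie' => $ini['use_cookies'] && ($isNew || $viaCookie),
        // URLs carry the id only when SID is set (assumed: cookie-only disables this)
        'id_in_urls' => $sid !== '' && $ini['use_trans_sid'] && !$ini['use_only_cookies'],
    ];
}

// Replay a few page views for one browser and record what each response exposes.
function browse(array $ini, bool $acceptsCookies, int $requests = 3): array
{
    $jar = $query = $log = [];
    for ($n = 1; $n <= $requests; $n++) {
        $r = negotiate($ini, $jar, $query);
        $log[] = sprintf('request %d: SID %s, id in URLs: %s', $n,
            $r['SID'] === '' ? 'empty' : 'set', $r['id_in_urls'] ? 'yes' : 'no');
        if ($r['set_cookie'] && $acceptsCookies) {
            $jar[NAME] = $r['id'];       // the browser keeps the cookie
        }
        $query = $r['id_in_urls'] ? [NAME => $r['id']] : [];  // next link followed
    }
    return $log;
}

$posted     = ['use_cookies' => true, 'use_only_cookies' => false, 'use_trans_sid' => true];
$cookieOnly = ['use_cookies' => true, 'use_only_cookies' => true,  'use_trans_sid' => false];
foreach (['settings from the post' => $posted, 'cookie-only' => $cookieOnly] as $label => $ini) {
    foreach ([true, false] as $accepts) {
        echo "$label, cookies ", $accepts ? 'accepted' : 'refused', ":\n  ",
            implode("\n  ", browse($ini, $accepts)), "\n";
    }
}
```

With the posted settings the first response always puts the id in the page's URLs, whether or not the browser accepts cookies; with the cookie-only settings the id never reaches a URL, and a browser that refuses cookies gets a fresh session on every request.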



RE: [PHP] Re: session cookies enabled?

2007-05-10 Thread ccspencer
Mike, 

Thanks for the super clear explanation. 

This brings up a question.  In order to decide whether to use 
cookies or SID the built-in sessions must be testing to see if 
the user's browser will accept the session cookies.  How do 
they do that?


By sending it out and checking to see whether it comes back on 
the next page.


... 


That being the case I can never find out (using the built-in
sessions) until the second page request and it will always
include the session cookie in the URL.  Which means the value
of the session cookie will be exposed, even if I am using SSL. 

:(  Back to the drawing board... 

Best, 

Craig 



--
- Virtual Phonecards - Instant Pin by Email  -
-   Large Selection - Great Rates-
- http://speedypin.com/?aff=743co_branded=1 -
-- 



**
**
*  Craig Spencer *
*  [EMAIL PROTECTED]*
**
** 





Re: [PHP] Re: session cookies enabled?

2007-05-10 Thread Richard Davey

[EMAIL PROTECTED] wrote:


That being the case I can never find out (using the built-in
sessions) until the second page request and it will always
include the session cookie in the URL.  Which means the value
of the session cookie will be exposed, even if I am using SSL.
:(  Back to the drawing board...


While using TRANS IDs are ugly, they will show no more or less 
information to the user than a session cookie contains. Most browsers 
have built-in support for viewing cookie contents these days. Doing so 
will show your PHP Session ID clearly. Trans IDs are no different, just 
more 'obvious' being in the URL and all. The actual data displayed is 
the same however.


Cheers,

Rich


--
Zend Certified Engineer
http://www.corephp.co.uk

Never trust a computer you can't throw out of a window




Re: [PHP] Re: session cookies enabled?

2007-05-10 Thread Edward Vermillion


On May 10, 2007, at 11:40 AM, Richard Davey wrote:


[EMAIL PROTECTED] wrote:


That being the case I can never find out (using the built-in
sessions) until the second page request and it will always
include the session cookie in the URL.  Which means the value
of the session cookie will be exposed, even if I am using SSL.
:(  Back to the drawing board...


While using TRANS IDs are ugly, they will show no more or less  
information to the user than a session cookie contains. Most  
browsers have built-in support for viewing cookie contents these  
days. Doing so will show your PHP Session ID clearly. Trans IDs are  
no different, just more 'obvious' being in the URL and all. The  
actual data displayed is the same however.




And the session id is open to being stored in a bookmark or worse,  
sent to someone else through a cut and paste of the URL.


Depending on what information that id controls and how long the  
sessions are kept around id's in the URL could be a very bad thing  
indeed.


Ed




Re: [PHP] Re: session cookies enabled?

2007-05-10 Thread Richard Davey

Edward Vermillion wrote:

And the session id is open to being stored in a bookmark or worse, sent 
to someone else through a cut and paste of the URL.


Depending on what information that id controls and how long the sessions 
are kept around id's in the URL could be a very bad thing indeed.


Agreed (depending entirely on how your app was written), my point was 
simply that a trans ID will never give away anything more than a cookie 
does. In that respect, they're identical.


Cheers,

Rich
--
Zend Certified Engineer
http://www.corephp.co.uk

Never trust a computer you can't throw out of a window




RE: [PHP] Re: session cookies enabled?

2007-05-09 Thread Ford, Mike
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: 08 May 2007 20:57

  You can also set up php.ini and use the built-in sessions with 
  http://php.net/session_start so that PHP will take care of this for 
  you.
 
 That is what I was intending to do.  How do I find out 
 whether or not the session cookie was accepted using the 
 built-in sessions? I found no function for such a test. 

Check the SID constant after you've done session_start(). If it has an
empty value, the session is using cookies; otherwise, it'll have a value
of the form 'sessionname=sessionid', which is what is appended to the
URL (or inserted in forms as a hidden value) to propagate the
session-id.

Cheers!

Mike
 


Mike Ford, Electronic Information Services Adviser,
JG125, The Headingley Library, James Graham Building,
Headingley Campus, Beckett Park, LEEDS, LS6 3QS
United Kingdom
Tel: +44 113 812 4730 Fax: +44 113 812 3211





[PHP] Re: session cookies enabled?

2007-05-09 Thread ccspencer
Ford, Mike writes: 

 You can also set up php.ini and use the built-in sessions with 
 http://php.net/session_start so that PHP will take care of this for 
 you. 

That is what I was intending to do.  How do I find out 
whether or not the session cookie was accepted using the 
built-in sessions? I found no function for such a test. 


Check the SID constant after you've done session_start(). If it has an
empty value, the session is using cookies; otherwise, it'll have a value
of the form 'sessionname=sessionid', which is what is appended to the
URL (or inserted in forms as a hidden value) to propagate the
session-id.


Interesting idea. 


This brings up a question.  In order to decide whether to use cookies
or SID the built-in sessions must be testing to see if the user's
browser will accept the session cookies.  How do they do that? 


If they do it by the 2 page, send a cookie and see if it comes
back to the second page method we have been talking about, then
somehow, they are surreptitiously inserting a forward to a
non-existent page!  Right?  How do they do that? 

Best, 

Craig 






Re: [PHP] Re: session cookies enabled?

2007-05-09 Thread Richard Lynch
On Wed, May 9, 2007 10:36 am, [EMAIL PROTECTED] wrote:
 This brings up a question.  In order to decide whether to use cookies
 or SID the built-in sessions must be testing to see if the user's
 browser will accept the session cookies.  How do they do that?

The same way you would do it.

Actually, they might have just used:

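$cookie_name = session_name();
if (isset($_COOKIE[$cookie_name])){
  // the browser returned the cookie
  $session_id = $_COOKIE[$cookie_name];
}
elseif (isset($_REQUEST[$cookie_name])){
  // no cookie: fall back to the id passed in the URL or a form field
  $session_id = $_REQUEST[$cookie_name];
}
else{
  // no id anywhere: first visit, so make a new one
  $session_id = uniqid();
}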

 If they do it by the 2 page, send a cookie and see if it comes
 back to the second page method we have been talking about, then
 somehow, they are surreptitiously inserting a forward to a
 non-existent page!  Right?  How do they do that?


No, that's not how it works.

JUST send the dang cookie on every page.

And check if it's there on every page.

And whatever first page the user gets to, with no cookie, be sure you
send them suitable content for having no cookie.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




[PHP] Re: session cookies enabled?

2007-05-08 Thread ccspencer
Richard Lynch writes: 


How does one check to see if the user's browser accepts
session cookies?


Apparently I should have said cookie and left off the 's' as
that is what I had in mind. 

Send one cookie, see if it comes back, and if it does, tie 
everything to that cookie.


OK.  So how do I see if it comes back? 


I send the user a page that tries to set a session cookie.  That
page would then have to forward him to a second page which would
check for the cookie being sent.  Right? 

So there is nothing I can check so I can do it with a single page? 


You can also set up php.ini and use the built-in sessions with
http://php.net/session_start so that PHP will take care of this 
for you.


That is what I was intending to do.  How do I find out whether
or not the session cookie was accepted using the built-in sessions?
I found no function for such a test. 

Best, 

Craig 







[PHP] Re: session cookies enabled?

2007-05-08 Thread itoctopus
setcookie('cookie_name', 'value');
//redirect to another page using header
header('Location: ' . $your_url);
exit; //stop this page; the check below belongs in $your_url

//check in $your_url for the presence of the cookie
if (isset($_COOKIE['cookie_name']) && $_COOKIE['cookie_name'] == 'value'){
//cookies are enabled - add your code
}
else{
//cookies are disabled - add your code
}

Hope that helps!


-- 
itoctopus - http://www.itoctopus.com
[EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 Richard Lynch writes:
 How does one check to see if the user's browser accepts
 session cookies?

 Apparently I should have said cookie and left off the 's' as
 that is what I had in mind.
 Send one cookie, see if it comes back, and if it does, tie everything to 
 that cookie.

 OK.  So how do I see if it comes back?
 I send the user a page that tries to set a session cookie.  That
 page would then have to forward him to a second page which would
 check for the cookie being sent.  Right?
 So there is nothing I can check so I can do it with a single page?
 You can also set up php.ini and use the built-in sessions with
 http://php.net/session_start so that PHP will take care of this for you.

 That is what I was intending to do.  How do I find out whether
 or not the session cookie was accepted using the built-in sessions?
 I found no function for such a test.
 Best,
 Craig





Re: [PHP] Re: session cookies enabled?

2007-05-08 Thread Richard Lynch
On Tue, May 8, 2007 2:56 pm, [EMAIL PROTECTED] wrote:
 Richard Lynch writes:
 Send one cookie, see if it comes back, and if it does, tie
 everything to that cookie.

 OK.  So how do I see if it comes back?

if (isset($_COOKIE['foo'])){
  //cookie came back
}
else{
  //cookie did NOT come back
}

 I send the user a page that tries to set a session cookie.  That
 page would then have to forward him to a second page which would
 check for the cookie being sent.  Right?

Yes.

Send the cookie with the homepage, login page, or whatever they are
first going to see.

Don't show them anything they shouldn't see without the cookie.

Check if they have a cookie.

It's probably best to just do all this in an include file that you
pull in on any page that needs cookies.

You can even make the include file abort the rest of the page output
if you want to require them to login with a valid session before going
any further.

 So there is nothing I can check so I can do it with a single page?

Oh.

No.

It does seem like that would be a Nifty thing for the browser to have
sent with the first request, but that's just not the way it works.

It's an inherent 2-request process.

HTTP Request - Reply with Cookie - HTTP Request with Cookie (or not)

You'd have to duke it out with Mozilla and Microsoft to get that to
change, and they probably aren't gonna want to send a
pre-acceptance-of-cookie letter of intent with every HTTP request...

Especially not when the vast majority of HTTP requests don't need
cookies anyway...  Well, I never did a statistical analysis of that,
but across the 'net as a whole?  Yeah, I think it's a pretty safe
statement...

 You can also set up php.ini and use the built-in sessions with
 http://php.net/session_start so that PHP will take care of this
 for you.

 That is what I was intending to do.  How do I find out whether
 or not the session cookie was accepted using the built-in sessions?

You don't.

You turn on the Cookies and the trans_sid in php.ini, and let PHP
worry about whether it was cookies or not and re-write your URLs if it
wasn't.

Or maybe it just re-writes them no matter what anyway, but prefers the
Cookie if it's there?

Whatever.

If, after doing that, you still feel the need to know if they used a
cookie or not, then you can use http://php.net/set_session_params and
choose a cookie/session name, and then you can test with:
if (isset($_COOKIE['whatever_you_chose_in_set_session_params'])){
}
and then you'll know if they used Cookies or Trans SID in URL...

But you won't really care, as all the info you need is in $_SESSION
either way, so it doesn't matter if they used a cookie or the ID in
the URL or sent a little squirrel along the wire with an engraved
acorn.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
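
The include-file approach described in this message, combined with the concern raised elsewhere in the thread about session ids ending up in bookmarked or pasted URLs, could look like the following. This is an added example, not code posted by anyone in the thread; the file name session_guard.php, the helper names, the $_SESSION['user'] key and the HTTPS-only site are assumptions.

```php
<?php
// Added example (hypothetical include file session_guard.php), not from the thread.
// Assumes an HTTPS-only site and that the file is included before any output.

// The setup discussed in the thread lets the id travel in URLs:
//   session.use_cookies = On, session.use_only_cookies = Off, session.use_trans_sid = On
// Cookie-only alternative applied here:
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1'); // ignore any session id supplied in the URL
ini_set('session.use_trans_sid', '0');    // never append the id to links or forms
ini_set('session.cookie_secure', '1');    // send the cookie over HTTPS only
ini_set('session.cookie_httponly', '1');  // keep the id out of reach of page scripts

session_start();

/** True when the browser returned the session cookie with this request. */
function session_cookie_came_back(): bool
{
    return isset($_COOKIE[session_name()]);
}

/** Abort the rest of the page unless a cookie-backed, logged-in session exists. */
function require_login(): void
{
    if (!session_cookie_came_back() || empty($_SESSION['user'])) {
        http_response_code(403);
        echo 'Please log in. Cookies must be enabled to use this site.';
        exit;
    }
}

/** Call once credentials have been verified: switch to a fresh session id. */
function mark_logged_in(string $user): void
{
    session_regenerate_id(true); // an id issued before login stops being valid
    $_SESSION['user'] = $user;
}
```

The login page itself includes the file without calling require_login(), so the first response only sets the cookie; the login form submission is the second request, and that is where the cookie check can succeed.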




Re: [PHP] Re: session cookies enabled?

2007-05-08 Thread Richard Lynch
On Tue, May 8, 2007 5:50 pm, itoctopus wrote:
 setcookie('cookie_name', 'value');
 //redirect to another page using header
 header('Location: ' . $your_url);

This will fail on some legacy browsers, if you need legacy browser
support.

In *MOST* architectures, your visitor can be given the cookie on a
page before the cookie-needing page, or they can be given alternate
content (i.e., a login) until you are happy with whatever cookie (and
its implied state of existence) are presented.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
