RE: [PHP] url rewriting within sessions - confused newbie needs help

On 11 December 2003 19:58, Peter Walter wrote:

> > I hope you mean session_start().
>
> Yes, I did. Getting a bit dyslexic nowadays.
>
> > Well, you would, because PHP would use the value from the PHPSESSID= URL parameter.
>
> ... except that on the second call, the url (as displayed by the browser) does not contain the PHPSESSID parameter, yet I am still able to retrieve the session variables correctly ...

Well, that seems right (and is different from your previous explanation). Go back and read my original description of the process -- especially steps 5 and 6. Once PHP knows that your browser is accepting cookies, it stops appending the PHPSESSID= URL parameters, and the cookie takes over the job.

Cheers!

Mike

-
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] url rewriting within sessions - confused newbie needs help

On 11 December 2003 16:54, Peter Walter wrote:

> Jason,
>
> Thanks for your help. It is a little clearer to me now. However, I have visited php sites that *claim* to be using session management but where the links do not have the session id appended, and there are no variables being passed in the url for links. The url is always in the form www.somesite.com/index.php or just www.somesite.com. In these cases, how is the url rewriting being suppressed for the links on the page? I simply want to understand the technique.

If url rewriting (session.use_trans_sid) is enabled, and your browser is accepting cookies, then the sequence of events goes like this:

1. First request to your site -- browser has no cookie set, so cannot send it.
2. PHP responds with a page, including a header to set the PHPSESSID cookie; because, at this stage, PHP has no idea whether your browser will accept cookies, it also rewrites all URLs contained in the page to include a PHPSESSID= parameter.
3. Your browser displays the page, and sets the cookie.
4. You click a link to get the next page -- in addition to sending a request for the URL containing the PHPSESSID= parameter, your browser also sends the newly-set PHPSESSID cookie.
5. PHP responds with the new page, but, because it has received the PHPSESSID cookie in the previous step it now knows your browser is accepting cookies and does not bother to do any URL rewriting.
6. None of the URLs in the new page have the PHPSESSID= parameter appended -- transmission of the session id is now solely via the PHPSESSID cookie.

Various things can influence this behaviour:

- If your browser is not accepting cookies, URL rewriting will always occur and you will continue to see PHPSESSID= parameters appended.
- If session.use_trans_sid is not set, PHP will do no URL rewriting but will attempt to use cookies (if enabled) -- if your browser doesn't accept cookies, sessions will fail to work (unless you manually append PHPSESSID= parameters where needed -- the SID built-in constant is provided for this).
- If session.use_cookies is not set, PHP will not even attempt to use a cookie for the session id.
- If session.use_only_cookies is set, PHP will use *only* cookies to store the session id -- again, if your browser is not accepting cookies, sessions will not work.

As you can see, there are many ways of setting this up, with a few subtle nuances -- and some of the combinations don't actually make much sense (use_trans_sid=1 and use_only_cookies=1, for instance). Note that you *can* set it up so that PHP does no automatic PHPSESSID setting at all (use_trans_sid=0 and use_cookies=0) -- then it's up to you to manually append the PHPSESSID= parameter to all appropriate URLs.

Cheers!

Mike

-
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

Re: [PHP] url rewriting within sessions - confused newbie needs help

Mike,

Thanks for the additional explanation, and I understand the sequence of events as you described. However, please bear with me a bit - the results I am getting do not quite match your explanation. Let me clarify what I am doing:

I have a page (index.php) which starts out by calling start_session(), then emits some html code containing some form variables for search criteria. After the form variables, I have a submit button that refers to index.php. Following that, I have php logic that extracts the search criteria (if set) from $HTTP_POST_VARS, performs a MySQL query, then creates a table of results (if any); one of the table entries contains an a href= link to determine which row the user selected.

The first time I load the page, I assume the session is created by start_session(), and the cookie is sent to the browser. When I click on the submit button, the page is reloaded - I assume with the session active - as per your explanation. According to the documentation I have read, the second time the page is loaded, start_session() will simply reuse the existing session parameters. At this point, the browser should already have the cookie - if it did not, I would not be able to retrieve the session variables - but the url links in the table are still rewritten. I do not understand why.

Being new to the stateless paradigm of web applications, and to php, I feel a bit nervous about coding when I do not quite grasp what is going on.

Peter

Ford, Mike [LSS] wrote:

> On 11 December 2003 16:54, Peter Walter wrote:
>
> > Jason,
> >
> > Thanks for your help. It is a little clearer to me now. However, I have visited php sites that *claim* to be using session management but where the links do not have the session id appended, and there are no variables being passed in the url for links. The url is always in the form www.somesite.com/index.php or just www.somesite.com. In these cases, how is the url rewriting being suppressed for the links on the page? I simply want to understand the technique.
>
> If url rewriting (session.use_trans_sid) is enabled, and your browser is accepting cookies, then the sequence of events goes like this:
>
> 1. First request to your site -- browser has no cookie set, so cannot send it.
> 2. PHP responds with a page, including a header to set the PHPSESSID cookie; because, at this stage, PHP has no idea whether your browser will accept cookies, it also rewrites all URLs contained in the page to include a PHPSESSID= parameter.
> 3. Your browser displays the page, and sets the cookie.
> 4. You click a link to get the next page -- in addition to sending a request for the URL containing the PHPSESSID= parameter, your browser also sends the newly-set PHPSESSID cookie.
> 5. PHP responds with the new page, but, because it has received the PHPSESSID cookie in the previous step it now knows your browser is accepting cookies and does not bother to do any URL rewriting.
> 6. None of the URLs in the new page have the PHPSESSID= parameter appended -- transmission of the session id is now solely via the PHPSESSID cookie.
>
> Various things can influence this behaviour:
>
> - If your browser is not accepting cookies, URL rewriting will always occur and you will continue to see PHPSESSID= parameters appended.
> - If session.use_trans_sid is not set, PHP will do no URL rewriting but will attempt to use cookies (if enabled) -- if your browser doesn't accept cookies, sessions will fail to work (unless you manually append PHPSESSID= parameters where needed -- the SID built-in constant is provided for this).
> - If session.use_cookies is not set, PHP will not even attempt to use a cookie for the session id.
> - If session.use_only_cookies is set, PHP will use *only* cookies to store the session id -- again, if your browser is not accepting cookies, sessions will not work.
>
> As you can see, there are many ways of setting this up, with a few subtle nuances -- and some of the combinations don't actually make much sense (use_trans_sid=1 and use_only_cookies=1, for instance). Note that you *can* set it up so that PHP does no automatic PHPSESSID setting at all (use_trans_sid=0 and use_cookies=0) -- then it's up to you to manually append the PHPSESSID= parameter to all appropriate URLs.
>
> Cheers!
>
> Mike
>
> -
> Mike Ford, Electronic Information Services Adviser,
> Learning Support Services, Learning Information Services,
> JG125, James Graham Building, Leeds Metropolitan University,
> Beckett Park, LEEDS, LS6 3QS, United Kingdom
> Email: [EMAIL PROTECTED]
> Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

RE: [PHP] url rewriting within sessions - confused newbie needs help

On 11 December 2003 18:01, Peter Walter wrote:

> Mike,
>
> Thanks for the additional explanation, and I understand the sequence of events as you described. However, please bear with me a bit - the results I am getting do not quite match your explanation. Let me clarify what I am doing:
>
> I have a page (index.php) which starts out by calling start_session(),

I hope you mean session_start().

> then emits some html code containing some form variables for search criteria. After the form variables, I have a submit button that refers to index.php. Following that, I have php logic that extracts the search criteria (if set) from $HTTP_POST_VARS, performs a MySQL query, then creates a table of results (if any); one of the table entries contains an a href= link to determine which row the user selected.
>
> The first time I load the page, I assume the session is created by start_session(), and the cookie is sent to the browser. When I click on the submit button, the page is reloaded - I assume with the session active - as per your explanation. According to the documentation I have read, the second time the page is loaded, start_session() will simply reuse the existing session parameters. At this point, the browser should already have the cookie - if it did not, I would not be able to retrieve the session variables

Well, you would, because PHP would use the value from the PHPSESSID= URL parameter.

> - but the url links in the table are still rewritten. I do not understand why.

My immediate reaction to this is that session.use_cookies must be set to 0 (or Off) in your php.ini (or equivalent). Have you checked this? If it looks correct, what does a phpinfo() page show?

Cheers!

Mike

-
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
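
Added example (not part of the thread): a diagnostic page for the check suggested in the message above, reporting the three session.* settings and whether the session id arrived by cookie or by URL on this request. The file name sessdiag.php, the helper ini_flag() and the hits counter are assumptions made for this sketch; it is written for current PHP (7 or later).

```php
<?php
// Added diagnostic sketch, not code from the thread. Save it on the site in
// question (file name sessdiag.php is an assumption) and load it twice:
// once fresh, then again through the link it prints.

session_start();

// php.ini booleans reach ini_get() as "1" or "" ("On"/"Off" if set by ini_set)
function ini_flag(string $name): bool
{
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

$name      = session_name();          // normally PHPSESSID
$viaCookie = isset($_COOKIE[$name]);  // browser sent the cookie back
$viaUrl    = isset($_GET[$name]);     // id arrived as a URL parameter
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

$report = [
    'session.use_cookies'      => ini_flag('session.use_cookies'),
    'session.use_only_cookies' => ini_flag('session.use_only_cookies'),
    'session.use_trans_sid'    => ini_flag('session.use_trans_sid'),
    'cookie received'          => $viaCookie,
    'id received in URL'       => $viaUrl,
    'hits in this session'     => $_SESSION['hits'],
];

header('Content-Type: text/html; charset=utf-8');
echo "<pre>\n";
foreach ($report as $label => $value) {
    $shown = is_bool($value) ? ($value ? 'yes' : 'no') : $value;
    printf("%-26s %s\n", $label, $shown);
}
echo "</pre>\n";

// A relative link: when use_trans_sid is on and no cookie was received,
// PHP rewrites this href in the output to carry the session id.
echo '<a href="sessdiag.php">reload through a link</a>' . "\n";

if (!ini_flag('session.use_cookies')) {
    echo "<p>session.use_cookies is off: only URL parameters carry the id.</p>\n";
} elseif ($viaCookie) {
    echo "<p>The cookie is arriving, so links should no longer be rewritten.</p>\n";
} else {
    echo "<p>No cookie on this request: expect rewritten links if use_trans_sid is on.</p>\n";
}
```

The page reports only whether an id arrived, never the id itself, so its output can be pasted into a list post without handing out a live session.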