Re: [PHP] session id changing all the time on some pc's
Zilvinas Saltys [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> On Fri, 2 Jul 2004 22:45:23 + Curt Zirzow [EMAIL PROTECTED] wrote:
> > * Thus wrote Torsten Roehr:
> > > Zilvinas Saltys [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > > The only thing I want to know is all the truth about IE (6?) and cookies :) Heeelp :)
> > >
> > > Sorry to say that but just DO NOT use cookies. You will always have problems with users having weird cookie settings in their browser. Cookies are fine for intranets where you know the infrastructure you are dealing with. Passing the session id via GET/POST may be ugly but makes you independent of the browser's cookie settings.
> >
> > I would strongly discourage trans_id with sessions that contain sensitive data.
>
> Yes it does contain sensitive data.. And those people can't work with that data because of IE... Those people have to travel from place to place. They can't use Mozilla everywhere or change the IE settings or even to turn the zone alarm off... So what are your suggestions? Using trans sid is the only solution as I see now.. No matter how unsafe it is.. Or it looks or works ugly.. That is the problem :)

Use SSL and if possible a Virtual Private Network (VPN). You can also call session_regenerate_id() after successful login:
http://de.php.net/session_regenerate_id

This adds a bit of additional security because the session id that might be public before the login will not be of any use to a potential attacker because it will change after login.

Don't use session.use_trans_sid = 1 because it won't work with form actions and some other elements. I recommend manually adding the session id to all your links, form actions and header(location) calls.

Hope this helps a bit.

Regards, Torsten

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] session id changing all the time on some pc's
Matthew Sims [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > No, this is exactly what I wanted to know. But it would contradict everything I experienced with sessions until now - and it does. I just tested your code (with session_start() also at the top of page2). It does not work because there is absolutely no relation between page1 and page2 with your code. In this case a new session is being started on page two. You have got to pass the session id from one page to another (when not using a cookie) otherwise it won't work and rightly so.
>
> Ah, you are so correct. My apologies. Without cookies turned on then the session id is different with each page. Bleh.
> Okay...so...ignore all that I said. :)
> So I guess $_GET is the only option...that sucks. Sorry dude.

Hi Matthew, there's no reason to apologize. I would have loved to see a non-cookie solution with transparent session id use.

Regards, Torsten
Re: [PHP] session id changing all the time on some pc's
Torsten Roehr [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Zilvinas Saltys [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > On Fri, 2 Jul 2004 22:45:23 + Curt Zirzow [EMAIL PROTECTED] wrote:
> > > * Thus wrote Torsten Roehr:
> > > > Zilvinas Saltys [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > > > The only thing I want to know is all the truth about IE (6?) and cookies :) Heeelp :)
> > > >
> > > > Sorry to say that but just DO NOT use cookies. You will always have problems with users having weird cookie settings in their browser. Cookies are fine for intranets where you know the infrastructure you are dealing with. Passing the session id via GET/POST may be ugly but makes you independent of the browser's cookie settings.
> > >
> > > I would strongly discourage trans_id with sessions that contain sensitive data.
> >
> > Yes it does contain sensitive data.. And those people can't work with that data because of IE... Those people have to travel from place to place. They can't use Mozilla everywhere or change the IE settings or even to turn the zone alarm off... So what are your suggestions? Using trans sid is the only solution as I see now.. No matter how unsafe it is.. Or it looks or works ugly.. That is the problem :)
>
> Use SSL and if possible a Virtual Private Network (VPN). You can also call session_regenerate_id() after successful login:
> http://de.php.net/session_regenerate_id
>
> This adds a bit of additional security because the session id that might be public before the login will not be of any use to a potential attacker because it will change after login.
>
> Don't use session.use_trans_sid = 1 because it won't work with form actions and some other elements. I recommend manually adding the session id to all your links, form actions and header(location) calls.
>
> Hope this helps a bit.
>
> Regards, Torsten

One more thing. Store the user's browser id ($_SERVER['HTTP_USER_AGENT']) and/or his IP into the session and on each request compare the stored values to the current submitted values.

Regards, Torsten
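The two measures described in the message above (a new session id after a successful login, and comparing the stored browser id and/or IP on every request) could be combined as follows. This is an added example, not code posted in the thread; the function names, the `$bindIp` switch and the sample request values are assumptions made for illustration.

```php
<?php
// Added example: not code from this thread. Function names, the $bindIp
// switch and the sample request values below are assumptions.

/**
 * Fingerprint of the request properties the post suggests storing:
 * the browser id and, optionally, the client IP.
 */
function client_fingerprint(array $server, bool $bindIp): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        // Optional: clients behind proxy pools or on mobile networks can
        // change address mid-session, which would end their session.
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

/** Call once, directly after the credentials have been verified. */
function on_login_success(string $user, array $server, bool $bindIp = false): void
{
    // Issue a new id and delete the old session data, so an id that was
    // visible before login (for example in a URL) no longer identifies anything.
    session_regenerate_id(true);
    $_SESSION['user']        = $user;
    $_SESSION['bind_ip']     = $bindIp;
    $_SESSION['fingerprint'] = client_fingerprint($server, $bindIp);
}

/** Call on every protected page, after session_start(). */
function session_matches_client(array $server): bool
{
    if (!isset($_SESSION['user'], $_SESSION['fingerprint'], $_SESSION['bind_ip'])) {
        return false; // nobody is logged in on this session
    }
    // The User-Agent is supplied by the client, so this check only catches
    // reuse of a leaked id from a different browser; it does not replace SSL.
    $current = client_fingerprint($server, $_SESSION['bind_ip']);
    if (hash_equals($_SESSION['fingerprint'], $current)) {
        return true;
    }
    // Mismatch: treat the id as leaked and drop the server-side session.
    $_SESSION = [];
    session_destroy();
    return false;
}

// Command-line demonstration with constructed request data.
if (PHP_SAPI === 'cli') {
    session_start();
    $preLoginId = session_id();
    $owner = ['HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 6.0)', 'REMOTE_ADDR' => '192.0.2.10'];
    $other = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux)', 'REMOTE_ADDR' => '198.51.100.7'];

    on_login_success('alice', $owner);
    $idChanged = ($preLoginId !== session_id()); // id was replaced at login
    $ownerOk   = session_matches_client($owner); // same browser as at login
    $otherOk   = session_matches_client($other); // different browser: session destroyed

    var_dump($idChanged, $ownerOk, $otherOk);
}
```

On a real page, call session_start() first and send the user back to the login form whenever session_matches_client($_SERVER) returns false.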
Re: [PHP] session id changing all the time on some pc's
On Friday 02 July 2004 12:12 pm, Zilvinas Saltys wrote:
> I looked at server configurations but I couldn't find anything useful. I tried to change IE settings to accept all cookies but nothing changed. Maybe someone knows where's the problem..

I don't know of all the specifics of your situation, but I know when it happened to my code, it boiled down to a cookie problem. (I never experienced it first hand unless I turned off cookies in my own browser. I saw it was happening for other users on my code). So what I eventually did, was modified my code to work with browsers that do not store cookies (for whatever reason that may be). By that I mean to pass the session id in the url and in forms...
Re: [PHP] session id changing all the time on some pc's
On Fri, 2 Jul 2004 12:21:34 -0400 Gerard Samuel [EMAIL PROTECTED] wrote:
> On Friday 02 July 2004 12:12 pm, Zilvinas Saltys wrote:
> > I looked at server configurations but I couldn't find anything useful. I tried to change IE settings to accept all cookies but nothing changed. Maybe someone knows where's the problem..
>
> I don't know of all the specifics of your situation, but I know when it happened to my code, it boiled down to a cookie problem. (I never experienced it first hand unless I turned off cookies in my own browser. I saw it was happening for other users on my code). So what I eventually did, was modified my code to work with browsers that do not store cookies (for whatever reason that may be). By that I mean to pass the session id in the url and in forms...

I know I can pass the session id by url.. But this solution is ugly and hopefully not the only one there is.. The problem is as I understand IE is not accepting the cookie. So the session id always regenerates. Everything works fine with Mozilla. The strangest part of the show is some pc's that have IE installed accept those cookies. I turned 'accept ALL cookies'. Same result.. Maybe ... this could be a domain problem..

The only thing I want to know is all the truth about IE (6?) and cookies :) Heeelp :)
Re: [PHP] session id changing all the time on some pc's
Zilvinas Saltys [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> On Fri, 2 Jul 2004 12:21:34 -0400 Gerard Samuel [EMAIL PROTECTED] wrote:
> > On Friday 02 July 2004 12:12 pm, Zilvinas Saltys wrote:
> > > I looked at server configurations but I couldn't find anything useful. I tried to change IE settings to accept all cookies but nothing changed. Maybe someone knows where's the problem..
> >
> > I don't know of all the specifics of your situation, but I know when it happened to my code, it boiled down to a cookie problem. (I never experienced it first hand unless I turned off cookies in my own browser. I saw it was happening for other users on my code). So what I eventually did, was modified my code to work with browsers that do not store cookies (for whatever reason that may be). By that I mean to pass the session id in the url and in forms...
>
> I know I can pass the session id by url.. But this solution is ugly and hopefully not the only one there is.. The problem is as I understand IE is not accepting the cookie. So the session id always regenerates. Everything works fine with Mozilla. The strangest part of the show is some pc's that have IE installed accept those cookies. I turned 'accept ALL cookies'. Same result.. Maybe ... this could be a domain problem..
>
> The only thing I want to know is all the truth about IE (6?) and cookies :) Heeelp :)

Sorry to say that but just DO NOT use cookies. You will always have problems with users having weird cookie settings in their browser. Cookies are fine for intranets where you know the infrastructure you are dealing with. Passing the session id via GET/POST may be ugly but makes you independent of the browser's cookie settings.

Regards, Torsten Roehr
RE: [PHP] session id changing all the time on some pc's
Zilvinas Saltys wrote:
> The problem is as I understand IE is not accepting the cookie. So the session id always regenerates. Everything works fine with Mozilla.
> [...]
> The only thing I want to know is all the truth about IE (6?) and cookies :)

Could it be a problem with IE6 and P3P (http://www.w3.org/P3P/)? This is just hearsay, but a friend of mine told me about a problem he was having with IE6 and cookies in his application. He had to send a P3P header before some versions of IE would accept the cookie. I've read that P3P only applies to persistent cookies, but his was temporary and was still not working until he added this:

    header('P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"');

I have no first hand experience with this myself, and I haven't done the proper research to become familiar with it. Make of this what you will. :)

More information here:
http://www.computercops.biz/modules.php?name=Newsfile=printsid=837

HTH
Re: [PHP] session id changing all the time on some pc's
> Zilvinas Saltys [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > On Fri, 2 Jul 2004 12:21:34 -0400 Gerard Samuel [EMAIL PROTECTED] wrote:
> > > On Friday 02 July 2004 12:12 pm, Zilvinas Saltys wrote:
> > > > I looked at server configurations but I couldn't find anything useful. I tried to change IE settings to accept all cookies but nothing changed. Maybe someone knows where's the problem..
> > >
> > > I don't know of all the specifics of your situation, but I know when it happened to my code, it boiled down to a cookie problem. (I never experienced it first hand unless I turned off cookies in my own browser. I saw it was happening for other users on my code). So what I eventually did, was modified my code to work with browsers that do not store cookies (for whatever reason that may be). By that I mean to pass the session id in the url and in forms...
> >
> > I know I can pass the session id by url.. But this solution is ugly and hopefully not the only one there is.. The problem is as I understand IE is not accepting the cookie. So the session id always regenerates. Everything works fine with Mozilla. The strangest part of the show is some pc's that have IE installed accept those cookies. I turned 'accept ALL cookies'. Same result.. Maybe ... this could be a domain problem..
> >
> > The only thing I want to know is all the truth about IE (6?) and cookies :) Heeelp :)
>
> Sorry to say that but just DO NOT use cookies. You will always have problems with users having weird cookie settings in their browser. Cookies are fine for intranets where you know the infrastructure you are dealing with. Passing the session id via GET/POST may be ugly but makes you independent of the browser's cookie settings.
>
> Regards, Torsten Roehr

I can agree with this. I created an internal website for my company that requires login. And even then some users are restricted to certain areas of the website depending on their user level.

Passing the $_SESSION variables around was just plain easier than setting up cookies. I also felt I had a greater control over the whole process from login to logout.

Instead of passing the session_id through the URL ($_GET) just assign it to $_SESSION and pass that around. Then it'll stay transparent to the user.

--Matthew Sims
--http://killermookie.org
Re: [PHP] session id changing all the time on some pc's
Matthew Sims [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > Zilvinas Saltys [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > On Fri, 2 Jul 2004 12:21:34 -0400 Gerard Samuel [EMAIL PROTECTED] wrote:
> > > > On Friday 02 July 2004 12:12 pm, Zilvinas Saltys wrote:
> > > > > I looked at server configurations but I couldn't find anything useful. I tried to change IE settings to accept all cookies but nothing changed. Maybe someone knows where's the problem..
> > > >
> > > > I don't know of all the specifics of your situation, but I know when it happened to my code, it boiled down to a cookie problem. (I never experienced it first hand unless I turned off cookies in my own browser. I saw it was happening for other users on my code). So what I eventually did, was modified my code to work with browsers that do not store cookies (for whatever reason that may be). By that I mean to pass the session id in the url and in forms...
> > >
> > > I know I can pass the session id by url.. But this solution is ugly and hopefully not the only one there is.. The problem is as I understand IE is not accepting the cookie. So the session id always regenerates. Everything works fine with Mozilla. The strangest part of the show is some pc's that have IE installed accept those cookies. I turned 'accept ALL cookies'. Same result.. Maybe ... this could be a domain problem..
> > >
> > > The only thing I want to know is all the truth about IE (6?) and cookies :) Heeelp :)
> >
> > Sorry to say that but just DO NOT use cookies. You will always have problems with users having weird cookie settings in their browser. Cookies are fine for intranets where you know the infrastructure you are dealing with. Passing the session id via GET/POST may be ugly but makes you independent of the browser's cookie settings.
> >
> > Regards, Torsten Roehr
>
> I can agree with this. I created an internal website for my company that requires login. And even then some users are restricted to certain areas of the website depending on their user level.
>
> Passing the $_SESSION variables around was just plain easier than setting up cookies. I also felt I had a greater control over the whole process from login to logout.
>
> Instead of passing the session_id through the URL ($_GET) just assign it to $_SESSION and pass that around. Then it'll stay transparent to the user.

Could you describe the last paragraph a bit more in detail? Thanks in advance!

Torsten
Re: [PHP] session id changing all the time on some pc's
> > Instead of passing the session_id through the URL ($_GET) just assign it to $_SESSION and pass that around. Then it'll stay transparent to the user.
>
> Could you describe the last paragraph a bit more in detail? Thanks in advance!
>
> Torsten

What if you used this?

    session_start();
    $_SESSION['sid']=session_id($HTTP_GET_VARS['sid']);

Now as long as each of your pages has session_start() at the top, you can use $_SESSION['sid'] wherever.

To the mailing list: Am I doing this correctly?

--Matthew Sims
--http://killermookie.org
Re: [PHP] session id changing all the time on some pc's
On Friday 02 July 2004 02:13 pm, Torsten Roehr wrote:
> Passing the session id via GET/POST may be ugly but makes you independent of the browser's cookie settings.

I would have to agree...
Re: [PHP] session id changing all the time on some pc's
Matthew Sims [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > Instead of passing the session_id through the URL ($_GET) just assign it to $_SESSION and pass that around. Then it'll stay transparent to the user.
> >
> > Could you describe the last paragraph a bit more in detail? Thanks in advance!
> >
> > Torsten
>
> What if you used this?
>
>     session_start();
>     $_SESSION['sid']=session_id($HTTP_GET_VARS['sid']);
>
> Now as long as each of your pages has session_start() at the top, you can use $_SESSION['sid'] wherever.
>
> To the mailing list: Am I doing this correctly?

But somehow you have to pass the session id from page to page!?! By the way, the session id is always available as the constant SID.

Torsten
Re: [PHP] session id changing all the time on some pc's
> Matthew Sims [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > > Instead of passing the session_id through the URL ($_GET) just assign it to $_SESSION and pass that around. Then it'll stay transparent to the user.
> > >
> > > Could you describe the last paragraph a bit more in detail? Thanks in advance!
> > >
> > > Torsten
> >
> > What if you used this?
> >
> >     session_start();
> >     $_SESSION['sid']=session_id($HTTP_GET_VARS['sid']);
> >
> > Now as long as each of your pages has session_start() at the top, you can use $_SESSION['sid'] wherever.
> >
> > To the mailing list: Am I doing this correctly?
>
> But somehow you have to pass the session id from page to page!?! By the way, the session id is always available as the constant SID.
>
> Torsten

The $_SESSION['sid'] will follow from page to page. As long as the user stays in the current session, all $_SESSION variables will follow from page to page as long as session_start() is used.

--Matthew Sims
--http://killermookie.org
Re: [PHP] session id changing all the time on some pc's
Matthew Sims [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > Matthew Sims [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > > > Instead of passing the session_id through the URL ($_GET) just assign it to $_SESSION and pass that around. Then it'll stay transparent to the user.
> > > >
> > > > Could you describe the last paragraph a bit more in detail? Thanks in advance!
> > > >
> > > > Torsten
> > >
> > > What if you used this?
> > >
> > >     session_start();
> > >     $_SESSION['sid']=session_id($HTTP_GET_VARS['sid']);
> > >
> > > Now as long as each of your pages has session_start() at the top, you can use $_SESSION['sid'] wherever.
> > >
> > > To the mailing list: Am I doing this correctly?
> >
> > But somehow you have to pass the session id from page to page!?! By the way, the session id is always available as the constant SID.
> >
> > Torsten
>
> The $_SESSION['sid'] will follow from page to page. As long as the user stays in the current session, all $_SESSION variables will follow from page to page as long as session_start() is used.

OK, but HOW do you manage that the user stays in the current session. Usually this is made sure by passing the session id around. But obviously you are not doing this, are you?

Torsten
Re: [PHP] session id changing all the time on some pc's
> > The $_SESSION['sid'] will follow from page to page. As long as the user stays in the current session, all $_SESSION variables will follow from page to page as long as session_start() is used.
>
> OK, but HOW do you manage that the user stays in the current session. Usually this is made sure by passing the session id around. But obviously you are not doing this, are you?
>
> Torsten

As long as the user keeps his browser pointing at your site, then they'll stay in the current session. The moment they shut down the web browser, the session is lost.

When the user first comes to your site, assign the session_id to a $_SESSION variable. Then as the user jumps from page to page, check the $_SESSION variable with the session_id on that page.

Try this, on the front page:

    session_start();
    $_SESSION['sid']=session_id();

On another page:

    if ($_SESSION['sid']==session_id()) {
        // continue browsing
    } else {
        // redirect to front page
    }

or however you want it to be.

The above isn't tested. Not sure if session_id needs to be assigned to a variable.

Is this what you're referring to or am I just misreading what you're asking?

--Matthew Sims
--http://killermookie.org
Re: [PHP] session id changing all the time on some pc's
On Friday 02 July 2004 04:38 pm, Matthew Sims wrote:
> As long as the user keeps his browser pointing at your site, then they'll stay in the current session. The moment they shut down the web browser, the session is lost.

The logic doesn't compute with me. I guess I'll have to try this myself...
Re: [PHP] session id changing all the time on some pc's
Matthew Sims [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > The $_SESSION['sid'] will follow from page to page. As long as the user stays in the current session, all $_SESSION variables will follow from page to page as long as session_start() is used.
> >
> > OK, but HOW do you manage that the user stays in the current session. Usually this is made sure by passing the session id around. But obviously you are not doing this, are you?
> >
> > Torsten
>
> As long as the user keeps his browser pointing at your site, then they'll stay in the current session. The moment they shut down the web browser, the session is lost.

This does only work *with* using a cookie.

> When the user first comes to your site, assign the session_id to a $_SESSION variable. Then as the user jumps from page to page, check the $_SESSION variable with the session_id on that page.
>
> Try this, on the front page:
>
>     session_start();
>     $_SESSION['sid']=session_id();
>
> On another page:
>
>     if ($_SESSION['sid']==session_id()) {
>         // continue browsing
>     } else {
>         // redirect to front page
>     }
>
> or however you want it to be.
>
> The above isn't tested. Not sure if session_id needs to be assigned to a variable.
>
> Is this what you're referring to or am I just misreading what you're asking?

No, this is exactly what I wanted to know. But it would contradict everything I experienced with sessions until now - and it does. I just tested your code (with session_start() also at the top of page2). It does not work because there is absolutely no relation between page1 and page2 with your code. In this case a new session is being started on page two. You have got to pass the session id from one page to another (when not using a cookie) otherwise it won't work and rightly so.

Maybe your memory played a trick on you ;) Don't mind.

Regards, Torsten
Re: [PHP] session id changing all the time on some pc's
> No, this is exactly what I wanted to know. But it would contradict everything I experienced with sessions until now - and it does. I just tested your code (with session_start() also at the top of page2). It does not work because there is absolutely no relation between page1 and page2 with your code. In this case a new session is being started on page two. You have got to pass the session id from one page to another (when not using a cookie) otherwise it won't work and rightly so.

Ah, you are so correct. My apologies. Without cookies turned on then the session id is different with each page. Bleh.

Okay...so...ignore all that I said. :)

So I guess $_GET is the only option...that sucks. Sorry dude.

--Matthew Sims
--http://killermookie.org
Re: [PHP] session id changing all the time on some pc's
* Thus wrote Torsten Roehr:
> Zilvinas Saltys [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > The only thing I want to know is all the truth about IE (6?) and cookies :) Heeelp :)
>
> Sorry to say that but just DO NOT use cookies. You will always have problems with users having weird cookie settings in their browser. Cookies are fine for intranets where you know the infrastructure you are dealing with. Passing the session id via GET/POST may be ugly but makes you independent of the browser's cookie settings.

I would strongly discourage trans_id with sessions that contain sensitive data.

Curt
--
First, let me assure you that this is not one of those shady pyramid schemes you've been hearing about. No, sir. Our model is the trapezoid!
Re: [PHP] session id changing all the time on some pc's
On Fri, 2 Jul 2004 22:45:23 + Curt Zirzow [EMAIL PROTECTED] wrote:
> * Thus wrote Torsten Roehr:
> > Zilvinas Saltys [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > The only thing I want to know is all the truth about IE (6?) and cookies :) Heeelp :)
> >
> > Sorry to say that but just DO NOT use cookies. You will always have problems with users having weird cookie settings in their browser. Cookies are fine for intranets where you know the infrastructure you are dealing with. Passing the session id via GET/POST may be ugly but makes you independent of the browser's cookie settings.
>
> I would strongly discourage trans_id with sessions that contain sensitive data.

Yes it does contain sensitive data.. And those people can't work with that data because of IE... Those people have to travel from place to place. They can't use Mozilla everywhere or change the IE settings or even to turn the zone alarm off...

So what are your suggestions? Using trans sid is the only solution as I see now.. No matter how unsafe it is.. Or it looks or works ugly.. That is the problem :)