[WSG] PHP GET session ID's prevent validation?

2004-08-09 Thread Joshua Street




Hi all,

I've come across something of a problem on a website which uses Sessions (and PHP). The server it is hosted on is set up to allow session IDs to be sent as GET variables (i.e. part of the URL string), if the user *apparently* doesn't have cookies enabled.

Now, for whatever reason, the server is deciding that MANY users don't have cookies enabled, even when they do, and is therefore pushing them to the GET method, as opposed to setting a cookie and leaving it alone! This isn't a problem relevant to this list (I have other concerns, regarding security, etc. but that is best discussed elsewhere), however it does do some bad things to links on the page!

The website is http://www.platform7.info/, and it (before moving servers) validated without any problems. What's happening is that PHP is appending platform7=SESSION ID GOES HERE to all links on the webpage, when in GET session (e.g. not cookies) mode. You'll note that & should be &amp; in order to validate...

Has anyone else had this happen to them before? Any suggestions are welcome.

Cheers,

Joshua Street

Website: http://www.base10solutions.com/
Phone: (02) 9898-0060 Fax: (02) 8572-6021
Mobile: 0425 808 469










p.s. This is primarily an interim fix, as in a few months I shall be disabling (at code level) support for GET sessions, mandating the use of cookies.



Re: [WSG] PHP GET session ID's prevent validation?

2004-08-09 Thread Manuel González Noriega
On Tue, 10-08-2004 at 02:01, Joshua Street wrote:
> Hi all,
>
<snip>

> You'll note that & should be &amp; in order to validate...
>
> Has anyone else had this happen to them before? Any suggestions are
> welcome.

Hey Joshua,

try this 

ini_set('arg_separator.input','&amp;');

-- 
Manuel works for Simplelógica, web construction
(+34) 985 22 12 65 http://simplelogica.net 

**
The discussion list for  http://webstandardsgroup.org/

Proud presenters of Web Essentials 04 http://we04.com/
 Web standards, accessibility, inspiration, knowledge
To be held in Sydney, September 30 and October 1, 2004

 See http://webstandardsgroup.org/mail/guidelines.cfm
 for some hints on posting to the list & getting help
**



Re: [WSG] PHP GET session ID's prevent validation?

2004-08-09 Thread Patrick H. Lauke
If you have access to php.ini, make sure you change arg_separator.input
and arg_separator.output to

arg_separator.input = '&amp;'
arg_separator.output = '&amp;'

You may be able to do this in an .htaccess file

php_value arg_separator.input '&amp;'
php_value arg_separator.output '&amp;'

As a last resort, you may be able to override it at the beginning of all
your scripts in PHP itself

ini_set('arg_separator.input','&amp;');
ini_set('arg_separator.output','&amp;');

Patrick H. Lauke
_
redux (adj.): brought back; returned. used postpositively
[latin : re-, re- + dux, leader; see duke.]
www.splintered.co.uk | www.photographia.co.uk
http://redux.deviantart.com
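
The p.s. in the first message plans to drop GET sessions and mandate cookies; a session ID carried in a URL also ends up in Referer headers, server logs and bookmarks. As an added example (not code from the thread; the function names, sample HTML and session value are constructed, and PHP 7.3+ with the DOM extension is assumed), this script forces cookie-only sessions and audits rendered HTML for links that still carry the session ID:

```php
<?php
// Added example, not from the thread. Function names and sample data are constructed.

// Call before any output: keep the session ID in a cookie only, never in URLs.
function start_cookie_only_session(string $name): void
{
    ini_set('session.use_trans_sid', '0');    // no automatic ?name=ID rewriting of links
    ini_set('session.use_only_cookies', '1'); // ignore session IDs supplied in the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_name($name);
    session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Audit rendered HTML: return every href/action/src value whose query string
// contains a parameter named after the session.
function urls_carrying_session_id(string $html, string $sessionName): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);         // tolerate HTML fragments
    $doc->loadHTML($html);
    libxml_clear_errors();

    $hits = [];
    foreach ((new DOMXPath($doc))->query('//@href | //@action | //@src') as $attr) {
        // Attribute values arrive entity-decoded, so "&amp;" is already "&" here.
        $query = parse_url($attr->value, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);
        if (array_key_exists($sessionName, $params)) {
            $hits[] = $attr->value;
        }
    }
    return $hits;
}

// Constructed sample page, shaped like the rewritten links described in the thread.
$page = <<<HTML
<a href="/news.php?id=4&amp;platform7=0123456789abcdef">News</a>
<a href="/about.php">About</a>
<form action="/search.php?platform7=0123456789abcdef"></form>
HTML;

foreach (urls_carrying_session_id($page, 'platform7') as $url) {
    echo "session ID exposed in URL: $url\n";
}
```

The audit function can be pointed at saved copies of a site's pages after the cookie-only change to confirm that no link still includes the session parameter.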