[PHP-DEV] Suggest: Have PHP Session cookies-enabled check use any cookie
Hi,

I don't know if this has been discussed before, but I have a suggestion about how PHP checks whether cookie support is enabled.

Here is my understanding of the current setup: On the first PHP page encountered, all links will be turned into GET style URLs with the session id attached because it does not yet know whether cookies are enabled. At the same time, it sends a cookie with the session id back to the client. On the second page view, the session id cookie is sent back to the server and thus the server knows cookies are enabled, and no longer has to modify the links.

I've seen a fair number of people complaining about the appearance of the PHPSESSID tacked on the end of all URLs on the first page, and some people doing work-arounds like automatically redirecting back to the home page. I agree with them that it would be nice not to have the URL modification happen, but I don't like the redirect workaround either.

So, I have a suggestion: To determine whether cookies are enabled, PHP could simply check to see whether *any* cookie was sent on the page request. If it were set up like this, we could then set a dummy cookie with a long lifetime on their first visit to the site. Then, on all future visits to the site, PHP would discover even on the first page that cookies are enabled. The result would be the PHPSESSID var would only be stuck on the URLs the very first time a user visits the site, and would never appear again (as long as cookies are enabled).

If you fear that this is less safe than actually checking for the PHPSESSID variable, it seems that this could at least be an option that could be enabled in php.ini.

What do you think?

Matt

--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] Suggest: Have PHP Session cookies-enabled check use any cookie
hi,

> [..] If it were set up like this, we could then set a dummy cookie with a long lifetime on their first visit to the site. [..]

-2

people tend to dislike cookies - many see cookies as a dangerous threat to their privacy and security (that's why IE 6.0 blocks almost all DANGEROUS cookies *cough*). don't force people to use cookies if they don't want to.

Daniel Lorch
Re: [PHP-DEV] Suggest: Have PHP Session cookies-enabled check use any cookie
The good idea is to set a cookie...and if so not to modify anything. What you missed is that you need not get any cookie if you did not write one yourself (but that does not affect your idea). We could simply leave an old session-cookie and reread it - that shouldn't be a security problem. Perhaps we should then take some thoughts about the security of the session cookies.

However it is important that we must rewrite the urls for cases where no cookie was received. That makes your idea no solution for people who claim this because for example their JavaScript code does not work anymore when session cookies rewrite their urls. (My own hp would have the same problem...but I do not change that)

marcus

At 22:34 10.03.2002, you wrote:
> Hi, I don't know if this has been discussed before, but I have a suggestion about how PHP checks whether cookie support is enabled. [..]
Re: [PHP-DEV] Suggest: Have PHP Session cookies-enabled check use any cookie
This is an interesting idea -- simply having the old session cookie stay around longer. On the server side, you'd probably want to keep track of the time the session was created and if it's an old session then change the session id (I don't know if that's easy or hard). I think for security it is good for each session to have its own id. Otherwise, if I read your cookies once, I could use your session indefinitely.

I think it would be easier if the PHP code was modified to look for any cookie, but if that doesn't happen then I may look into doing something like this instead.

Marcus Börger [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> The good idea is to set a cookie...and if so not to modify anything. [..]
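The session-age check raised in the last message, together with cookie-only session ids so that PHPSESSID is never rewritten into links, as an added example that is not code from any poster in this thread. It assumes PHP 7.3 or later; `MAX_ID_AGE`, the `created` key and `rotate_if_old()` are illustrative names.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3 or later.
// MAX_ID_AGE, 'created' and rotate_if_old() are illustrative names.
const MAX_ID_AGE = 900; // seconds before the session id is replaced (assumed value)

// Carry the id in a cookie only, so it is never appended to URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse session ids that the server did not issue itself.
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,      // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not readable from page scripts
    'samesite' => 'Lax',
]);

/**
 * Record when the current id was issued and replace the id once it is
 * older than $maxAge seconds. Returns true when a rotation happened.
 */
function rotate_if_old(array &$session, int $now, int $maxAge, callable $regenerate): bool
{
    if (!isset($session['created'])) {
        $session['created'] = $now;   // first request of this session
        return false;
    }
    if ($now - $session['created'] >= $maxAge) {
        $regenerate();                // new id, session data is kept
        $session['created'] = $now;
        return true;
    }
    return false;
}

session_start();
rotate_if_old($_SESSION, time(), MAX_ID_AGE, function (): void {
    // true deletes the old session record, so a copied old id stops working.
    session_regenerate_id(true);
});
```

The rotation bounds how long a copied cookie stays usable; it does not end the session for whoever presents the cookie first after the copy.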