[PHP] $_SESSION question

2002-11-14 Thread Jochen Kächelin
I made a test with the Phoenix browser and ENABLE COOKIES = OFF in
the Privacy configuration of the browser.

my index.php:

<?php
   session_start();
   $_SESSION['test'] = 'test';

   echo "<a href='index2.php'>index2.php</a>\n";
?>

my index2.php:

<?php
   session_start();
   echo $_SESSION['test'];
?>

My php.ini:

session.use_trans_sid = 0

On index2.php there's no result - $_SESSION['test'] is not set.

When I enable

session.use_trans_sid = 1

the session_id is added to the url, but php.ini says not to use
session.use_trans_sid = 1 for security reasons.

How can I process $_SESSION variables if the user disables cookies
and session.use_trans_sid = 0 ?


-- 
Jochen Kaechelin


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] $_SESSION question

2002-11-14 Thread Ernest E Vogelsinger
At 02:18 15.11.2002, Jochen Kächelin said:
[snip]
How can I process $_SESSION variables if the user disables cookies
and session.use_trans_sid = 0 ?
[snip] 

Simply put - you can't.

You need a way to transmit the session identifier, and AFAIK there's
nothing except either cookies or SID.

Using SID for security relevant issues presents a problem - users can send
links with a SID to friends by mail or else, so this is not really a secure
solution. However there are numerous application parts where no security is
involved, and sessions are just used to construct a site - it's unnecessary
IMHO to avoid SID use here.

On our server we have disabled session cookies in general, as a courtesy to
our users. However when logged in we require a user to accept a cookie. The
value of this cookie is randomly generated (something like md5(rand())),
and changes with every click. This value (we call it a login token) is
also stored in session data to verify the cookie against the session. If no
user token, or a wrong token, is transmitted, we assume a hijacked
session and automatically logout the user. (there's more to it, but
basically you get the idea)


-- 
   O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/
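The login-token check Ernest describes, as an added example written for this thread (not his code): the cookie name 'utoken', the session keys 'utoken' and 'uid', the login page path and the function names are all assumed, and random_bytes() stands in for the md5(rand()) in the post.

```php
<?php
// Added example, not the poster's code. A per-request login token is kept both
// in a cookie and in the session; a request whose cookie does not match the
// session's copy is treated as a hijacked session and logged out.
// Assumed names: cookie 'utoken', session keys 'utoken' and 'uid', '/login.php'.
declare(strict_types=1);

session_start();

// Issue a fresh unpredictable token, remember it in the session and send it
// as a cookie. random_bytes() replaces the md5(rand()) mentioned in the post.
function rotateLoginToken(): void
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['utoken'] = $token;
    setcookie('utoken', $token, [
        'expires'  => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from script
        'samesite' => 'Strict',
    ]);
}

// The cookie is valid only if it equals the token the session expects.
// hash_equals() compares in constant time.
function loginTokenIsValid(): bool
{
    if (!isset($_SESSION['utoken'], $_COOKIE['utoken'])) {
        return false;           // no token at all: session id arrived alone
    }
    return hash_equals($_SESSION['utoken'], (string) $_COOKIE['utoken']);
}

// Missing or wrong token: drop the session data and send the user to log in.
function forceLogout(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}

if (isset($_SESSION['uid'])) {      // 'uid' is set by the login page (assumed)
    if (!loginTokenIsValid()) {
        forceLogout();
    }
    rotateLoginToken();             // the token changes with every click
}
```

Both session_start() and setcookie() must run before any output is sent, so this belongs at the top of every page that handles a logged-in user.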







Re: [PHP] $_SESSION question

2002-11-14 Thread Sascha Cunz
> Simply put - you can't.
>
> You need a way to transmit the session identifier, and AFAIK there's
> nothing except either cookies or SID.
>
> Using SID for security relevant issues presents a problem - users can send
> links with a SID to friends by mail or else, so this is not really a secure
> solution. However there are numerous application parts where no security is
> involved, and sessions are just used to construct a site - it's unnecessary
> IMHO to avoid SID use here.
>
> On our server we have disabled session cookies in general, as a courtesy to
> our users. However when logged in we require a user to accept a cookie. The
> value of this cookie is randomly generated (something like md5(rand())),
> and changes with every click. This value (we call it a login token) is
> also stored in session data to verify the cookie against the session. If no
> user token, or a wrong token, is transmitted, we assume a hijacked
> session and automatically logout the user. (there's more to it, but
> basically you get the idea)

This sounds like a pretty good idea to work around that problem :-)

Does this system work if the user decides to split one session across
multiple browser windows, i.e. they use the "Open in new window" function
of most browsers?

-Sascha





Re: [PHP] $_SESSION question

2002-11-14 Thread Sascha Cunz
Hi Jochen,

> How can I process $_SESSION variables if the user disables cookies
> and session.use_trans_sid = 0 ?

You could use a combination of output buffering and a self-written
session handler.
So you could build a trans_sid-alike system that would do more checks (i.e.
compare IP addresses) to validate if a session is really the one it is
claiming to be. (Of course this would be slower than trans_sid and ain't that
easy to do)

-Sascha





Re: [PHP] $_SESSION question

2002-11-14 Thread Ernest E Vogelsinger
At 02:42 15.11.2002, Sascha Cunz said:
[snip]
This sounds like a pretty good idea to work around that problem :-)

Does this system work if the user decides to split one session across
multiple browser windows, i.e. they use the "Open in new window" function
of most browsers?
[snip] 

Halfway it does (I told you there's more to it...)
There are two scenarios:

a) user has two logins in two browser windows at the same time:

The cookie name is not hard coded but generated as well, just as
UTOKEN_1234 or something. The cookie name is also stored in session data.

b) user has one login but two different windows:

Generally this presents a problem as an application usually has a state
that's reflected in session data. What needs to be done is:
a) detect that the user has split the application
b) split session data, or create a new session.

As for (a) - we chose our application windows to be generally non-cacheable
(at least those using this mechanism). Thus, opening a new window will
rerun the code, transmitting an altered user-token cookie to the browser.
The reloaded window will simply continue the application from its current
state, and alter the user-token cookie.

As for (b) it depends on the content of the original page. If this is a
form it's easy to detect that the form is not the most recent (our forms
generally have a serial number to avoid duplicate actions through form
reloads). If the form that is detected as being reloaded is not the last
form the application has seen we decide that the application has been
split up - we simply close the session and require the user to log in
anew (in this window only, of course), now using a different session ID.

If the cloned window is _not_ a form I have no solution yet - all our apps
are form-based.

One last word to close the session - this is done by calling
session_write_close() and redirecting the browser to the application entry
page, now _not_ using SID (session has already closed, no SID available).


-- 
   O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/
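The form serial number check from scenario (b), as an added example written for this thread (not Ernest's code): the session key 'form_serial', the hidden field 'fserial', the entry page '/index.php' and the function names are assumed, and it assumes session cookies are off on the server as in his setup, so a redirect without a SID really does leave the new window without a session.

```php
<?php
// Added example, not the poster's code. Every rendered form carries a serial
// number; a submitted form whose serial is not the last one issued came from
// a reloaded or cloned window, so the session is closed and this window is
// sent back to the entry page to start over.
// Assumed names: session key 'form_serial', hidden field 'fserial', '/index.php'.
declare(strict_types=1);

session_start();

// Hand out the next serial and remember it as the most recent form.
function nextFormSerial(): int
{
    $_SESSION['form_serial'] = ($_SESSION['form_serial'] ?? 0) + 1;
    return $_SESSION['form_serial'];
}

// A submission is current only if it carries the serial issued last.
// A duplicate submit (reload) or a second window presents an older serial.
function submittedFormIsCurrent(array $post): bool
{
    if (!isset($post['fserial'], $_SESSION['form_serial'])) {
        return false;
    }
    return (int) $post['fserial'] === (int) $_SESSION['form_serial'];
}

// Close the session as the post describes: write it out, then redirect to
// the entry page without a SID. With session cookies disabled (assumed, as on
// the poster's server) the new window arrives there without any session.
function closeSessionAndRestart(): void
{
    session_write_close();
    header('Location: /index.php');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!submittedFormIsCurrent($_POST)) {
        closeSessionAndRestart();       // application was split or replayed
    }
    // handle the current form here
}

// Render the next step of the form-based application with a fresh serial.
$serial = nextFormSerial();
echo '<form method="post" action="">'
   . '<input type="hidden" name="fserial" value="' . $serial . '">'
   . '<input type="submit" value="Next">'
   . '</form>';
```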


