Re: [PHP] Cookies and Sessions: What's the Best Recipe?

2003-06-04 Thread Monty
 Guys, that's exactly what the SID predefined constant is for -- it's defined
 only when a session is active, and it has the value
 sessionname=sessionid (e.g. PHPSESSID=1afd764ecb938274) if and only if
 the session id was passed in the URL -- otherwise it contains the empty
 string.  So you can safely do:
 
 header("Location: {$location}?".SID);

The SID constant var is a good idea! I didn't realize this existed. Taking
what Justin originally suggested, I've now modified the myHeader() function
to only append the SID if it exists (else, it returns the $location var as
it was passed). It also checks to see whether there is a ? in the $location
var. If so, it will append the SID using a &, otherwise it will append the
SID with a ?. 

I haven't tested this yet, but, if anyone has any other suggestions or
recommendations, please post them.

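function myHeader($location) {
    // SID is "name=id" when the session ID travels in the URL, otherwise empty
    if (SID) {
        if (strstr($location, '?')) {
            // $location already has a query string
            header("Location: {$location}&".SID);
        } else {
            header("Location: {$location}?".SID);
        }
    } else {
        return $location;
    }
    return;
}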


Monty


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
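
Added example, not part of the thread or any poster's code: one way to build the redirect target that myHeader() above is aiming for, also covering a `#fragment`, a trailing `?` and a session parameter that is already in the query string. The names buildRedirectUrl() and redirectWithSid() are hypothetical, and the sample URLs are constructed.

```php
<?php
// Added example, not code from the thread. buildRedirectUrl() and
// redirectWithSid() are hypothetical names.

// Append $sid ("name=id", the format of PHP's SID constant) to $location.
// $sid is a parameter so the function can be run without a live session.
function buildRedirectUrl(string $location, string $sid): string
{
    if ($sid === '') {
        return $location;            // cookie-based session: nothing to add
    }
    // Split off "#fragment"; it has to stay at the very end of the URL.
    $fragment = '';
    $hashPos = strpos($location, '#');
    if ($hashPos !== false) {
        $fragment = substr($location, $hashPos);
        $location = substr($location, 0, $hashPos);
    }
    // Do not add the session parameter a second time.
    $name = explode('=', $sid, 2)[0];
    parse_str((string) parse_url($location, PHP_URL_QUERY), $query);
    if (isset($query[$name])) {
        return $location . $fragment;
    }
    // Separator: none after a trailing "?" or "&", "&" when a query
    // string already exists, "?" otherwise.
    $last = substr($location, -1);
    if ($last === '?' || $last === '&') {
        $sep = '';
    } else {
        $sep = (strpos($location, '?') !== false) ? '&' : '?';
    }
    return $location . $sep . $sid . $fragment;
}

function redirectWithSid(string $location): void
{
    $sid = defined('SID') ? SID : '';   // SID exists only after session_start()
    header('Location: ' . buildRedirectUrl($location, $sid));
    exit;
}

// Constructed sample inputs; the id is the example value quoted in the thread.
if (PHP_SAPI === 'cli') {
    foreach (['/members.php', '/view.php?id=7', '/faq.php?x=1#top'] as $url) {
        echo buildRedirectUrl($url, 'PHPSESSID=1afd764ecb938274'), "\n";
    }
    echo buildRedirectUrl('/home.php', ''), "\n";   // no SID: unchanged
}
```

An ID carried in the URL also shows up in Referer headers, server logs and shared links, so calling session_regenerate_id() after login limits how long a leaked or pre-set ID stays useful.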



Re: [PHP] Cookies and Sessions: What's the Best Recipe?

2003-06-03 Thread Monty
 I have a member site that uses sessions. People who have their browser
 cookies turned off, however, cannot use our site. I read somewhere that to
 avoid this, I'd have to manually append the PHPSESSID var to every URL when
 redirecting in a script.
 
 One way around this would be to write a simple wrapper function which does
 this for you automatically:
 
 <?php
 // UNTESTED
 function redirectWithSession($location)
 {
     $sid = session_id();
     $sname = session_name();
     header("Location: {$location}?{$sname}={$sid}");
 }
 ?>
 
 Then (after testing the above code thoroughly) you just need to do a batch
 search and replace on your whole site source for 'header("Location: ' with
 'redirectWithSession("', and everything should be cool I think.  Please
 test all thoroughly :)


Justin, I took your suggestion and tried out the above on some test files. I
made some slight mods, but, it works perfectly. The only thing I don't like
about this solution is that the session ID is appended to the end of the URL
for everyone, even if they have cookies enabled. (I have trans-sid enabled).
Is there any reliable way to avoid this, or is this just a small side-effect
of making the site accessible to all?

Thanks!

Monty








Re: [PHP] Cookies and Sessions: What's the Best Recipe?

2003-06-03 Thread Justin French
H,

Theory only here:

If there is a GET value of PHPSESSID (or whatever your sessions are named),
then the user is more than likely taking advantage of trans-sid (sid's in
the URLs), and cookies are not available.

So, we only want to append the sid to URLs in a redirect IF the sid is found
in the URL already.  If there is no SID in the URL, then perhaps we can
assume it doesn't need to be this time

<?php
// UNTESTED
function redirectWithSession($location)
{
    $sid = session_id();
    $sname = session_name();
    // Only carry the session ID forward if it arrived in the URL
    if (!empty($_GET[$sname]))
    {
        header("Location: {$location}?{$sname}={$sid}");
    }
    else
    {
        header("Location: {$location}");
    }
}
?>


Again, please test thoroughly, because I haven't thought through the
instances where this might break something really... maybe there aren't
any!!


Justin




on 03/06/03 5:02 PM, Monty ([EMAIL PROTECTED]) wrote:

 I have a member site that uses sessions. People who have their browser
 cookies turned off, however, cannot use our site. I read somewhere that to
 avoid this, I'd have to manually append the PHPSESSID var to every URL when
 redirecting in a script.
 
 One way around this would be to write a simple wrapper function which does
 this for you automatically:
 
 <?php
 // UNTESTED
 function redirectWithSession($location)
 {
     $sid = session_id();
     $sname = session_name();
     header("Location: {$location}?{$sname}={$sid}");
 }
 ?>
 
 Then (after testing the above code thoroughly) you just need to do a batch
 search and replace on your whole site source for 'header("Location: ' with
 'redirectWithSession("', and everything should be cool I think.  Please
 test all thoroughly :)
 
 
 Justin, I took your suggestion and tried out the above on some test files. I
 made some slight mods, but, it works perfectly. The only thing I don't like
 about this solution is that the session ID is appended to the end of the URL
 for everyone, even if they have cookies enabled. (I have trans-sid enabled).
 Is there any reliable way to avoid this, or is this just a small side-effect
 of making the site accessible to all?
 
 Thanks!
 
 Monty
 
 
 
 





RE: [PHP] Cookies and Sessions: What's the Best Recipe?

2003-06-03 Thread Ford, Mike [LSS]
 -Original Message-
 From: Justin French [mailto:[EMAIL PROTECTED]
 Sent: 03 June 2003 06:34
 To: Monty; [EMAIL PROTECTED]
 Subject: Re: [PHP] Cookies and Sessions: What's the Best Recipe?
 
 
 H,
 
 Theory only here:
 
 If there is a GET value of PHPSESSID (or whatever your 
 sessions are named),
 then the user is more than likely taking advantage of 
 trans-sid (sid's in
 the URLs), and cookies are not available.
 
 So, we only want to append the sid to URLs in a redirect IF 
 the sid is found
 in the URL already.  If there is no SID in the URL, then 
 perhaps we can
 assume it doesn't need to be this time

Guys, that's exactly what the SID predefined constant is for -- it's defined
only when a session is active, and it has the value
sessionname=sessionid (e.g. PHPSESSID=1afd764ecb938274) if and only if
the session id was passed in the URL -- otherwise it contains the empty
string.  So you can safely do:

header("Location: {$location}?".SID);

and get the desired result.






Re: [PHP] Cookies and Sessions: What's the Best Recipe?

2003-06-03 Thread Justin French
on 03/06/03 9:43 PM, Ford, Mike   [LSS] ([EMAIL PROTECTED])
wrote:

 -Original Message-
 From: Justin French [mailto:[EMAIL PROTECTED]
 Sent: 03 June 2003 06:34
 To: Monty; [EMAIL PROTECTED]
 Subject: Re: [PHP] Cookies and Sessions: What's the Best Recipe?
 
 
 H,
 
 Theory only here:
 
 If there is a GET value of PHPSESSID (or whatever your
 sessions are named),
 then the user is more than likely taking advantage of
 trans-sid (sid's in
 the URLs), and cookies are not available.
 
 So, we only want to append the sid to URLs in a redirect IF
 the sid is found
 in the URL already.  If there is no SID in the URL, then
 perhaps we can
 assume it doesn't need to be this time
 
 Guys, that's exactly what the SID predefined constant is for -- it's defined
 only when a session is active, and it has the value
 sessionname=sessionid (e.g. PHPSESSID=1afd764ecb938274) if and only if
 the session id was passed in the URL -- otherwise it contains the empty
 string.  So you can safely do:
 
 header("Location: {$location}?".SID);
 
 and get the desired result.


Good point... except I had some problems with SID a while back... must do
some re-testing... can't remember much about it now.

Thanks Mike.

Justin





[PHP] Cookies and Sessions: What's the Best Recipe?

2003-06-01 Thread Monty
I have a member site that uses sessions. People who have their browser
cookies turned off, however, cannot use our site. I read somewhere that to
avoid this, I'd have to manually append the PHPSESSID var to every URL when
redirecting in a script.

Is this really the best or only way to avoid this problem? Or, is it simply
unavoidable? Right now, I tell users that the site will only work with
browsers that have cookies turned on, but, I'd rather the site was
accessible to all. However, I also don't like passing session IDs via the
URL because of the security risk.

Any suggestions??

Monty





Re: [PHP] Cookies and Sessions: What's the Best Recipe?

2003-06-01 Thread Justin French
on 01/06/03 6:01 AM, Monty ([EMAIL PROTECTED]) wrote:

 I have a member site that uses sessions. People who have their browser
 cookies turned off, however, cannot use our site. I read somewhere that to
 avoid this, I'd have to manually append the PHPSESSID var to every URL when
 redirecting in a script.

Actually, the session ID has to appear in every URL... if you compile PHP
with enable-trans-sid, then PHP takes care of this for you in *most* cases.
As you say above, you need to append them manually to things like header()
redirects.

One way around this would be to write a simple wrapper function which does
this for you automatically:

<?php
// UNTESTED
function redirectWithSession($location)
{
    $sid = session_id();
    $sname = session_name();
    header("Location: {$location}?{$sname}={$sid}");
}
?>

Then (after testing the above code thoroughly) you just need to do a batch
search and replace on your whole site source for 'header("Location: ' with
'redirectWithSession("', and everything should be cool I think.  Please
test all thoroughly :)

Or, just go through your code and patch it up :)


 Is this really the best or only way to avoid this problem? Or, is it simply
 unavoidable? Right now, I tell users that the site will only work with
 browsers that have cookies turned on, but, I'd rather the site was
 accessible to all. However, I also don't like passing session IDs via the
 URL because of the security risk.

There is no difference in the security risk between URL and cookies, if they
are sent in plain text.  SSL is a different story.

You have a choice:  make sure your site can be used without cookies (and
deal with the small effort during development), or be prepared to turn away
users.

I know which I picked :)


Justin

