Re: [PHP] Cookies and Sessions: What's the Best Recipe?
> Guys, that's exactly what the SID predefined constant is for -- it's defined only when a session is active, and it has the value sessionname=sessionid (e.g. PHPSESSID=1afd764ecb938274) if and only if the session id was passed in the URL -- otherwise it contains the empty string. So you can safely do:
>
>     header("Location: {$location}?".SID);

The SID constant var is a good idea! I didn't realize this existed.

Taking what Justin originally suggested, I've now modified the myHeader() function to only append the SID if it exists (else, it returns the $location var as it was passed). It also checks to see whether there is a ? in the $location var. If so, it will append the SID using a &, otherwise it will append the SID with a ?.

I haven't tested this yet, but, if anyone has any other suggestions or recommendations, please post them.

function myHeader($location)
{
    if (SID) {
        // The session id is travelling in the URL: pick the right separator.
        if (strstr($location, '?')) {
            header("Location: {$location}&".SID);
        } else {
            header("Location: {$location}?".SID);
        }
    } else {
        // No SID to append: hand the location back as it was passed.
        return $location;
    }
    return;
}

Monty

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
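An added example, not code from the thread: one way to write the redirect helper discussed above so that it also copes with a "#fragment", a session parameter that is already present, and line breaks in the target. The names appendSid() and redirectWithSid() are hypothetical and the sample URLs are constructed.

```php
<?php
// Added example, not code from the thread. appendSid() and redirectWithSid()
// are hypothetical names; the sample URLs at the bottom are constructed.

/** Return $location with "name=id" appended, or unchanged if $sid is empty. */
function appendSid(string $location, string $sid): string
{
    // Refuse CR/LF so a crafted target cannot add extra response headers.
    if (preg_match('/[\r\n]/', $location)) {
        throw new InvalidArgumentException('Line break in redirect target');
    }
    if ($sid === '') {
        return $location;            // id travels in a cookie: nothing to add
    }

    // The query string must come before any "#fragment".
    $fragment = '';
    $hash = strpos($location, '#');
    if ($hash !== false) {
        $fragment = substr($location, $hash);
        $location = substr($location, 0, $hash);
    }

    // Skip the append when the session parameter is already in the query.
    $name = explode('=', $sid, 2)[0];
    parse_str((string) parse_url($location, PHP_URL_QUERY), $params);
    if (isset($params[$name])) {
        return $location . $fragment;
    }

    $separator = (strpos($location, '?') === false) ? '?' : '&';
    return $location . $separator . $sid . $fragment;
}

function redirectWithSid(string $location): void
{
    // SID is "" unless the id arrived in the URL (and undefined with no session).
    header('Location: ' . appendSid($location, defined('SID') ? SID : ''));
    exit;
}

// Constructed inputs; the id is the example value quoted in the thread.
if (PHP_SAPI === 'cli') {
    $sid = 'PHPSESSID=1afd764ecb938274';
    foreach (['/members.php', '/members.php?page=2', '/faq.php#top'] as $url) {
        echo appendSid($url, $sid), "\n";
    }
}
```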
Re: [PHP] Cookies and Sessions: What's the Best Recipe?
>> I have a member site that uses sessions. People who have their browser cookies turned off, however, cannot use our site. I read somewhere that to avoid this, I'd have to manually append the PHPSESSID var to every URL when redirecting in a script.
>
> One way around this would be to write a simple wrapper function which does this for you automatically:
>
> <?php
> // UNTESTED
> function redirectWithSession($location)
> {
>     $sid = session_id();
>     $sname = session_name();
>     header("Location: {$location}?{$sname}={$sid}");
> }
> ?>
>
> Then (after testing the above code thoroughly) you just need to do a batch search and replace on your whole site source for 'header("Location: ' with 'redirectWithSession(', and everything should be cool I think. Please test all thoroughly :)

Justin, I took your suggestion and tried out the above on some test files. I made some slight mods, but, it works perfectly.

The only thing I don't like about this solution is that the session ID is appended to the end of the URL for everyone, even if they have cookies enabled. (I have trans-sid enabled). Is there any reliable way to avoid this, or is this just a small side-effect of making the site accessible to all?

Thanks!

Monty
Re: [PHP] Cookies and Sessions: What's the Best Recipe?
H,

Theory only here:

If there is a GET value of PHPSESSID (or whatever your sessions are named), then the user is more than likely taking advantage of trans-sid (sid's in the URLs), and cookies are not available.

So, we only want to append the sid to URLs in a redirect IF the sid is found in the URL already. If there is no SID in the URL, then perhaps we can assume it doesn't need to be this time

<?php
// UNTESTED
function redirectWithSession($location)
{
    $sid = session_id();
    $sname = session_name();
    // Append the id only when this request carried it in the URL.
    if (!empty($_GET[$sname])) {
        header("Location: {$location}?{$sname}={$sid}");
    } else {
        header("Location: {$location}");
    }
}
?>

Again, please test thoroughly, because I haven't thought through the instances where this might break something really... maybe there aren't any!!

Justin

on 03/06/03 5:02 PM, Monty ([EMAIL PROTECTED]) wrote:

>>> I have a member site that uses sessions. People who have their browser cookies turned off, however, cannot use our site. I read somewhere that to avoid this, I'd have to manually append the PHPSESSID var to every URL when redirecting in a script.
>>
>> One way around this would be to write a simple wrapper function which does this for you automatically:
>>
>> <?php
>> // UNTESTED
>> function redirectWithSession($location)
>> {
>>     $sid = session_id();
>>     $sname = session_name();
>>     header("Location: {$location}?{$sname}={$sid}");
>> }
>> ?>
>>
>> Then (after testing the above code thoroughly) you just need to do a batch search and replace on your whole site source for 'header("Location: ' with 'redirectWithSession(', and everything should be cool I think. Please test all thoroughly :)
>
> Justin, I took your suggestion and tried out the above on some test files. I made some slight mods, but, it works perfectly.
>
> The only thing I don't like about this solution is that the session ID is appended to the end of the URL for everyone, even if they have cookies enabled. (I have trans-sid enabled). Is there any reliable way to avoid this, or is this just a small side-effect of making the site accessible to all?
>
> Thanks!
>
> Monty
RE: [PHP] Cookies and Sessions: What's the Best Recipe?
> -----Original Message-----
> From: Justin French [mailto:[EMAIL PROTECTED]
> Sent: 03 June 2003 06:34
> To: Monty; [EMAIL PROTECTED]
> Subject: Re: [PHP] Cookies and Sessions: What's the Best Recipe?
>
> H,
>
> Theory only here:
>
> If there is a GET value of PHPSESSID (or whatever your sessions are named), then the user is more than likely taking advantage of trans-sid (sid's in the URLs), and cookies are not available.
>
> So, we only want to append the sid to URLs in a redirect IF the sid is found in the URL already. If there is no SID in the URL, then perhaps we can assume it doesn't need to be this time

Guys, that's exactly what the SID predefined constant is for -- it's defined only when a session is active, and it has the value sessionname=sessionid (e.g. PHPSESSID=1afd764ecb938274) if and only if the session id was passed in the URL -- otherwise it contains the empty string. So you can safely do:

    header("Location: {$location}?".SID);

and get the desired result.
Re: [PHP] Cookies and Sessions: What's the Best Recipe?
on 03/06/03 9:43 PM, Ford, Mike [LSS] ([EMAIL PROTECTED]) wrote:

>> -----Original Message-----
>> From: Justin French [mailto:[EMAIL PROTECTED]
>> Sent: 03 June 2003 06:34
>> To: Monty; [EMAIL PROTECTED]
>> Subject: Re: [PHP] Cookies and Sessions: What's the Best Recipe?
>>
>> H,
>>
>> Theory only here:
>>
>> If there is a GET value of PHPSESSID (or whatever your sessions are named), then the user is more than likely taking advantage of trans-sid (sid's in the URLs), and cookies are not available.
>>
>> So, we only want to append the sid to URLs in a redirect IF the sid is found in the URL already. If there is no SID in the URL, then perhaps we can assume it doesn't need to be this time
>
> Guys, that's exactly what the SID predefined constant is for -- it's defined only when a session is active, and it has the value sessionname=sessionid (e.g. PHPSESSID=1afd764ecb938274) if and only if the session id was passed in the URL -- otherwise it contains the empty string. So you can safely do:
>
>     header("Location: {$location}?".SID);
>
> and get the desired result.

Good point... except I had some problems with SID a while back... must do some re-testing... can't remember much about it now.

Thanks Mike.

Justin
[PHP] Cookies and Sessions: What's the Best Recipe?
I have a member site that uses sessions. People who have their browser cookies turned off, however, cannot use our site. I read somewhere that to avoid this, I'd have to manually append the PHPSESSID var to every URL when redirecting in a script.

Is this really the best or only way to avoid this problem? Or, is it simply unavoidable? Right now, I tell users that the site will only work with browsers that have cookies turned on, but, I'd rather the site was accessible to all. However, I also don't like passing session IDs via the URL because of the security risk.

Any suggestions??

Monty
Re: [PHP] Cookies and Sessions: What's the Best Recipe?
on 01/06/03 6:01 AM, Monty ([EMAIL PROTECTED]) wrote:

> I have a member site that uses sessions. People who have their browser cookies turned off, however, cannot use our site. I read somewhere that to avoid this, I'd have to manually append the PHPSESSID var to every URL when redirecting in a script.

Actually, the session ID has to appear in every URL... if you compile PHP with enable-trans-sid, then PHP takes care of this for you in *most* cases. As you say above, you need to append them manually to things like header() redirects.

One way around this would be to write a simple wrapper function which does this for you automatically:

<?php
// UNTESTED
function redirectWithSession($location)
{
    // Always appends "name=id", whether or not the browser accepts cookies.
    $sid = session_id();
    $sname = session_name();
    header("Location: {$location}?{$sname}={$sid}");
}
?>

Then (after testing the above code thoroughly) you just need to do a batch search and replace on your whole site source for 'header("Location: ' with 'redirectWithSession(', and everything should be cool I think. Please test all thoroughly :)

Or, just go through your code and patch it up :)

> Is this really the best or only way to avoid this problem? Or, is it simply unavoidable? Right now, I tell users that the site will only work with browsers that have cookies turned on, but, I'd rather the site was accessible to all. However, I also don't like passing session IDs via the URL because of the security risk.

There is no difference in the security risk between URL and cookies, if they are sent in plain text. SSL is a different story.

You have a choice: make sure your site can be used without cookies (and deal with the small effort during development), or be prepared to turn away users.

I know which I picked :)

Justin