Re: [PHP] sessions without cookies *or* URLs
John, et al --

...and then John W. Holmes said...
%
% You can pass the session ID in a form, too. Just use POST, and make it a
% hidden element passed to the next page.

Yeah, I figured that.

%
% <input type="hidden" name="PHPSESSID" value="<?=$PHPSESSID?>">
%
% It's no different than passing it in the URL. I hope you're not thinking

Except the URL is cleaner :-)

% that it's more secure by doing it this way. Either way the data is
% coming from the user and it can't be trusted and it can be modified.

Agreed.

%
% I don't know what this phobia is about passing something in the URL...

First, it's just plain cluttered :-) Second, though, it would be nice to not put the user's password right in the URL to then hang out in his browser goto cache, so we have to change *something*, and if we can clean up the URL while we're at it that would be nice.

%
% ---John Holmes...

Thanks

HAND

:-D
--
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
Re: [PHP] sessions without cookies *or* URLs
Justin, et al --

...and then Justin French said...
%
% on 07/10/02 11:32 AM, David T-G ([EMAIL PROTECTED]) wrote:
%
% > It's a start; it confirms some of what I think I understand about
% > sessions. Now if only I can get the session ID out of the URL without
% > using any cookies... Any ideas, anyone?
%
% I thought I made it clear, but I'll try again :)

Thanks :-)

%
% You have three options for maintaining state:
%
% - Cookies
% - URL
% - POSTed forms

OK. I was afraid of that...

%
% The most common method is plain cookies. But if you want guaranteed state,

Sure, but I know that cookies won't work, so that rules them out.

% then URL is the answer. My main problem with the URL method is that it
% requires the writer(s) to be careful when typing links... ensuring that they

Exactly. It's cluttered and you have to be sure to get it right if you're typing it in.

% have the session ID in them. Impossible for a CMS. The answer is
% enable_trans_sid.

Well, sorta :-)

%
% More and more hosts are compiling with enable_trans_sid... what this does
% is: attempt to pass the SID around in a cookie. If this fails, it will

Right.

% re-write any relative URLs in your pages to include the session ID... it's

So I can code without having to put the ID on the URLs myself? So the transparent-ness is for the programmer? Well, I do like that...

% the best of both worlds... transparent cookies if possible, otherwise the
% SID is passed around in a URL.

Right.

%
% So, this rules out a complaint about complicated URLs, because you don't
% have to type them.

I may not have to type it as a programmer, but the user might have to type it as a surfer.

%
% I urge you to look around all the big sites... if they need to maintain
% state (a session) they do so with URLs... amazon.com, whatever -- they all
% do it.

Yeah, I know.

%
% Why do you not wish to use URLs?

Because they're cluttered and it puts the session ID also in the user's goto cache.

%
% Justin

Thanks

HAND

:-D
--
David T-G
Re: [PHP] sessions without cookies *or* URLs
on 07/10/02 7:18 PM, David T-G ([EMAIL PROTECTED]) wrote:

> % re-write any relative URLs in your pages to include the session ID... it's
>
> So I can code without having to put the ID on the URLs myself? So the transparent-ness is for the programmer? Well, I do like that...

Yes.

> % So, this rules out a complaint about complicated URLs, because you don't
> % have to type them.
>
> I may not have to type it as a programmer, but the user might have to type it as a surfer.

Nope. Why would they type it? The session is managed by PHP's session functions... if 'page.php' has a session_start() call, it will assign a PHPSESSID.

Yes, they may accidentally bookmark or favourite a session ID, and you'd have to read up / test on the implications of this, but given there are only three options, you have to work through them. If they work for amazon, they can work for you...

If you rule out cookies and POST, then guess what you're left with :)

Justin

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] sessions without cookies *or* URLs
> % The most common method is plain cookies. But if you want guaranteed state,
>
> Sure, but I know that cookies won't work, so that rules them out.

Won't work, or you don't want to use them?

> % So, this rules out a complaint about complicated URLs, because you don't
> % have to type them.
>
> I may not have to type it as a programmer, but the user might have to type it as a surfer.

Why would the user have to type in a URL with a session id? Your session ids are only good while the user is active and they will expire after a certain amount of time.

> % Why do you not wish to use URLs?
>
> Because they're cluttered and it puts the session ID also in the user's goto cache.

Again, why does that matter because that ID is only good while the user is active. When they log out, it's worthless, or after a certain amount of inactive time, it's worthless...

---John Holmes...
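The expiry this reply relies on has to be enforced by the application on the server. The following is an added example, not code from the thread, of an idle timeout, logout and ID rotation at login that hold however the ID travels (cookie, URL or POST); `IDLE_LIMIT`, the `last_seen` and `user` keys and all function names are assumptions.

```php
<?php
// Added example; not code from the thread. IDLE_LIMIT, the 'last_seen' and
// 'user' keys and every function name are assumptions made for illustration.

const IDLE_LIMIT = 900; // seconds of inactivity after which the ID is worthless

// True when the stored data shows no activity within IDLE_LIMIT.
// An explicit timestamp is used because session garbage collection only
// runs probabilistically and cannot be relied on as a timeout.
function session_is_stale(array $data, int $now): bool
{
    return isset($data['last_seen']) && ($now - $data['last_seen']) > IDLE_LIMIT;
}

// Call before any output, on every request.
function begin_request(): void
{
    // Accept only IDs this server issued: an unknown ID arriving in a
    // cookie, URL or form field is replaced instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    session_start();

    if (session_is_stale($_SESSION, time())) {
        // A bookmarked or cached URL carrying an old ID ends up here:
        // drop the data and move to a fresh ID, deleting the old session.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}

// Call once the credentials have been verified.
function mark_logged_in(string $user): void
{
    // New ID at the privilege change; "true" deletes the old session, so an
    // ID that was visible before login (history, Referer, shared link)
    // no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['last_seen'] = time();
}

// Logout: remove the server-side data and, if one was set, the cookie.
function log_out(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```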
[PHP] sessions without cookies *or* URLs
Hi, all --

I've seen a recent flurry of discussion on sessions, and that's good; lovely how that has shown up just as I need to dig into sessions.

I think I've come to understand, though, that you can't manage sessions without either URL extensions or cookies, and that's bad (for me, at least). Is that a correct understanding?

It seems that using forms to pass the session token would work, but that means having all buttons instead of links, which has its own disadvantages. Is there any other way to get data to the server?

We currently use the URL to pass variables but we don't want to hang the page password out there :-) and so we have to move away from that somehow, and it would be nice if we could get away from URL mangling entirely. Cookies aren't an option, though.

TIA

HAND

:-D
--
David T-G
Re: [PHP] sessions without cookies *or* URLs
I think you're under a little misconception about how sessions are used.

Maintaining a session is simply just having a unique identifier for each user, so that the server can recognise the user from page to page, maintaining state.

Typically this is done by passing a session id around in the URL or cookies or POSTing forms. A session ID is typically a long unique number -- that's it.

What you then do is associate or register data TO that Session ID... this data is stored on the SERVER, and NOT passed around in the URL.

So you pass around PHPSESSID=198235021612423 in the url or a cookie, and assign data to that session... all of which is stored server side.

The session with the id 198235021612423 may have a username, password, shoe size, favourite colour, etc etc all attached to it, done with either:

    $_SESSION['shoesize'] = 14; // new register globals OFF method

or

    $shoesize = 14;
    session_register('shoesize'); // old method

Therefore, I can see no need for anything other than the session ID to be passed around in the URL.

Hope this clears it up!

Justin French

on 06/10/02 9:26 PM, David T-G ([EMAIL PROTECTED]) wrote:

> Hi, all --
>
> I've seen a recent flurry of discussion on sessions, and that's good; lovely how that has shown up just as I need to dig into sessions.
>
> I think I've come to understand, though, that you can't manage sessions without either URL extensions or cookies, and that's bad (for me, at least). Is that a correct understanding?
>
> It seems that using forms to pass the session token would work, but that means having all buttons instead of links, which has its own disadvantages. Is there any other way to get data to the server?
>
> We currently use the URL to pass variables but we don't want to hang the page password out there :-) and so we have to move away from that somehow, and it would be nice if we could get away from URL mangling entirely. Cookies aren't an option, though.
>
> TIA
>
> HAND
>
> :-D
Re: [PHP] sessions without cookies *or* URLs
Justin, et al --

...and then Justin French said...
%
% I think you're under a little misconception about how sessions are used.

Perhaps. I'm new to them :-)

% Maintaining a session is simply just having a unique identifier for each
% user, so that the server can recognise the user from page to page,
% maintaining state.

Right. And since it can recognize the user, it can store all sorts of things for him, like the fact that he's been authenticated and what function he did last and so on. Right?

%
% Typically this is done by passing a session id around in the URL or cookies
% or POSTing forms. A session ID is typically a long unique number -- that's
% it.

Right. But it's the in the URL or cookies that's a problem for me.

%
% What you then do is associate or register data TO that Session ID... this data
% is stored on the SERVER, and NOT passed around in the URL.

I understand enough that the data itself isn't in the URL, and that's good (because some of these page comments get long!).

%
% So you pass around PHPSESSID=198235021612423 in the url or a cookie, and
% assign data to that session... all of which is stored server side.

Are those the only ways that I can pass it around? Is there anything else? [Note that I've come to the conclusion that they are and there isn't except perhaps a POST form, but I'd love to be pleasantly surprised.]

%
% The session with the id 198235021612423 may have a username, password, shoe
% size, favourite colour, etc etc all attached to it, done with either:

Good deal; that's what I like.

%
% $_SESSION['shoesize'] = 14; // new register globals OFF method
%
% or
%
% $shoesize = 14;
% session_register('shoesize'); // old method

Right.

%
% Therefore, I can see no need for anything other than the session ID to be
% passed around in the URL.
%
% Hope this clears it up!

It's a start; it confirms some of what I think I understand about sessions. Now if only I can get the session ID out of the URL without using any cookies... Any ideas, anyone?

%
% Justin French

TIA

HAND

:-D
--
David T-G
RE: [PHP] sessions without cookies *or* URLs
You can pass the session ID in a form, too. Just use POST, and make it a hidden element passed to the next page.

    <input type="hidden" name="PHPSESSID" value="<?=$PHPSESSID?>">

It's no different than passing it in the URL. I hope you're not thinking that it's more secure by doing it this way. Either way the data is coming from the user and it can't be trusted and it can be modified.

I don't know what this phobia is about passing something in the URL...

---John Holmes...

-----Original Message-----
From: David T-G [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 06, 2002 9:33 PM
To: PHP General list
Cc: Justin French
Subject: Re: [PHP] sessions without cookies *or* URLs

Justin, et al --

...and then Justin French said...
%
% I think you're under a little misconception about how sessions are used.

Perhaps. I'm new to them :-)

% Maintaining a session is simply just having a unique identifier for each
% user, so that the server can recognise the user from page to page,
% maintaining state.

Right. And since it can recognize the user, it can store all sorts of things for him, like the fact that he's been authenticated and what function he did last and so on. Right?

%
% Typically this is done by passing a session id around in the URL or cookies
% or POSTing forms. A session ID is typically a long unique number -- that's
% it.

Right. But it's the in the URL or cookies that's a problem for me.

%
% What you then do is associate or register data TO that Session ID... this data
% is stored on the SERVER, and NOT passed around in the URL.

I understand enough that the data itself isn't in the URL, and that's good (because some of these page comments get long!).

%
% So you pass around PHPSESSID=198235021612423 in the url or a cookie, and
% assign data to that session... all of which is stored server side.

Are those the only ways that I can pass it around? Is there anything else? [Note that I've come to the conclusion that they are and there isn't except perhaps a POST form, but I'd love to be pleasantly surprised.]

%
% The session with the id 198235021612423 may have a username, password, shoe
% size, favourite colour, etc etc all attached to it, done with either:

Good deal; that's what I like.

%
% $_SESSION['shoesize'] = 14; // new register globals OFF method
%
% or
%
% $shoesize = 14;
% session_register('shoesize'); // old method

Right.

%
% Therefore, I can see no need for anything other than the session ID to be
% passed around in the URL.
%
% Hope this clears it up!

It's a start; it confirms some of what I think I understand about sessions. Now if only I can get the session ID out of the URL without using any cookies... Any ideas, anyone?

%
% Justin French

TIA

HAND

:-D
--
David T-G
Re: [PHP] sessions without cookies *or* URLs
on 07/10/02 11:32 AM, David T-G ([EMAIL PROTECTED]) wrote:

> It's a start; it confirms some of what I think I understand about
> sessions. Now if only I can get the session ID out of the URL without
> using any cookies... Any ideas, anyone?

I thought I made it clear, but I'll try again :)

You have three options for maintaining state:

- Cookies
- URL
- POSTed forms

The most common method is plain cookies. But if you want guaranteed state, then URL is the answer. My main problem with the URL method is that it requires the writer(s) to be careful when typing links... ensuring that they have the session ID in them. Impossible for a CMS. The answer is enable_trans_sid.

More and more hosts are compiling with enable_trans_sid... what this does is: attempt to pass the SID around in a cookie. If this fails, it will re-write any relative URLs in your pages to include the session ID... it's the best of both worlds... transparent cookies if possible, otherwise the SID is passed around in a URL.

So, this rules out a complaint about complicated URLs, because you don't have to type them.

I urge you to look around all the big sites... if they need to maintain state (a session) they do so with URLs... amazon.com, whatever -- they all do it.

Why do you not wish to use URLs?

Justin
[PHP] Sessions without cookies : forms
Hi, thanks for all the replies on my two previous postings relating to sessions and cookies.

I have set my mind on using sessions but without cookies, so that entails passing the SID via relative URLs.

My problem comes in here, when I create a simple login page with a form that sends username and password to the next page, I start_session(); and then in the form action, I append the url with <?=SID?>, but that causes two parse errors.

Warning: Cannot send session cookie - headers already sent by (output started at /home/www/index.php:3) in /home/www/index.php on line 4

Warning: Cannot send session cache limiter - headers already sent (output started at /home/www/index.php:3) in /home/www/index.php on line 4

The code is like so:

    <html>
    <head>
    <?php session_start(); ?>
    </head>
    <body>
    <form name="form1" method="post" action="admin_select_project.php?<?=SID?>">
    <table border="0" cellspacing="0" cellpadding="0">
    <tr bgcolor="#CFCFCF">
    <td colspan="2">Admin Login</td>
    </tr>
    <tr>
    <td>Username:</td>
    <td><input type="text" name="username"></td>
    </tr>
    <tr>
    <td>Password:</td>
    <td><input type="text" name="password"></td>
    </tr>
    <tr>
    <td><input type="submit" name="Submit4" value="Submit"></td>
    </tr>
    </table>
    </form>
    </body>
    </html>

What am I missing...

Thanks
Re: [PHP] Sessions without cookies : forms
You need to start the session before any html.

So:

    <?php session_start(); ?>
    <html>

Cheers!

Rick

Too much caution is bad for you. By avoiding things you fear, you may let yourself in for unhappy consequences. It is usually wiser to stand up to a scary-seeming experience and walk right into it, risking the bruises as hard knocks. You are likely to find it is not as tough as you had thought. Or you may find it plenty tough, but also discover you have what it takes to handle it. - Norman Vincent Peale

From: PHPCoder [EMAIL PROTECTED]
Date: Mon, 22 Jul 2002 08:36:44 +0200
To: php-general [EMAIL PROTECTED]
Subject: [PHP] Sessions without cookies : forms

> Hi, thanks for all the replies on my two previous postings relating to sessions and cookies.
>
> I have set my mind on using sessions but without cookies, so that entails passing the SID via relative URLs.
>
> My problem comes in here, when I create a simple login page with a form that sends username and password to the next page, I start_session(); and then in the form action, I append the url with <?=SID?>, but that causes two parse errors.
>
> Warning: Cannot send session cookie - headers already sent by (output started at /home/www/index.php:3) in /home/www/index.php on line 4
>
> Warning: Cannot send session cache limiter - headers already sent (output started at /home/www/index.php:3) in /home/www/index.php on line 4
>
> The code is like so:
>
> <html>
> <head>
> <?php session_start(); ?>
> </head>
> <body>
> <form name="form1" method="post" action="admin_select_project.php?<?=SID?>">
> <table border="0" cellspacing="0" cellpadding="0">
> <tr bgcolor="#CFCFCF">
> <td colspan="2">Admin Login</td>
> </tr>
> <tr>
> <td>Username:</td>
> <td><input type="text" name="username"></td>
> </tr>
> <tr>
> <td>Password:</td>
> <td><input type="text" name="password"></td>
> </tr>
> <tr>
> <td><input type="submit" name="Submit4" value="Submit"></td>
> </tr>
> </table>
> </form>
> </body>
> </html>
>
> What am I missing...
>
> Thanks
RE: [PHP] Sessions Without Cookies or SID Passing...
> maintain state across requests. This is done in 3 different ways.
>
> 1. Cookies
> 2. URL Mangling
> 3. HTTP Authentication

#4 Passing a SID/Session info in hidden fields, but it means you must push every page move through a submit (which can be done with Javascript, image buttons, etc), depending on what you are trying to do it might be alright...

-GED
[PHP] Sessions Without Cookies or SID Passing...
We have a shopping cart product we're developing in PHP, and I've recently come across a dilemma that I need to find a reliable solution to.

Many of the people who will be shopping on our sites have cookies disabled, which presents a problem when using sessions. Now, I am aware of the fact that we could append the SID constant to every URL, but this will not work for us. None of our sites are dynamic, and updating them is out of the question (We have over 100 sites). As well, someday we intend to sell this software, and we don't want to require that people make their sites fully dynamic to accommodate it.

So, is there any reliable way to emulate sessions without requiring a cookie, or a variable passed in every URL?

Matthew Walker
Senior Software Engineer
ePliant Marketing

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
Re: [PHP] Sessions Without Cookies or SID Passing...
Use standard HTTP authentication over SSL - that's the only other way.

On Tue, 14 May 2002, Matthew Walker wrote:

> We have a shopping cart product we're developing in PHP, and I've recently come across a dilemma that I need to find a reliable solution to.
>
> Many of the people who will be shopping on our sites have cookies disabled, which presents a problem when using sessions. Now, I am aware of the fact that we could append the SID constant to every URL, but this will not work for us. None of our sites are dynamic, and updating them is out of the question (We have over 100 sites). As well, someday we intend to sell this software, and we don't want to require that people make their sites fully dynamic to accommodate it.
>
> So, is there any reliable way to emulate sessions without requiring a cookie, or a variable passed in every URL?
>
> Matthew Walker
> Senior Software Engineer
> ePliant Marketing
Re: [PHP] Sessions Without Cookies or SID Passing...
On Tue, 14 May 2002, Matthew Walker wrote:

> Many of the people who will be shopping on our sites have cookies disabled, which presents a problem when using sessions. Now, I am aware of the fact that we could append the SID constant to every URL, but this will not work for us. None of our sites are dynamic, and updating them is out of the question (We have over 100 sites). As well, someday we intend to sell this software, and we don't want to require that people make their sites fully dynamic to accommodate it.

I don't entirely understand. If your site is not dynamic, then what do you need sessions for?

miguel
RE: [PHP] Sessions Without Cookies or SID Passing...
The sites are not dynamic, but the shopping cart /is/. The problem is, if people don't have cookies on, when they return to the site to order more products, they lose the SID that has been appended to the links inside the cart, and thus lose the contents of their shopping cart.

Matthew Walker
Senior Software Engineer
ePliant Marketing

-----Original Message-----
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 5:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions Without Cookies or SID Passing...

On Tue, 14 May 2002, Matthew Walker wrote:

> Many of the people who will be shopping on our sites have cookies disabled, which presents a problem when using sessions. Now, I am aware of the fact that we could append the SID constant to every URL, but this will not work for us. None of our sites are dynamic, and updating them is out of the question (We have over 100 sites). As well, someday we intend to sell this software, and we don't want to require that people make their sites fully dynamic to accommodate it.

I don't entirely understand. If your site is not dynamic, then what do you need sessions for?

miguel
RE: [PHP] Sessions Without Cookies or SID Passing...
You're not understanding the problem. This is not an authentication situation. We are using sessions to track information about what a customer's OrderID is, and other related information.

Matthew Walker
Senior Software Engineer
ePliant Marketing

-----Original Message-----
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 5:42 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions Without Cookies or SID Passing...

Use standard HTTP authentication over SSL - that's the only other way.

On Tue, 14 May 2002, Matthew Walker wrote:

> We have a shopping cart product we're developing in PHP, and I've recently come across a dilemma that I need to find a reliable solution to.
>
> Many of the people who will be shopping on our sites have cookies disabled, which presents a problem when using sessions. Now, I am aware of the fact that we could append the SID constant to every URL, but this will not work for us. None of our sites are dynamic, and updating them is out of the question (We have over 100 sites). As well, someday we intend to sell this software, and we don't want to require that people make their sites fully dynamic to accommodate it.
>
> So, is there any reliable way to emulate sessions without requiring a cookie, or a variable passed in every URL?
>
> Matthew Walker
> Senior Software Engineer
> ePliant Marketing
RE: [PHP] Sessions Without Cookies or SID Passing...
I am understanding the problem perfectly. HTTP is stateless. You want to maintain state across requests. This is done in 3 different ways.

1. Cookies
2. URL Mangling
3. HTTP Authentication

You said you did not want to do 1 or 2. That only leaves you with HTTP Authentication. HTTP Authentication is really just like a cookie that can't be disabled when it comes down to it.

-Rasmus

On Tue, 14 May 2002, Matthew Walker wrote:

> You're not understanding the problem. This is not an authentication situation. We are using sessions to track information about what a customer's OrderID is, and other related information.
>
> Matthew Walker
> Senior Software Engineer
> ePliant Marketing
>
> -----Original Message-----
> From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 14, 2002 5:42 PM
> To: Matthew Walker
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Sessions Without Cookies or SID Passing...
>
> Use standard HTTP authentication over SSL - that's the only other way.
>
> On Tue, 14 May 2002, Matthew Walker wrote:
>
> > We have a shopping cart product we're developing in PHP, and I've recently come across a dilemma that I need to find a reliable solution to.
> >
> > Many of the people who will be shopping on our sites have cookies disabled, which presents a problem when using sessions. Now, I am aware of the fact that we could append the SID constant to every URL, but this will not work for us. None of our sites are dynamic, and updating them is out of the question (We have over 100 sites). As well, someday we intend to sell this software, and we don't want to require that people make their sites fully dynamic to accommodate it.
> >
> > So, is there any reliable way to emulate sessions without requiring a cookie, or a variable passed in every URL?
> >
> > Matthew Walker
> > Senior Software Engineer
> > ePliant Marketing
RE: [PHP] Sessions Without Cookies or SID Passing...
On Tue, 14 May 2002, Matthew Walker wrote:

> The sites are not dynamic, but the shopping cart /is/. The problem is, if people don't have cookies on, when they return to the site to order more products, they lose the SID that has been appended to the links inside the cart, and thus lose the contents of their shopping cart.

I think you are running into facts of life here. You can only keep track of people using a limited set of mechanisms (which Rasmus has listed). Perhaps with cunning design you could use frames and JavaScript to handle this but it's outside the scope of PHP.

miguel
RE: [PHP] Sessions Without Cookies or SID Passing...
You're missing one method - using the user's IP address

It's not a guaranteed fool-proof method, but if you don't want to use cookies or the URL, then this sorta works.

-----Original Message-----
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 10:04 AM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...

I am understanding the problem perfectly. HTTP is stateless. You want to maintain state across requests. This is done in 3 different ways.

1. Cookies
2. URL Mangling
3. HTTP Authentication

You said you did not want to do 1 or 2. That only leaves you with HTTP Authentication. HTTP Authentication is really just like a cookie that can't be disabled when it comes down to it.

-Rasmus

On Tue, 14 May 2002, Matthew Walker wrote:

> You're not understanding the problem. This is not an authentication situation. We are using sessions to track information about what a customer's OrderID is, and other related information.
>
> Matthew Walker
> Senior Software Engineer
> ePliant Marketing
>
> -----Original Message-----
> From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 14, 2002 5:42 PM
> To: Matthew Walker
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Sessions Without Cookies or SID Passing...
>
> Use standard HTTP authentication over SSL - that's the only other way.
>
> On Tue, 14 May 2002, Matthew Walker wrote:
>
> > We have a shopping cart product we're developing in PHP, and I've recently come across a dilemma that I need to find a reliable solution to.
> >
> > Many of the people who will be shopping on our sites have cookies disabled, which presents a problem when using sessions. Now, I am aware of the fact that we could append the SID constant to every URL, but this will not work for us. None of our sites are dynamic, and updating them is out of the question (We have over 100 sites). As well, someday we intend to sell this software, and we don't want to require that people make their sites fully dynamic to accommodate it.
> >
> > So, is there any reliable way to emulate sessions without requiring a cookie, or a variable passed in every URL?
> >
> > Matthew Walker
> > Senior Software Engineer
> > ePliant Marketing
RE: [PHP] Sessions Without Cookies or SID Passing...
Could you explain how this could be accomplished, because I'm not understanding how to do it.

As I understand HTTP Authentication (correct me if I'm wrong), the user's computer still has to send a 'username/password' pair to perform the authentication. I can't see how this could be used to maintain session data. But maybe my mind is just trapped in a rut. Please enlighten me.

Matthew Walker
Senior Software Engineer
ePliant Marketing

-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 6:04 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...

I am understanding the problem perfectly. HTTP is stateless. You want to maintain state across requests. This is done in 3 different ways.

1. Cookies
2. URL Mangling
3. HTTP Authentication

You said you did not want to do 1 or 2. That only leaves you with HTTP Authentication. HTTP Authentication is really just like a cookie that can't be disabled when it comes down to it.

-Rasmus

On Tue, 14 May 2002, Matthew Walker wrote:

You're not understanding the problem. This is not an authentication situation. We are using sessions to track information about what a customer's OrderID is, and other related information.

Matthew Walker
Senior Software Engineer
ePliant Marketing

-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 5:42 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions Without Cookies or SID Passing...

Use standard HTTP authentication over SSL - that's the only other way.

On Tue, 14 May 2002, Matthew Walker wrote:

We have a shopping cart product we're developing in PHP, and I've recently come across a dilemma that I need to find a reliable solution to.

Many of the people who will be shopping on our sites have cookies disabled, which presents a problem when using sessions.

Now, I am aware of the fact that we could append the SID constant to every URL, but this will not work for us. None of our sites are dynamic, and updating them is out of the question (We have over 100 sites). As well, someday we intend to sell this software, and we don't want to require that people make their sites fully dynamic to accommodate it.

So, is there any reliable way to emulate sessions without requiring a cookie, or a variable passed in every URL?

Matthew Walker
Senior Software Engineer
ePliant Marketing
RE: [PHP] Sessions Without Cookies or SID Passing...
No, it doesn't work at all. All sorts of people are behind proxies. Every AOL user, for example. All these people end up showing up as the same, or at least one of a pool of a few dozen ips. If you use this method millions of users will end up sharing the same shopping cart. That's probably not a good idea.

-Rasmus

On Wed, 15 May 2002, Martin Towell wrote:

You're missing one method - using the user's IP address
It's not a guaranteed fool-proof method, but if you don't want to use cookies or the URL, then this sorta works.

-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 10:04 AM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...

I am understanding the problem perfectly. HTTP is stateless. You want to maintain state across requests. This is done in 3 different ways.

1. Cookies
2. URL Mangling
3. HTTP Authentication

You said you did not want to do 1 or 2. That only leaves you with HTTP Authentication. HTTP Authentication is really just like a cookie that can't be disabled when it comes down to it.

-Rasmus

On Tue, 14 May 2002, Matthew Walker wrote:

You're not understanding the problem. This is not an authentication situation. We are using sessions to track information about what a customer's OrderID is, and other related information.

Matthew Walker
Senior Software Engineer
ePliant Marketing

-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 5:42 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions Without Cookies or SID Passing...

Use standard HTTP authentication over SSL - that's the only other way.

On Tue, 14 May 2002, Matthew Walker wrote:

We have a shopping cart product we're developing in PHP, and I've recently come across a dilemma that I need to find a reliable solution to.

Many of the people who will be shopping on our sites have cookies disabled, which presents a problem when using sessions.

Now, I am aware of the fact that we could append the SID constant to every URL, but this will not work for us. None of our sites are dynamic, and updating them is out of the question (We have over 100 sites). As well, someday we intend to sell this software, and we don't want to require that people make their sites fully dynamic to accommodate it.

So, is there any reliable way to emulate sessions without requiring a cookie, or a variable passed in every URL?

Matthew Walker
Senior Software Engineer
ePliant Marketing
RE: [PHP] Sessions Without Cookies or SID Passing...
> Could you explain how this could be accomplished, because I'm not understanding how to do it.
>
> As I understand HTTP Authentication (correct me if I'm wrong), the user's computer still has to send a 'username/password' pair to perform the authentication. I can't see how this could be used to maintain session data. But maybe my mind is just trapped in a rut. Please enlighten me.

The problem here is not where to store the session data. That's obvious. You store the session data on your server. The real problem is linking the session data (i.e. the contents of a shopping cart) to a specific user so when that same user is surfing through your site, on every request you know which cart is his. And if he goes away and comes back later, you again can go find his cart and you know what is in it.

Ergo, therefore, if you are able to uniquely identify the user you have solved your session problem. HTTP Authentication does this brilliantly. The only difference between cookies and http auth is that with a cookie you send the remote user a unique identifier that is then sent back to you whenever that specific user visits your site. Because this happens automatically and people don't like that, some people turn this off.

With HTTP authentication, instead of doing this automatically you have the user create a profile on your site where part of this will include a unique identifier and a password. Each time the user visits your site this information will be sent exactly like a cookie. Depending on how users configure their browsers they may have to log in at the beginning of a session although these days most browsers have these password managers that make this login procedure trivial.

-Rasmus
RE: [PHP] Sessions Without Cookies or SID Passing...
If it ain't foolproof then only a fool would use it ... IP addresses are just about the worst way to identify anyone.

-Original Message-
From: Martin Towell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 8:17 PM
To: 'Rasmus Lerdorf'; Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...

You're missing one method - using the user's IP address
It's not a guaranteed fool-proof method, but if you don't want to use cookies or the URL, then this sorta works.
RE: [PHP] Sessions Without Cookies or SID Passing...
Especially if they come through a gateway, or use internet connection sharing, you can't tell them apart using IP Addresses.

Warren Vail
Tools, Metrics Quality Processes
(415) 667-7814
Pager (877) 774-9891
215 Fremont 02-658

-Original Message-
From: Mark Charette [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 5:30 PM
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...

If it ain't foolproof then only a fool would use it ... IP addresses are just about the worst way to identify anyone.

-Original Message-
From: Martin Towell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 8:17 PM
To: 'Rasmus Lerdorf'; Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...

You're missing one method - using the user's IP address
It's not a guaranteed fool-proof method, but if you don't want to use cookies or the URL, then this sorta works.
RE: [PHP] Sessions Without Cookies or SID Passing...
Blah. That's a really ugly choice, but I suppose we may end up having to do that. I'd give my kingdom for always-on cookies. Ah well. I'll look into this some more once my current project is finished. Thanks for your advice. (And thanks to everyone else too)

Matthew Walker
Senior Software Engineer
ePliant Marketing

-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 6:26 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...

> Could you explain how this could be accomplished, because I'm not understanding how to do it.
>
> As I understand HTTP Authentication (correct me if I'm wrong), the user's computer still has to send a 'username/password' pair to perform the authentication. I can't see how this could be used to maintain session data. But maybe my mind is just trapped in a rut. Please enlighten me.

The problem here is not where to store the session data. That's obvious. You store the session data on your server. The real problem is linking the session data (i.e. the contents of a shopping cart) to a specific user so when that same user is surfing through your site, on every request you know which cart is his. And if he goes away and comes back later, you again can go find his cart and you know what is in it.

Ergo, therefore, if you are able to uniquely identify the user you have solved your session problem. HTTP Authentication does this brilliantly. The only difference between cookies and http auth is that with a cookie you send the remote user a unique identifier that is then sent back to you whenever that specific user visits your site. Because this happens automatically and people don't like that, some people turn this off.

With HTTP authentication, instead of doing this automatically you have the user create a profile on your site where part of this will include a unique identifier and a password. Each time the user visits your site this information will be sent exactly like a cookie. Depending on how users configure their browsers they may have to log in at the beginning of a session although these days most browsers have these password managers that make this login procedure trivial.

-Rasmus
RE: [PHP] Sessions Without Cookies or SID Passing...
> You're missing one method - using the user's IP address
> It's not a guaranteed fool-proof method, but if you don't want to use cookies or the URL, then this sorta works.

Unless there's a firewall using NAT or a proxy cache involved. I know for a fact that our internal network only ever reports the address of our firewall. We run an Internet kiosk of sorts so if two or three people hit your site from inside our firewall they will all look like the same person. We're not alone in doing this sort of thing.

CYA, Dave
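The two identification schemes argued over in this thread, the client IP address (rejected above because of proxies and NAT) and the HTTP authentication Rasmus describes, side by side as an added example that is not part of any message on the list. The function names, the user store, the passwords and the 192.0.2.10 address are constructed for illustration; the script runs from the PHP command line (7.4 or later).

```php
<?php
// Added example: hypothetical helpers, constructed users and requests.

// Constructed user store: login => password hash.
$users = [
    'alice' => password_hash('constructed-pw-1', PASSWORD_DEFAULT),
    'bob'   => password_hash('constructed-pw-2', PASSWORD_DEFAULT),
];

/** Key a cart by client IP, as proposed in the thread. */
function cart_key_by_ip(array $server): string
{
    return 'ip:' . $server['REMOTE_ADDR'];
}

/**
 * Key a cart by the HTTP Basic credentials PHP exposes as PHP_AUTH_USER
 * and PHP_AUTH_PW. Returns null when the request has to be answered with
 * "401 Unauthorized" and a WWW-Authenticate header instead.
 */
function cart_key_by_http_auth(array $server, array $users): ?string
{
    // Basic auth repeats the password on every request: insist on TLS.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return null;
    }
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';

    // Verify against a throwaway hash for unknown logins, so the response
    // time does not reveal which user names exist.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);

    return ($known && $ok) ? 'user:' . $user : null;
}

/** Replay requests and collect the carts under the chosen key function. */
function fill_carts(array $requests, callable $keyOf): array
{
    $carts = [];
    foreach ($requests as $r) {
        $key = $keyOf($r);
        if ($key === null) {
            continue; // a real handler would send the 401 challenge here
        }
        $carts[$key][] = $r['add'];
    }
    return $carts;
}

// Constructed requests: shoppers behind one NAT/proxy address.
$base = ['REMOTE_ADDR' => '192.0.2.10', 'HTTPS' => 'on'];
$requests = [
    $base + ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'constructed-pw-1', 'add' => 'book'],
    $base + ['PHP_AUTH_USER' => 'bob',   'PHP_AUTH_PW' => 'constructed-pw-2', 'add' => 'lamp'],
    $base + ['PHP_AUTH_USER' => 'bob',   'PHP_AUTH_PW' => 'wrong-password',   'add' => 'tv'],
];

// IP keying: every item lands in one shared cart.
print_r(fill_carts($requests, 'cart_key_by_ip'));
// HTTP auth keying: one cart per verified user, bad password rejected.
print_r(fill_carts($requests, fn($r) => cart_key_by_http_auth($r, $users)));
```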
[PHP] sessions without cookies?
Hi,

can someone point me toward a tutorial that shows how to register info (e.g. username, login status, and user preferences) and do this in a session without using cookies... is this even possible?

thanks!
duirfire

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] sessions without cookies?
You can use URL mode for PHP4 session if you want session w/o cookie.
How about reading this link?

http://www.zend.com/zend/tut/session.php

--
Yasuo Ohgaki

"duirfire" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Hi,

can someone point me toward a tutorial that shows how to register info (e.g. username, login status, and user preferences) and do this in a session without using cookies... is this even possible?

thanks!
duirfire
[PHP] sessions without cookies
How can you get something like:

    header ("Location: $PHP_SELF?");

to redirect with the sessid in the url? In my tests, it redirects, but does not append the sessid.

I have compiled with --enable-trans-sid. Transparent sid is working, I can use it on links like:

    <A HREF="<?php echo "$PHP_SELF?"; ?>">

and it works. I have put this on the links on my page, so that the session will be kept even if the user has cookies disabled.

But if the user (who has cookies disabled) clicks on the browser back button, they go back to the first page and start a new session.

Is there a way to redirect this first page back to itself quickly, with the sessid in the url, so that even a user with cookies disabled will not lose the session if they use the browser back or reload buttons?

Thanks,
Doug
Re: [PHP] sessions without cookies
> How can you get something like:
>
>     header ("Location: $PHP_SELF?");
>
> to redirect with the sessid in the url? In my tests, it redirects, but does not append the sessid.
>
> I have compiled with --enable-trans-sid. Transparent sid is working, I can use it on links like:
>
>     <A HREF="<?php echo "$PHP_SELF?"; ?>">
>
> and it works. I have put this on the links on my page, so that the session will be kept even if the user has cookies disabled.
>
> But if the user (who has cookies disabled) clicks on the browser back button, they go back to the first page and start a new session.
>
> Is there a way to redirect this first page back to itself quickly, with the sessid in the url, so that even a user with cookies disabled will not lose the session if they use the browser back or reload buttons?

*maybe* you can use

    header("Location: $PHP_SELF?$PHP_SESSID");

(or whatever variable is holding the session id...)

But you might just be testing with a broken browser that is doing caching in a bad/weird way... Test with some other browsers before you get too carried away, and be sure you know what's happening.

--
Visit the Zend Store at http://www.zend.com/store/
Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
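Transparent SID rewriting is applied to links in the HTML PHP outputs, not to headers sent with header(), which is why the redirect in the question arrives without the id. One way to build the Location value by hand, as an added example that is not code from the thread: the helper names url_with_sid and sid_redirect are hypothetical and the request values are constructed so the script runs from the command line.

```php
<?php
// Added example: hypothetical helpers, constructed request values.

/** Append the session id to a same-site URL for use in a Location header. */
function url_with_sid(string $url, string $name, string $id): string
{
    // Absolute and protocol-relative URLs may point at another host:
    // never hand the session id to them.
    if (preg_match('#^(?:[a-z][a-z0-9+.-]*:|//)#i', $url)) {
        return $url;
    }
    // Keep any #fragment at the very end of the result.
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    // Join with '?' or '&' depending on what the URL already carries.
    if (strpos($url, '?') === false) {
        $sep = '?';
    } elseif (in_array(substr($url, -1), ['?', '&'], true)) {
        $sep = '';
    } else {
        $sep = '&';
    }
    return $url . $sep . rawurlencode($name) . '=' . rawurlencode($id) . $fragment;
}

/**
 * Decide whether the entry page must bounce to itself with the id in the
 * URL: only when the request carried the id neither as a cookie nor in
 * the query string. Returns the Location value, or null for no redirect.
 */
function sid_redirect(array $cookie, array $get, string $self,
                      string $name, string $id): ?string
{
    if (isset($cookie[$name]) || isset($get[$name])) {
        return null;
    }
    return url_with_sid($self, $name, $id);
}

// In a page, after session_start(), the call would be:
//   $to = sid_redirect($_COOKIE, $_GET, $_SERVER['PHP_SELF'],
//                      session_name(), session_id());
//   if ($to !== null) { header("Location: $to"); exit; }

// Constructed requests.
$id = bin2hex(random_bytes(16)); // stand-in for session_id()
var_dump(sid_redirect([], [], '/cart.php', 'PHPSESSID', $id));
var_dump(sid_redirect([], ['PHPSESSID' => $id], '/cart.php', 'PHPSESSID', $id));
var_dump(url_with_sid('/cart.php?item=3#top', 'PHPSESSID', $id));
var_dump(url_with_sid('//other.example/x', 'PHPSESSID', $id));
```

An id carried in the URL ends up in browser history, server logs and Referer headers, so a site that relies on it should enable session.use_strict_mode and call session_regenerate_id() when the user logs in.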
[PHP] sessions without cookies?
Would there be any point in using php sessions if you aren't using cookies? You have to store login info anyway, why not just use a temp table to store transaction info and write to the database at the end of a session? From what I've read on sessions, you have to use cookies

thanks
Re: [PHP] sessions without cookies?
if you're only storing one or two variables in a db, don't mind writing either functions to store all this in the db, or having 5-10 lines of code per page to do this then fine. But sessions are so simple...

    <?php
    session_start();

    $test[] = '123';
    $test[] = '456';
    $test[] = '789';

    $someclass = new product_class();
    $SessionID = time();

    // register each variable with the session by name
    session_register('test');
    session_register('someclass');
    session_register('SessionID');
    ?>

three lines of code, I can store text, arrays, classes all in three lines of code, four if you count session_start(). now once those vars have been registered you no longer have to execute session_register() every time you change something, it's all automatic.

I use sessions because they are so simple. I can't say for sure but a good guess would be that file I/O from sessions would be less overhead than mysql_db overhead.

--
Chris Lee
Mediawaveonline.com
[EMAIL PROTECTED]

"Noel Akins" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Would there be any point in using php sessions if you aren't using cookies? You have to store login info anyway, why not just use a temp table to store transaction info and write to the database at the end of a session? From what I've read on sessions, you have to use cookies

thanks