Re: [PHP] sessions without cookies *or* URLs
John, et al --

...and then John W. Holmes said...
% You can pass the session ID in a form, too. Just use POST, and make it a
% hidden element passed to the next page.

Yeah, I figured that.

% <input type="hidden" name="PHPSESSID" value="<?=$PHPSESSID?>">
%
% It's no different than passing it in the URL. I hope you're not thinking

Except the URL is cleaner :-)

% that it's more secure by doing it this way. Either way the data is
% coming from the user and it can't be trusted and it can be modified.

Agreed.

% I don't know what this phobia is about passing something in the URL...

First, it's just plain cluttered :-)

Second, though, it would be nice to not put the user's password right in
the URL to then hang out in his browser goto cache, so we have to change
*something*, and if we can clean up the URL while we're at it that would
be nice.

% ---John Holmes...

Thanks HAND

:-D
--
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
Re: [PHP] sessions without cookies *or* URLs
Justin, et al --

...and then Justin French said...
% on 07/10/02 11:32 AM, David T-G ([EMAIL PROTECTED]) wrote:
%
% > It's a start; it confirms some of what I think I understand about
% > sessions. Now if only I can get the session ID out of the URL without
% > using any cookies... Any ideas, anyone?
%
% I thought I made it clear, but I'll try again :)

Thanks :-)

% You have three options for maintaining state:
%
% - Cookies
% - URL
% - POSTed forms

OK. I was afraid of that...

% The most common method is plain cookies. But if you want guaranteed state,

Sure, but I know that cookies won't work, so that rules them out.

% then URL is the answer. My main problem with the URL method is that it
% requires the writer(s) to be careful when typing links... ensuring that they

Exactly. It's cluttered and you have to be sure to get it right if you're
typing it in.

% have the session ID in them. Impossible for a CMS. The answer is
% enable_trans_sid.

Well, sorta :-)

% More and more hosts are compiling with enable_trans_sid... what this does
% is: attempt to pass the SID around in a cookie. If this fails, it will

Right.

% re-write any relative URLs in your pages to include the session ID... it's

So I can code without having to put the ID on the URLs myself? So the
transparent-ness is for the programmer? Well, I do like that...

% the best of both worlds... transparent cookies if possible, otherwise the
% SID is passed around in a URL.

Right.

% So, this rules out a complaint about complicated URLs, because you don't
% have to type them.

I may not have to type it as a programmer, but the user might have to
type it as a surfer.

% I urge you to look around all the big sites... if they need to maintain
% state (a session) they do so with URLs... amazon.com, whatever -- they all
% do it.

Yeah, I know.

% Why do you not wish to use URLs?

Because they're cluttered and it puts the session ID also in the user's
goto cache.

% Justin

Thanks HAND

:-D
--
David T-G
Re: [PHP] sessions without cookies *or* URLs
on 07/10/02 7:18 PM, David T-G ([EMAIL PROTECTED]) wrote:

> % re-write any relative URLs in your pages to include the session ID... it's
>
> So I can code without having to put the ID on the URLs myself? So the
> transparent-ness is for the programmer? Well, I do like that...

Yes.

> % So, this rules out a complaint about complicated URLs, because you don't
> % have to type them.
>
> I may not have to type it as a programmer, but the user might have to
> type it as a surfer.

Nope. Why would they type it? The session is managed by PHP's session
functions... if 'page.php' has a session_start() call, it will assign a
PHPSESSID.

Yes, they may accidentally bookmark or favourite a session ID, and you'd
have to read up / test on the implications of this, but given there are
only three options, you have to work through them. If they work for
amazon, they can work for you...

If you rule out cookies and POST, then guess what you're left with :)

Justin

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] sessions without cookies *or* URLs
> % The most common method is plain cookies. But if you want guaranteed state,
>
> Sure, but I know that cookies won't work, so that rules them out.

Won't work, or you don't want to use them?

> % So, this rules out a complaint about complicated URLs, because you don't
> % have to type them.
>
> I may not have to type it as a programmer, but the user might have to
> type it as a surfer.

Why would the user have to type in a URL with a session id? Your session
ids are only good while the user is active and they will expire after a
certain amount of time.

> % Why do you not wish to use URLs?
>
> Because they're cluttered and it puts the session ID also in the user's
> goto cache.

Again, why does that matter because that ID is only good while the user
is active. When they log out, it's worthless, or after a certain amount
of inactive time, it's worthless...

---John Holmes...
[PHP] sessions without cookies *or* URLs
Hi, all --

I've seen a recent flurry of discussion on sessions, and that's good;
lovely how that has shown up just as I need to dig into sessions.

I think I've come to understand, though, that you can't manage sessions
without either URL extensions or cookies, and that's bad (for me, at
least). Is that a correct understanding?

It seems that using forms to pass the session token would work, but that
means having all buttons instead of links, which has its own
disadvantages. Is there any other way to get data to the server?

We currently use the URL to pass variables but we don't want to hang the
page password out there :-) and so we have to move away from that
somehow, and it would be nice if we could get away from URL mangling
entirely. Cookies aren't an option, though.

TIA HAND

:-D
--
David T-G
Re: [PHP] sessions without cookies *or* URLs
I think you're under a little misconception about how sessions are used.

Maintaining a session is simply just having a unique identifier for each
user, so that the server can recognise the user from page to page,
maintaining state.

Typically this is done by passing a session id around in the URL or
cookies or POSTing forms. A session ID is typically a long unique number
-- that's it.

What you then do is associate or register data TO that Session ID... this
data is stored on the SERVER, and NOT passed around in the URL.

So you pass around PHPSESSID=198235021612423 in the url or a cookie, and
assign data to that session... all of which is stored server side.

The session with the id 198235021612423 may have a username, password,
shoe size, favourite colour, etc etc all attached to it, done with either:

$_SESSION['shoesize'] = 14; // new register globals OFF method

or

$shoesize = 14;
session_register('shoesize'); // old method

Therefore, I can see no need for anything other than the session ID to be
passed around in the URL.

Hope this clears it up!

Justin French

on 06/10/02 9:26 PM, David T-G ([EMAIL PROTECTED]) wrote:

> Hi, all --
>
> I've seen a recent flurry of discussion on sessions, and that's good;
> lovely how that has shown up just as I need to dig into sessions.
>
> I think I've come to understand, though, that you can't manage sessions
> without either URL extensions or cookies, and that's bad (for me, at
> least). Is that a correct understanding?
>
> It seems that using forms to pass the session token would work, but that
> means having all buttons instead of links, which has its own
> disadvantages. Is there any other way to get data to the server?
>
> We currently use the URL to pass variables but we don't want to hang the
> page password out there :-) and so we have to move away from that
> somehow, and it would be nice if we could get away from URL mangling
> entirely. Cookies aren't an option, though.
>
> TIA HAND
>
> :-D
Re: [PHP] sessions without cookies *or* URLs
Justin, et al --

...and then Justin French said...
% I think you're under a little misconception about how sessions are used.

Perhaps. I'm new to them :-)

% Maintaining a session is simply just having a unique identifier for each
% user, so that the server can recognise the user from page to page,
% maintaining state.

Right. And since it can recognize the user, it can store all sorts of
things for him, like the fact that he's been authenticated and what
function he did last and so on. Right?

% Typically this is done by passing a session id around in the URL or cookies
% or POSTing forms. A session ID is typically a long unique number -- that's
% it.

Right. But it's the "in the URL or cookies" that's a problem for me.

% What you then do is associate or register data TO that Session ID... this data
% is stored on the SERVER, and NOT passed around in the URL.

I understand enough that the data itself isn't in the URL, and that's
good (because some of these page comments get long!).

% So you pass around PHPSESSID=198235021612423 in the url or a cookie, and
% assign data to that session... all of which is stored server side.

Are those the only ways that I can pass it around? Is there anything
else? [Note that I've come to the conclusion that they are and there
isn't except perhaps a POST form, but I'd love to be pleasantly
surprised.]

% The session with the id 198235021612423 may have a username, password, shoe
% size, favourite colour, etc etc all attached to it, done with either:

Good deal; that's what I like.

% $_SESSION['shoesize'] = 14; // new register globals OFF method
%
% or
%
% $shoesize = 14;
% session_register('shoesize'); // old method

Right.

% Therefore, I can see no need for anything other than the session ID to be
% passed around in the URL.
%
% Hope this clears it up!

It's a start; it confirms some of what I think I understand about
sessions. Now if only I can get the session ID out of the URL without
using any cookies... Any ideas, anyone?

% Justin French

TIA HAND

:-D
--
David T-G
RE: [PHP] sessions without cookies *or* URLs
You can pass the session ID in a form, too. Just use POST, and make it a
hidden element passed to the next page.

<input type="hidden" name="PHPSESSID" value="<?=$PHPSESSID?>">

It's no different than passing it in the URL. I hope you're not thinking
that it's more secure by doing it this way. Either way the data is
coming from the user and it can't be trusted and it can be modified.

I don't know what this phobia is about passing something in the URL...

---John Holmes...

-----Original Message-----
From: David T-G [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 06, 2002 9:33 PM
To: PHP General list
Cc: Justin French
Subject: Re: [PHP] sessions without cookies *or* URLs

Justin, et al --

...and then Justin French said...
% I think you're under a little misconception about how sessions are used.

Perhaps. I'm new to them :-)

% Maintaining a session is simply just having a unique identifier for each
% user, so that the server can recognise the user from page to page,
% maintaining state.

Right. And since it can recognize the user, it can store all sorts of
things for him, like the fact that he's been authenticated and what
function he did last and so on. Right?

% Typically this is done by passing a session id around in the URL or cookies
% or POSTing forms. A session ID is typically a long unique number -- that's
% it.

Right. But it's the "in the URL or cookies" that's a problem for me.

% What you then do is associate or register data TO that Session ID... this data
% is stored on the SERVER, and NOT passed around in the URL.

I understand enough that the data itself isn't in the URL, and that's
good (because some of these page comments get long!).

% So you pass around PHPSESSID=198235021612423 in the url or a cookie, and
% assign data to that session... all of which is stored server side.

Are those the only ways that I can pass it around? Is there anything
else? [Note that I've come to the conclusion that they are and there
isn't except perhaps a POST form, but I'd love to be pleasantly
surprised.]

% The session with the id 198235021612423 may have a username, password, shoe
% size, favourite colour, etc etc all attached to it, done with either:

Good deal; that's what I like.

% $_SESSION['shoesize'] = 14; // new register globals OFF method
%
% or
%
% $shoesize = 14;
% session_register('shoesize'); // old method

Right.

% Therefore, I can see no need for anything other than the session ID to be
% passed around in the URL.
%
% Hope this clears it up!

It's a start; it confirms some of what I think I understand about
sessions. Now if only I can get the session ID out of the URL without
using any cookies... Any ideas, anyone?

% Justin French

TIA HAND

:-D
--
David T-G
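
The hidden-field transport from the message above, combined with the inactivity expiry John Holmes mentions elsewhere in the thread, as an added example that is not code from any poster. The posted ID is handled as untrusted input; IDLE_LIMIT and next.php are assumed names for illustration.

```php
<?php
// Added example, not code from the thread. IDLE_LIMIT and next.php are
// assumptions made for illustration.
const IDLE_LIMIT = 900; // seconds of inactivity before the session is dropped

ini_set('session.use_cookies', '0');     // this site cannot use cookies
ini_set('session.use_trans_sid', '0');   // keep the ID out of rewritten URLs
ini_set('session.use_strict_mode', '1'); // replace IDs the server never issued

// The posted ID is user input: accept only the characters the default
// file-based handler allows, and ignore anything else.
$posted = $_POST['PHPSESSID'] ?? '';
if (is_string($posted) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $posted)) {
    session_id($posted);
}
session_start();

// Idle expiry: a stale ID (from a saved page, say) gets a fresh, empty session.
$now = time();
if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
    $_SESSION = [];
    session_regenerate_id(true); // delete the old session data, issue a new ID
}
$_SESSION['last_seen'] = $now;
?>
<form method="post" action="next.php">
  <input type="hidden" name="PHPSESSID"
         value="<?= htmlspecialchars(session_id(), ENT_QUOTES) ?>">
  <input type="submit" value="Continue">
</form>
```

POST keeps the ID out of the address bar and browser history, but it is still visible in the page source and still supplied by the client, which is why the server-side checks carry the weight.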
Re: [PHP] sessions without cookies *or* URLs
on 07/10/02 11:32 AM, David T-G ([EMAIL PROTECTED]) wrote:

> It's a start; it confirms some of what I think I understand about
> sessions. Now if only I can get the session ID out of the URL without
> using any cookies... Any ideas, anyone?

I thought I made it clear, but I'll try again :)

You have three options for maintaining state:

- Cookies
- URL
- POSTed forms

The most common method is plain cookies. But if you want guaranteed
state, then URL is the answer. My main problem with the URL method is
that it requires the writer(s) to be careful when typing links...
ensuring that they have the session ID in them. Impossible for a CMS.
The answer is enable_trans_sid.

More and more hosts are compiling with enable_trans_sid... what this does
is: attempt to pass the SID around in a cookie. If this fails, it will
re-write any relative URLs in your pages to include the session ID...
it's the best of both worlds... transparent cookies if possible,
otherwise the SID is passed around in a URL.

So, this rules out a complaint about complicated URLs, because you don't
have to type them.

I urge you to look around all the big sites... if they need to maintain
state (a session) they do so with URLs... amazon.com, whatever -- they
all do it.

Why do you not wish to use URLs?

Justin