RE: [PHP] Re: session cookies enabled?
On 09 May 2007 16:36, [EMAIL PROTECTED] wrote:

> Ford, Mike writes:
>>>> You can also set up php.ini and use the built-in sessions with http://php.net/session_start so that PHP will take care of this for you.
>>> That is what I was intending to do. How do I find out whether or not the session cookie was accepted using the built-in sessions? I found no function for such a test.
>> Check the SID constant after you've done session_start(). If it has an empty value, the session is using cookies; otherwise, it'll have a value of the form 'sessionname=sessionid', which is what is appended to the URL (or inserted in forms as a hidden value) to propagate the session-id.
> Interesting idea. This brings up a question. In order to decide whether to use cookies or SID the built-in sessions must be testing to see if the user's browser will accept the session cookies. How do they do that?

By sending it out and checking to see whether it comes back on the next page.

Assuming your setup is:

    session.use_cookies = On
    session.use_only_cookies = Off
    session.use_trans_sid = On

Then the sequence is this:

1. The first page involving a session will *both* send the cookie *and* append the SID to URLs in the page.
2. So the next page request will return the SID, and if cookies are enabled also the cookie.
3. On starting the session for this page, PHP will first look for the cookie: if it's present, its value will be used and SID defined as empty; if not, the browser must not be accepting cookies, so the value from the URL query string is used and SID is defined with the matching string.
4. PHP now knows whether cookies are in use *for this request*, and *either* sends the cookie *or* appends the SID to URLs in the page.
5. Requests from this page will thus *either* return the cookie *or* include the SID as a URL get parameter.
6. Go back to 3.

Note that with this setup, you will *always* get at least one request with the SID in the URL. Any site that doesn't do this has use_only_cookies turned on or/and use_trans_sid turned off.

> If they do it by the 2 page, send a cookie and see if it comes back to the second page method we have been talking about, then somehow, they are surreptitiously inserting a forward to a non-existent page! Right? How do they do that?

No, see above: they simply wait for the next regular page request to come in and see if the cookie came with it. Nothing surreptitious or super-clever.

Cheers!

Mike

-
Mike Ford, Electronic Information Services Adviser, JG125, The Headingley Library, James Graham Building, Leeds Metropolitan University, Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 812 4730 Fax: +44 113 812 3211

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
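The six-step sequence in the message above can be replayed for a browser that keeps cookies and for one that refuses them. This is an added example, not code from the thread and not PHP's internal implementation; the function names `resolveSession` and `replay` are hypothetical and the cookie name `PHPSESSID` is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Model of the decision described for
 *   session.use_cookies = On, session.use_only_cookies = Off, session.use_trans_sid = On
 * An illustration of the sequence only, not PHP's own code.
 */
function resolveSession(string $name, array $cookies, array $query): array
{
    if (isset($cookies[$name])) {
        // Step 3, cookie came back: use it, SID is empty, stop rewriting URLs.
        return ['id' => $cookies[$name], 'via' => 'cookie', 'sid' => '', 'rewrite' => false];
    }
    if (isset($query[$name])) {
        // Step 3, no cookie but an id in the URL: keep propagating it in URLs.
        $id = $query[$name];
        return ['id' => $id, 'via' => 'url', 'sid' => "$name=$id", 'rewrite' => true];
    }
    // Step 1, first page of the session: send the cookie AND rewrite URLs.
    $id = bin2hex(random_bytes(16));
    return ['id' => $id, 'via' => 'new', 'sid' => "$name=$id", 'rewrite' => true];
}

/** Replays page loads for one browser and returns the URLs it requested. */
function replay(bool $browserKeepsCookies, int $requests = 3): array
{
    $name = 'PHPSESSID';   // assumed session name
    $cookies = [];         // the browser's cookie jar
    $query = [];           // query string of the link the user follows next
    $urls = [];
    for ($i = 1; $i <= $requests; $i++) {
        $urls[] = "/page$i" . ($query ? '?' . http_build_query($query) : '');
        $s = resolveSession($name, $cookies, $query);
        // Step 4: the cookie is sent unless the URL method is in use;
        // a browser that refuses cookies simply drops it.
        if ($browserKeepsCookies && $s['via'] !== 'url') {
            $cookies[$name] = $s['id'];
        }
        // Links in the returned page carry the id only while rewriting is on.
        $query = $s['rewrite'] ? [$name => $s['id']] : [];
    }
    return $urls;
}

foreach ([true, false] as $keeps) {
    echo $keeps ? "cookies accepted:\n" : "cookies refused:\n";
    foreach (replay($keeps) as $url) {
        echo "  $url\n";
    }
}
```

With cookies accepted, only the second request carries the id in its URL; with cookies refused, every request after the first does.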
RE: [PHP] Re: session cookies enabled?
Mike,

Thanks for the super clear explanation.

>> This brings up a question. In order to decide whether to use cookies or SID the built-in sessions must be testing to see if the user's browser will accept the session cookies. How do they do that?
> By sending it out and checking to see whether it comes back on the next page.
> ...

That being the case I can never find out (using the built-in sessions) until the second page request and it will always include the session cookie in the URL. Which means the value of the session cookie will be exposed, even if I am using SSL. :(

Back to the drawing board...

Best,

Craig

--
Craig Spencer
[EMAIL PROTECTED]
Re: [PHP] Re: session cookies enabled?
[EMAIL PROTECTED] wrote:

> That being the case I can never find out (using the built-in sessions) until the second page request and it will always include the session cookie in the URL. Which means the value of the session cookie will be exposed, even if I am using SSL. :( Back to the drawing board...

While using TRANS IDs is ugly, they will show no more or less information to the user than a session cookie contains. Most browsers have built-in support for viewing cookie contents these days. Doing so will show your PHP Session ID clearly. Trans IDs are no different, just more 'obvious' being in the URL and all. The actual data displayed is the same however.

Cheers,

Rich

--
Zend Certified Engineer
http://www.corephp.co.uk

Never trust a computer you can't throw out of a window
Re: [PHP] Re: session cookies enabled?
On May 10, 2007, at 11:40 AM, Richard Davey wrote:

> [EMAIL PROTECTED] wrote:
>> That being the case I can never find out (using the built-in sessions) until the second page request and it will always include the session cookie in the URL. Which means the value of the session cookie will be exposed, even if I am using SSL. :( Back to the drawing board...
> While using TRANS IDs is ugly, they will show no more or less information to the user than a session cookie contains. Most browsers have built-in support for viewing cookie contents these days. Doing so will show your PHP Session ID clearly. Trans IDs are no different, just more 'obvious' being in the URL and all. The actual data displayed is the same however.

And the session id is open to being stored in a bookmark or worse, sent to someone else through a cut and paste of the URL. Depending on what information that id controls and how long the sessions are kept around, IDs in the URL could be a very bad thing indeed.

Ed
Re: [PHP] Re: session cookies enabled?
Edward Vermillion wrote:

> And the session id is open to being stored in a bookmark or worse, sent to someone else through a cut and paste of the URL. Depending on what information that id controls and how long the sessions are kept around, IDs in the URL could be a very bad thing indeed.

Agreed (depending entirely on how your app was written), my point was simply that a trans ID will never give away anything more than a cookie does. In that respect, they're identical.

Cheers,

Rich

--
Zend Certified Engineer
http://www.corephp.co.uk

Never trust a computer you can't throw out of a window
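The bookmark and copy-paste exposure discussed in this sub-thread does not arise when the id is never read from or written into a URL. The following is an added example, not code from any poster: a cookie-only session bootstrap using the same three php.ini settings quoted earlier in the thread, with hypothetical function names and an HTTPS deployment assumed.

```php
<?php
declare(strict_types=1);

/**
 * Cookie-only counterpart of the settings quoted in the thread
 * (use_cookies = On, use_only_cookies = Off, use_trans_sid = On).
 * Must run before any output. Function names are hypothetical.
 */
function startCookieOnlySession(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1'); // ignore an id arriving in the URL
    ini_set('session.use_trans_sid', '0');    // never append the id to links or forms
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,      // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // not readable from page script
        'samesite' => 'Lax',
    ]);
    session_start();
}

/**
 * True once the browser has sent the session cookie back. On the very first
 * request this is false for every visitor (the two-request limit described
 * in the thread), so serve content that needs no session until it is true.
 */
function sessionCookieReturned(): bool
{
    return isset($_COOKIE[session_name()]);
}

/** Issue a fresh id at login so an id seen before authentication is useless. */
function logIn(string $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}

startCookieOnlySession();
if (!sessionCookieReturned()) {
    // First visit, or cookies are disabled: no id is leaked into any URL.
    echo "This site needs cookies to keep you logged in.\n";
}
```

The trade-off is the one raised in the thread: a visitor whose browser refuses cookies gets no session at all instead of an id in the URL.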
RE: [PHP] Re: session cookies enabled?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 08 May 2007 20:57

>> You can also set up php.ini and use the built-in sessions with http://php.net/session_start so that PHP will take care of this for you.
> That is what I was intending to do. How do I find out whether or not the session cookie was accepted using the built-in sessions? I found no function for such a test.

Check the SID constant after you've done session_start(). If it has an empty value, the session is using cookies; otherwise, it'll have a value of the form 'sessionname=sessionid', which is what is appended to the URL (or inserted in forms as a hidden value) to propagate the session-id.

Cheers!

Mike

Mike Ford, Electronic Information Services Adviser, JG125, The Headingley Library, James Graham Building, Headingley Campus, Beckett Park, LEEDS, LS6 3QS United Kingdom
Tel: +44 113 812 4730 Fax: +44 113 812 3211

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
[PHP] Re: session cookies enabled?
Ford, Mike writes:

>>> You can also set up php.ini and use the built-in sessions with http://php.net/session_start so that PHP will take care of this for you.
>> That is what I was intending to do. How do I find out whether or not the session cookie was accepted using the built-in sessions? I found no function for such a test.
> Check the SID constant after you've done session_start(). If it has an empty value, the session is using cookies; otherwise, it'll have a value of the form 'sessionname=sessionid', which is what is appended to the URL (or inserted in forms as a hidden value) to propagate the session-id.

Interesting idea.

This brings up a question. In order to decide whether to use cookies or SID the built-in sessions must be testing to see if the user's browser will accept the session cookies. How do they do that?

If they do it by the 2 page, send a cookie and see if it comes back to the second page method we have been talking about, then somehow, they are surreptitiously inserting a forward to a non-existent page! Right? How do they do that?

Best,

Craig

--
Craig Spencer
[EMAIL PROTECTED]
Re: [PHP] Re: session cookies enabled?
On Wed, May 9, 2007 10:36 am, [EMAIL PROTECTED] wrote:

> This brings up a question. In order to decide whether to use cookies or SID the built-in sessions must be testing to see if the user's browser will accept the session cookies. How do they do that?

The same way you would do it.

Actually, they might have just used:

    $cookie_name = session_name();
    if (isset($_COOKIE[$cookie_name])){
      // the cookie came back: use it
      $session_id = $_COOKIE[$cookie_name];
    }
    elseif (isset($_REQUEST[$cookie_name])){
      // no cookie: fall back to the id passed in the URL or form
      $session_id = $_REQUEST[$cookie_name];
    }
    else{
      // neither: start a new session
      $session_id = uniqid();
    }

> If they do it by the 2 page, send a cookie and see if it comes back to the second page method we have been talking about, then somehow, they are surreptitiously inserting a forward to a non-existent page! Right? How do they do that?

No, that's not how it works.

JUST send the dang cookie on every page.

And check if it's there on every page.

And whatever first page the user gets to, with no cookie, be sure you send them suitable content for having no cookie.
[PHP] Re: session cookies enabled?
Richard Lynch writes:

>> How does one check to see if the user's browser accepts session cookies?

Apparently I should have said cookie and left off the 's' as that is what I had in mind.

> Send one cookie, see if it comes back, and if it does, tie everything to that cookie.

OK. So how do I see if it comes back? I send the user a page that tries to set a session cookie. That page would then have to forward him to a second page which would check for the cookie being sent. Right? So there is nothing I can check so I can do it with a single page?

> You can also set up php.ini and use the built-in sessions with http://php.net/session_start so that PHP will take care of this for you.

That is what I was intending to do. How do I find out whether or not the session cookie was accepted using the built-in sessions? I found no function for such a test.

Best,

Craig

--
Craig Spencer
[EMAIL PROTECTED]
[PHP] Re: session cookies enabled?
    setcookie('cookie_name', 'value');
    // redirect to another page using header
    header('Location: ' . $your_url);
    exit; // nothing below runs on this page

    // check in $your_url for the presence of the cookie
    if (isset($_COOKIE['cookie_name']) && $_COOKIE['cookie_name'] == 'value') {
        // cookies are enabled - add your code
    }
    else {
        // cookies are disabled - add your code
    }

Hope that helps!

--
itoctopus - http://www.itoctopus.com

[EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Richard Lynch writes:
>>> How does one check to see if the user's browser accepts session cookies?
> Apparently I should have said cookie and left off the 's' as that is what I had in mind.
>> Send one cookie, see if it comes back, and if it does, tie everything to that cookie.
> OK. So how do I see if it comes back? I send the user a page that tries to set a session cookie. That page would then have to forward him to a second page which would check for the cookie being sent. Right? So there is nothing I can check so I can do it with a single page?
>> You can also set up php.ini and use the built-in sessions with http://php.net/session_start so that PHP will take care of this for you.
> That is what I was intending to do. How do I find out whether or not the session cookie was accepted using the built-in sessions? I found no function for such a test.
>
> Best,
> Craig
Re: [PHP] Re: session cookies enabled?
On Tue, May 8, 2007 2:56 pm, [EMAIL PROTECTED] wrote:

> Richard Lynch writes:
>> Send one cookie, see if it comes back, and if it does, tie everything to that cookie.
> OK. So how do I see if it comes back?

    if (isset($_COOKIE['foo'])){
      //cookie came back
    }
    else{
      //cookie did NOT come back
    }

> I send the user a page that tries to set a session cookie. That page would then have to forward him to a second page which would check for the cookie being sent. Right?

Yes.

Send the cookie with the homepage, login page, or whatever they are first going to see.

Don't show them anything they shouldn't see without the cookie.

Check if they have a cookie.

It's probably best to just do all this in an include file that you pull in on any page that needs cookies.

You can even make the include file abort the rest of the page output if you want to require them to login with a valid session before going any further.

> So there is nothing I can check so I can do it with a single page?

Oh. No.

It does seem like that would be a Nifty thing for the browser to have sent with the first request, but that's just not the way it works.

It's an inherent 2-request process.

HTTP Request -> Reply with Cookie -> HTTP Request with Cookie (or not)

You'd have to duke it out with Mozilla and Microsoft to get that to change, and they probably aren't gonna want to send a pre-acceptance-of-cookie letter of intent with every HTTP request... Especially not when the vast majority of HTTP requests don't need cookies anyway... Well, I never did a statistical analysis of that, but across the 'net as whole? Yeah, I think it's a pretty safe statement...

>> You can also set up php.ini and use the built-in sessions with http://php.net/session_start so that PHP will take care of this for you.
> That is what I was intending to do. How do I find out whether or not the session cookie was accepted using the built-in sessions?

You don't.

You turn on the Cookies and the trans_sid in php.ini, and let PHP worry about whether it was cookies or not and re-write your URLs if it wasn't. Or maybe it just re-writes them no matter what anyway, but prefers the Cookie if it's there? Whatever.

If, after doing that, you still feel the need to know if they used a cookie or not, then you can use http://php.net/set_session_params and choose a cookie/session name, and then you can test with:

    if (isset($_COOKIE['whatever_you_chose_in_set_session_params'])){
    }

and then you'll know if they used Cookies or Trans SID in URL...

But you won't really care, as all the info you need is in $_SESSION either way, so it doesn't matter if they used a cookie or the ID in the URL or sent a little squirrel along the wire with an engraved acorn.
Re: [PHP] Re: session cookies enabled?
On Tue, May 8, 2007 5:50 pm, itoctopus wrote:

>     setcookie('cookie_name', 'value');
>     // redirect to another page using header
>     header('Location: ' . $your_url);

This will fail on some legacy browsers, if you need legacy browser support.

In *MOST* architectures, your visitor can be given the cookie on a page before the cookie-needing page, or they can be given alternate content (i.e., a login) until you are happy with whatever cookie (and its implied state of existence) are presented.
RE: [PHP] Re: Session cookies
I don't use cookies when I use sessions.. Saves hassles

Regards

Chris Kay

-----Original Message-----
From: Erwin [mailto:erwin;isiz.com]
Sent: Monday, 4 November 2002 6:50 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Re: Session cookies

> When the user logs in, i create a session with session variables, the session cookie is saved on clients computer.
>
> When i log off i say
>
>     session_unset();
>     session_destroy();
>     setcookie(session_name());
>
> The session in the tmp is deleted, but the cookie is still there, i know this because when i login, the same session id is used! Why is that?

Because you use the same session to connect from client to server. You don't close your browser, don't wait 20 minutes (or something like that), so the webserver knows you are the same. The session between the client and server is not yet gone.

It's also possible that you need to set your cookie in the past. You're just setting a cookie with setcookie(session_name()). If you want it destroyed, set it some time ago, like setcookie(session_name(), '', time() - 3600).

> The session id changes when you close the browser, as the default is 0.

Not because default is 0, but because there isn't any session yet.

HTH

Erwin
[PHP] Re: Session cookies
> When the user logs in, i create a session with session variables, the session cookie is saved on clients computer.
>
> When i log off i say
>
>     session_unset();
>     session_destroy();
>     setcookie(session_name());
>
> The session in the tmp is deleted, but the cookie is still there, i know this because when i login, the same session id is used! Why is that?

Because you use the same session to connect from client to server. You don't close your browser, don't wait 20 minutes (or something like that), so the webserver knows you are the same. The session between the client and server is not yet gone.

It's also possible that you need to set your cookie in the past. You're just setting a cookie with setcookie(session_name()). If you want it destroyed, set it some time ago, like setcookie(session_name(), '', time() - 3600).

> The session id changes when you close the browser, as the default is 0.

Not because default is 0, but because there isn't any session yet.

HTH

Erwin
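A logout routine that removes both the server-side data and the browser's cookie, for the situation described in this message. This is an added example, not code from the thread; the function name `destroySession` is hypothetical, and it uses the array form of setcookie() available from PHP 7.3.

```php
<?php
declare(strict_types=1);

/**
 * Ends the current session on both sides. Must run before any output,
 * because the expiring cookie is sent as a response header.
 */
function destroySession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();              // attach to the session being ended
    }

    $_SESSION = [];                   // drop the data held in this request

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // setcookie() takes the value second and the expiry third. The path
        // and domain must equal those of the original cookie, otherwise the
        // browser treats this as a different cookie and keeps the old one.
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }

    session_destroy();                // delete the stored session data
}

destroySession();
```

If the same browser logs in again, calling session_regenerate_id(true) at login gives it a new id even when an old cookie was somehow kept.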
Re: [PHP] Re: session cookies
Hi Jeff,

I manage the website for the credit report reseller. We don't normally use cookies but we use session only. You were expressing some concern about someone knowing the session id. What we normally use is we used the encrypted session id and use long alphanumeric number. This makes it hard for someone to crack the code. We also use certain features that check the session id and if it is a mismatch, we logged the user out. The only problem we had is that when the user closed the browser, the session was not destroyed but we have a work around to it. That is when the user logged in again, we can tell if it is the same user or not and issue a new session id. We also use the feature like logging the user out if the user is idle for 15 minutes.

If you want a copy of the sample code and analyze it then give me a holler! Then I'll post it here.

By the way, I enjoyed your other posting about the encryption problem with libmcrypt. I had the same problem as yours until I read it and found out that I need to install the mcrypt too. So, I filed the PHP bug making a request that the documentation be updated to include more information about mcrypt.

FletchSOD

Jeff Bluemel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> I put this block of code in, and all of the arrays they should send back are 100% blank. I will try the protoscope to see what I can turn up on this.
>
> Chris Shiflett [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
>
>> Jeff,
>>
>> One quick thought ...
>>
>> Is your cookie domain the same domain as the URL domain you are using to test this? If not, the browser will not send the cookie, so that is a potential reason for this behavior.
>>
>> If the domain is the same, I see no reason why this shouldn't work, but I have two ideas you can try.
>>
>> 1. Rather than using the name of the cookie, try this on the receiving page:
>>
>>     <pre>
>>     <?php print_r($_COOKIE); ?>
>>     </pre>
>>
>> This should dump the entire array to the screen and would reveal any naming problems.
>>
>> 2. View the HTTP transactions themselves to make sure the proper Set-Cookie and Cookie headers are being used. There are several utilities that can help do this, and I recently wrote one in PHP (it's a quick hack though) you can get at http://protoscope.org/. The messages of interest are the original HTTP response from your Web server (which should contain the Set-Cookie header) and any future HTTP request (which should contain the Cookie header). This is the most reliable way to really analyze these types of problems.
>>
>> Hopefully these ideas will help uncover something.
>>
>> Chris
>>
>> Jeff Bluemel wrote:
>>> ok - no cookie exists... I have Netscape set to accept all cookies.
Re: [PHP] Re: session cookies
Chris and I have been working on this through private emails, and we (I mean he) finally figured out what the problem was... session.cookie_path was set to /tmp instead of /.

I wanted to thank him for taking the time to help me work through this...

Jeff

Chris Shiflett [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> Jeff,
>
> One quick thought ...
>
> Is your cookie domain the same domain as the URL domain you are using to test this? If not, the browser will not send the cookie, so that is a potential reason for this behavior.
>
> If the domain is the same, I see no reason why this shouldn't work, but I have two ideas you can try.
>
> 1. Rather than using the name of the cookie, try this on the receiving page:
>
>     <pre>
>     <?php print_r($_COOKIE); ?>
>     </pre>
>
> This should dump the entire array to the screen and would reveal any naming problems.
>
> 2. View the HTTP transactions themselves to make sure the proper Set-Cookie and Cookie headers are being used. There are several utilities that can help do this, and I recently wrote one in PHP (it's a quick hack though) you can get at http://protoscope.org/. The messages of interest are the original HTTP response from your Web server (which should contain the Set-Cookie header) and any future HTTP request (which should contain the Cookie header). This is the most reliable way to really analyze these types of problems.
>
> Hopefully these ideas will help uncover something.
>
> Chris
>
> Jeff Bluemel wrote:
>> ok - no cookie exists... I have Netscape set to accept all cookies.
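Why a session cookie scoped to /tmp never comes back, and the domain mismatch raised earlier in the thread, can both be checked with the matching rules browsers apply (RFC 6265, sections 5.1.3 and 5.1.4). This is an added example, not code from the thread; the function names are hypothetical and the host and domain values are constructed.

```php
<?php
declare(strict_types=1);

/** RFC 6265 path-match: is a cookie scoped to $cookiePath sent with $requestPath? */
function cookiePathMatches(string $cookiePath, string $requestPath): bool
{
    if ($cookiePath === $requestPath) {
        return true;
    }
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false;                      // not even a prefix
    }
    // A prefix only counts on a "/" boundary: /tmp covers /tmp/x, not /tmpfoo.
    return substr($cookiePath, -1) === '/'
        || $requestPath[strlen($cookiePath)] === '/';
}

/** RFC 6265 domain-match for host names (IP address hosts are not handled). */
function cookieDomainMatches(string $cookieDomain, string $host): bool
{
    $domain = strtolower(ltrim($cookieDomain, '.'));
    $host = strtolower($host);
    if ($domain === '' || $domain === $host) {
        return true;                       // host-only cookie, or exact match
    }
    return substr($host, -strlen($domain) - 1) === '.' . $domain;
}

/** Returns the reason the browser withholds the cookie, or null if it is sent. */
function diagnoseCookieScope(string $cookiePath, string $cookieDomain,
                             string $host, string $requestPath): ?string
{
    if (!cookieDomainMatches($cookieDomain, $host)) {
        return "domain '$cookieDomain' does not cover host '$host'";
    }
    if (!cookiePathMatches($cookiePath, $requestPath)) {
        return "path '$cookiePath' does not cover request '$requestPath'";
    }
    return null;
}

// Constructed cases: the /tmp setting reported in the thread, then the fix.
$cases = [
    ['/tmp', 'example.org', 'www.example.org', '/index.php'],
    ['/',    'example.org', 'www.example.org', '/index.php'],
    ['/',    'example.org', 'www.example.net', '/index.php'],
];
foreach ($cases as [$path, $domain, $host, $request]) {
    $problem = diagnoseCookieScope($path, $domain, $host, $request);
    echo "cookie_path=$path host=$host: ", $problem ?? 'cookie is sent', "\n";
}
```

In a live script the first two arguments can come from ini_get('session.cookie_path') and ini_get('session.cookie_domain').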
Re: [PHP] Re: session cookies
I put this block of code in, and all of the arrays they should send back are 100% blank. I will try the protoscope to see what I can turn up on this.

Chris Shiflett [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> Jeff,
>
> One quick thought ...
>
> Is your cookie domain the same domain as the URL domain you are using to test this? If not, the browser will not send the cookie, so that is a potential reason for this behavior.
>
> If the domain is the same, I see no reason why this shouldn't work, but I have two ideas you can try.
>
> 1. Rather than using the name of the cookie, try this on the receiving page:
>
>     <pre>
>     <?php print_r($_COOKIE); ?>
>     </pre>
>
> This should dump the entire array to the screen and would reveal any naming problems.
>
> 2. View the HTTP transactions themselves to make sure the proper Set-Cookie and Cookie headers are being used. There are several utilities that can help do this, and I recently wrote one in PHP (it's a quick hack though) you can get at http://protoscope.org/. The messages of interest are the original HTTP response from your Web server (which should contain the Set-Cookie header) and any future HTTP request (which should contain the Cookie header). This is the most reliable way to really analyze these types of problems.
>
> Hopefully these ideas will help uncover something.
>
> Chris
>
> Jeff Bluemel wrote:
>> ok - no cookie exists... I have Netscape set to accept all cookies.
Re: [PHP] Re: session cookies
ok - no cookie exists... I have Netscape set to accept all cookies. I'm wondering if it is in my link, or if it is a configuration error somewhere.

here is a copy of the session options from my php.ini (as copied from Zend Server Center)

    Session data handler                    files
    Session save path                       /tmp
    Use cookies to store session ID         On
    Session name                            DomIntCom
    Session auto start                      Off
    Cookie lifetime                         0
    Cookie path                             /tmp
    Cookie domain                           xxx.xxx.xxx
    Session handler for serializing data    php
    Garbage collection probability          1
    Maximum lifetime of data                1440
    HTTP referrer check                     Empty
    Session entropy length                  0
    Session entropy file                    /dev/urandom
    Session cache control method            nocache
    Session cache expiration                180
    Session use transient sid transport     On

Chris Shiflett [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> Jeff,
>
> My apologies then. Somehow your response never arrived. It is still best to always reply all for things like this. You get the benefit of hearing several people's perspectives, and you also potentially help others who have the same question now or who may have it in the future (and check the list archives).
>
> Anyway, back to your problem ...
>
> Jeff Bluemel wrote:
>> what I mean by this is it was my understanding when reading the sessions docs that there was a way for the system to use a stored system ID stored in an SID, but the information wouldn't be sent to the browser, but be stored in a cookie.
>
> Cookies are stored on the client, so they are also sent to the browser. Basically, the unique identifier (e.g., PHPSESSID) must be provided by the Web client in order for it to be associated with previous requests. The two most common methods of this are for it to send this information in a cookie (there is a Cookie header in the HTTP request) or as part of the query string in a URL (such as http://www.example.org/index.php?PHPSESSID=123456789) that it is requesting.
>
>>> With use_trans_sid set, PHP is going to append the session ID to the URL of links, etc., on:
>> I tried setting the user_trans_sid = 0, but it still will not use a cookie. it doesn't appear to change anything when I play with these settings.
>
> Right. I was explaining (poorly looking back) what the use_trans_sid does. Basically, the idea is that the developer doesn't have to worry about how the unique identifier is passed back. This is the easiest way to use session management, because it is transparent for the most part. PHP will try both cookie and URL methods to maintain the unique identifier, and it will use only a cookie once it can determine that the client supports them.
>
> You are having a problem, it sounds like, with the Web client *not* sending back the cookie in subsequent requests. Thus, use_trans_sid will append the unique identifier to the URL every time, as it believes the client to not be supporting cookies (which might just be your problem).
>
> When you combine this with use_only_cookies (sp?), you are basically telling PHP to ignore the unique identifier if it is sent on the URL. Thus, it is not receiving the cookie, and it is being instructed to not use the URL variable. It has no way to identify the client and maintain state.
>
> Your problem boils down to one thing: the cookie is not getting passed back. Focus on this initially. Make sure your Web browser is accepting the cookie (you can configure most browsers to warn you before accepting a cookie, so that you can be certain it is being set), and try to make sure your PHP script is receiving the cookie like it thinks it should be. For example, if the cookie is named PHPSESSID, try this:
>
>     <?php echo "cookie is [" . ($_COOKIE['PHPSESSID'] ?? '') . "]<br>"; ?>
>
> If this cookie is blank (e.g., cookie is []), you have identified your problem. Hopefully this will help you solve it.
>
> Happy hacking.
>
> Chris
Re: [PHP] Re: session cookies
Jeff,

One quick thought ...

Is your cookie domain the same domain as the URL domain you are using to test this? If not, the browser will not send the cookie, so that is a potential reason for this behavior.

If the domain is the same, I see no reason why this shouldn't work, but I have two ideas you can try.

1. Rather than using the name of the cookie, try this on the receiving page:

    <pre>
    <?php print_r($_COOKIE); ?>
    </pre>

This should dump the entire array to the screen and would reveal any naming problems.

2. View the HTTP transactions themselves to make sure the proper Set-Cookie and Cookie headers are being used. There are several utilities that can help do this, and I recently wrote one in PHP (it's a quick hack though) you can get at http://protoscope.org/. The messages of interest are the original HTTP response from your Web server (which should contain the Set-Cookie header) and any future HTTP request (which should contain the Cookie header). This is the most reliable way to really analyze these types of problems.

Hopefully these ideas will help uncover something.

Chris

Jeff Bluemel wrote:

> ok - no cookie exists... I have Netscape set to accept all cookies.
Re: [PHP] Re: session cookies
I responded to this in a private email to you, and not on the forum... I did respond. I will post here again so there is no question;

I want to force it to use a cookie that points to a transparent SID on my system.

what I mean by this is it was my understanding when reading the sessions docs that there was a way for the system to use a stored system ID stored in an SID, but the information wouldn't be sent to the browser, but be stored in a cookie.

> With use_trans_sid set, PHP is going to append the session ID to the URL of links, etc., on:

I tried setting the user_trans_sid = 0, but it still will not use a cookie. it doesn't appear to change anything when I play with these settings.

Chris Shiflett [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> You've already posted this, and you never answered the questions that were asked. Thus, your question is every bit as unclear as the previous time. Perhaps if you put forth a little effort, we might also.
>
> Just a helpful suggestion,
>
> Chris
>
> Jeff Bluemel wrote:
>> still looking for some solutions on this - anybody else have any suggestions?
Re: [PHP] Re: session cookies
Jeff,

My apologies then. Somehow your response never arrived. It is still best to always reply all for things like this. You get the benefit of hearing several people's perspectives, and you also potentially help others who have the same question now or who may have it in the future (and check the list archives).

Anyway, back to your problem ...

Jeff Bluemel wrote:
> what I mean by this is it was my understanding when reading the sessions docs that there was a way for the system to use a stored system ID stored in an SID, but the information wouldn't be sent to the browser, but be stored in a cookie.

Cookies are stored on the client, so they are also sent to the browser. Basically, the unique identifier (e.g., PHPSESSID) must be provided by the Web client in order for it to be associated with previous requests. The two most common methods of this are for it to send this information in a cookie (there is a Cookie header in the HTTP request) or as part of the query string in a URL (such as http://www.example.org/index.php?PHPSESSID=123456789) that it is requesting.

>> With use_trans_sid set, PHP is going to append the session ID to the URL of links, etc., on:
>
> I tried setting the user_trans_sid = 0, but it still will not use a cookie. it doesn't appear to change anything when I play with these settings.

Right. I was explaining (poorly looking back) what the use_trans_sid does. Basically, the idea is that the developer doesn't have to worry about how the unique identifier is passed back. This is the easiest way to use session management, because it is transparent for the most part. PHP will try both cookie and URL methods to maintain the unique identifier, and it will use only a cookie once it can determine that the client supports them.

You are having a problem, it sounds like, with the Web client *not* sending back the cookie in subsequent requests. Thus, use_trans_sid will append the unique identifier to the URL every time, as it believes the client to not be supporting cookies (which might just be your problem). When you combine this with use_only_cookies (sp?), you are basically telling PHP to ignore the unique identifier if it is sent on the URL. Thus, it is not receiving the cookie, and it is being instructed to not use the URL variable. It has no way to identify the client and maintain state.

Your problem boils down to one thing: the cookie is not getting passed back. Focus on this initially. Make sure your Web browser is accepting the cookie (you can configure most browsers to warn you before accepting a cookie, so that you can be certain it is being set), and try to make sure your PHP script is receiving the cookie like it thinks it should be. For example, if the cookie is named PHPSESSID, try this:

    <?php echo "cookie is [" . $_COOKIE['PHPSESSID'] . "]<br>"; ?>

If this cookie is blank (e.g., cookie is []), you have identified your problem.

Hopefully this will help you solve it.

Happy hacking.

Chris
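A single diagnostic page that gathers the checks suggested in this thread: whether the session cookie came back, whether the ID arrived in the URL instead, the value of the SID constant, and whether the cookie domain matches the request host. It is an added example, not code from any poster on the list; it assumes PHP 7 or later, and cookie_domain_matches() is a hypothetical helper name.

```php
<?php
// Added diagnostic (not from the thread): shows how the session ID reached this request.
header('Content-Type: text/plain; charset=utf-8'); // plain text, so nothing is parsed as HTML

// Would a browser return a cookie scoped to $cookieDomain when requesting $host?
// An empty domain means a host-only cookie, which always matches its own host.
function cookie_domain_matches(string $cookieDomain, string $host): bool
{
    $host   = strtolower(preg_replace('/:\d+$/', '', $host)); // drop any port
    $domain = strtolower(ltrim($cookieDomain, '.'));
    if ($domain === '' || $domain === $host) {
        return true;
    }
    // A domain cookie also covers subdomains: example.org matches www.example.org.
    return substr($host, -strlen('.' . $domain)) === '.' . $domain;
}

session_start();

$name   = session_name();               // PHPSESSID unless reconfigured
$params = session_get_cookie_params();  // domain and path the cookie is scoped to
$host   = $_SERVER['HTTP_HOST'] ?? 'localhost'; // fallback is an assumption for CLI runs

// Count hits so a session that never persists is obvious (it stays at 1).
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

$report = [
    'session.use_cookies'      => ini_get('session.use_cookies'),
    'session.use_only_cookies' => ini_get('session.use_only_cookies'),
    'session.use_trans_sid'    => ini_get('session.use_trans_sid'),
    'cookie received'          => isset($_COOKIE[$name]) ? 'yes' : 'no',
    'ID present in URL'        => isset($_GET[$name]) ? 'yes' : 'no',
    'SID constant'             => SID === '' ? '(empty: cookie in use)' : SID,
    'cookie domain'            => $params['domain'] === '' ? '(host-only)' : $params['domain'],
    'request host'             => $host,
    'domain matches host'      => cookie_domain_matches($params['domain'], $host) ? 'yes' : 'no',
    'hits in this session'     => $_SESSION['hits'],
];

foreach ($report as $label => $value) {
    printf("%-26s %s\n", $label, $value);
}
```

Request the page twice in the same browser: "cookie received" can only read yes from the second request onward, and a hit counter that stays at 1 means no identifier is reaching PHP by either route.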
[PHP] Re: session cookies
still looking for some solutions on this - anybody else have any suggestions?

Jeff Bluemel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> OK guys... here's my question - I'm using 4.2.3 and apache 1.3.26, and I've got sessions setup. however, it seems to be using an SID attached to the URL, and I want to force it to use a cookie that points to a transparent SID on my system.
>
> I've got the following options in my php.ini, but the system doesn't seem to ever use a cookie, and the sessions don't die. (that's my biggest concern is that the user has to login to the system EVERY time he visits the site.)
>
>     session.use_cookies = 1
>     session.use_only_cookies = 1
>     session.use_trans_sid = 1
>
> --
> Thanks,
> Jeff Bluemel
Re: [PHP] Re: session cookies
You've already posted this, and you never answered the questions that were asked. Thus, your question is every bit as unclear as the previous time. Perhaps if you put forth a little effort, we might also.

Just a helpful suggestion,

Chris

Jeff Bluemel wrote:
> still looking for some solutions on this - anybody else have any suggestions?