  1. #1
    Join Date
    Sep 2002
    Location
    Illinois
    Posts
    2,304

    PHP Session Url Rewriting Problem

    Greetings

    I just noticed one strange thing in PHP session process.

    By default PHP (since php 4.1.2) will add session_id to all html <a href="..."></a> tags

    Here's what I don't get.

    When I put <a href="test.php">testing</a> into session enabled php script, php would add session_id

    When I put full link <a href="http://www.domain.com/test.php">testing</a> into session enabled php script, php would NOT add session_id

    This is the first time I have come across this problem; has anyone experienced the same?

    PHP 4.3.5

    Thanks
    How's my programming? Call 1-800-DEV-NULL

  2. #2
    Join Date
    Mar 2004
    Location
    USA
    Posts
    4,342
    Hi...

    I think that you might have misunderstood the process.

    In PHP if you use cookies+sessions, nothing is required from a programmer's view.

    If you decide to only use sessions without cookies, it will then be very tricky. Whenever you make a link, you will have to add this to the end of the link: <? echo SID; ?>. If for one link you do not do that, the whole process is shot.

    I never knew or heard that PHP adds them to links by default!

    Peace,
    Testing 1.. Testing 1..2.. Testing 1..2..3...

  3. #3
    Join Date
    Sep 2002
    Location
    Illinois
    Posts
    2,304
    I understand the process of PHP sessions. I turned off cookies myself and tested by putting in different URLs.

    Since version 4.1.2 PHP adds session id to the url by default.

    From php.net/session

    session.use_trans_sid boolean

    session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).

    Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.

    URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.
    The problem is that it wouldn't add session_id to the urls like http://www.domain.com
    How's my programming? Call 1-800-DEV-NULL
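
The risk quoted from php.net in post #3 (a URL with an active session ID being passed on to someone else) leaves a trace in the web server's access log. The following is an added example, not part of the thread: a Python check over constructed Combined Log Format lines. It assumes PHP's default session name `PHPSESSID` and takes the thread's `www.domain.com` as the site's own host; `sid_from`, `audit` and the log lines are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM = "PHPSESSID"  # assumption: PHP's default session.name is in use

# Combined Log Format: ip ident user [time] "METHOD url PROTO" status size "referer" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines (documentation addresses, made-up session IDs).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2004:10:00:01 +0000] "GET /test.php?PHPSESSID=aaa111 HTTP/1.1" 200 512 "http://www.domain.com/index.php?PHPSESSID=aaa111" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2004:10:05:42 +0000] "GET /test.php?PHPSESSID=aaa111 HTTP/1.1" 200 512 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2004:10:06:00 +0000] "GET /test.php?PHPSESSID=bbb222 HTTP/1.1" 200 512 "http://mail.example.org/inbox" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2004:10:06:30 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

def sid_from(url):
    """Return the session ID carried in a URL's query string, or None."""
    values = parse_qs(urlsplit(url).query).get(SESSION_PARAM)
    return values[0] if values else None

def audit(lines, own_host):
    """Return (shared, external) sets of session IDs found in request URLs.

    shared:   the same ID was sent from more than one client address.
    external: the ID arrived with a Referer on another host, i.e. the
              link carrying it was published or mailed outside the site.
    """
    clients = defaultdict(set)  # session ID -> client addresses that sent it
    external = set()
    for line in lines:
        m = LINE_RE.match(line)
        sid = sid_from(m["url"]) if m else None
        if sid is None:
            continue  # unparsable line or request without a URL session ID
        clients[sid].add(m["ip"])
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if ref_host and ref_host != own_host:
            external.add(sid)
    # A client that changes address (mobile, proxy pool) also shows up as
    # shared, so treat hits as leads to review, not as proof of hijacking.
    shared = {sid for sid, ips in clients.items() if len(ips) > 1}
    return shared, external

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "www.domain.com"))
```
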
