PHP Session Variables


Hi all,

I'm not an overly experienced PHP programmer but I like to dabble and
I'm working on a 'semi-secure' member's area. Previously I have used
normal variables to determine the validity of a user.

i.e. Once the user has logged in, a random id is created and placed in
the database in their row and each secured page will have a URL like
this : .../secure.php?user=joebloggs&randid=324395
Each page looks up the username and checks it against the random id
(instead of their password for obvious reasons).

However, I want to remove this altogether so a page will just be like
'secure.php' so I've looked into session variables - another
interesting endeavour which was quite effective until the user logs in.

The URL then changes to
or something similar. Obviously, this doesn't happen when clicking a
link but the use of a login form causes this added variable to the URL.

Any thoughts on avoiding this? Or am I stuck with it if I want to use
the session variable approach?


Re: PHP Session Variables

Chenky wrote:

This is controlled by a setting in php.ini:

session.use_cookies = 1

If session cookies are enabled, you shouldn't get the session ID
appended to the query string.  It might still use the query string if
the user has cookies disabled, however.


Re: PHP Session Variables


you've forgotten about trans_sid :)

Ikciu  |  gg: 718845  |  yahoo: ikciu_irsa | www:

2be || !2be $this => mysql_query();  

Re: PHP Session Variables

Hey all,

Thanks for the fast response. The server which I'm using isn't my own -
I rent the space on the server - consequently, my provider does not
give me access to any core files and the like including php.ini.

So with the problem that not all people use cookies I guess I'm stuck
with the URL approach...

Ah well, thanks for the help everyone!


Re: PHP Session Variables

Chenky wrote:

As you know, the client and the server must be in sync. That's why you
used the randid before you tried the session approach.

Both the randid and the session id have to be passed from the server to
the client and back.

They can do this in one of three ways:
  a) by the URL
  b) by cookies
  c) by POST in form fields

Option a) works every time. Of course, the URL gets the data appended to it;
option b) only works if the client has cookies enabled;
and option c) is not available for all pages -- so I'll ignore it from
now on :)

The session management in PHP can be configured for it to always *and*
*only* use cookies, or always *and only* use URL parameters, or try to
use cookies but fallback to URL parameters if cookies fail.

If your server is configured with this last option, the first time the
server starts a session it has to send the session id both in the URL
and in a cookie. When another request is received, if it has a cookie
the URL parameter will be dropped otherwise that's what PHP will use.

To avoid session tracking by URL check your php.ini for
    session.use_trans_sid = 0
    session.use_cookies = 1
    session.use_only_cookies = 1


File not found: (R)esume, (R)etry, (R)erun, (R)eturn, (R)eboot
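The three directives Pedro lists can also be applied from the script itself, which covers Chenky's case of a shared host with no php.ini access. The following is an added example, not code posted by anyone in this thread; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and that the session directives are settable at runtime with ini_set(), which they are in current PHP.

```php
<?php
// Added example: force cookie-only session tracking from application code
// and refuse a session id that arrives in the query string.

function start_cookie_only_session(): void
{
    // The settings from the php.ini snippet above, set before session_start().
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Only accept ids the server itself generated; an id pasted into a URL
    // by someone else is discarded and a fresh one is issued.
    ini_set('session.use_strict_mode', '1');

    // Cookie flags: not readable from JavaScript, HTTPS-only when served over TLS.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);

    session_start();
}

// If the session name (PHPSESSID by default) still shows up in the query
// string, strip it and redirect to the clean URL so the id does not end up
// in server logs, Referer headers or bookmarks.
function redirect_if_session_id_in_url(): void
{
    $name = session_name();
    if (!isset($_GET[$name])) {
        return;
    }
    unset($_GET[$name]);
    $clean = strtok($_SERVER['REQUEST_URI'], '?');
    if ($_GET !== []) {
        $clean .= '?' . http_build_query($_GET);
    }
    header('Location: ' . $clean, true, 303);
    exit;
}

// Call after the login form has been verified: a new id replaces whatever
// id the browser was using before authentication.
function on_successful_login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

redirect_if_session_id_in_url();
start_cookie_only_session();
```

With use_only_cookies set, a client that has cookies disabled simply cannot hold a session, which is the trade-off Pedro describes; the redirect only tidies up URLs that older links may still carry.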

Re: PHP Session Variables

Another thing to keep in mind is that if there aren't cookies to use,
and you haven't changed your PHP options, the URL will almost always be
used. It is insecure, it is a trouble zone, in that it's in the URL. The
back button won't work, and it can be changed so you have to take care
of session management.

There are a few really good tutorials that would probably help you out
if you are up for the reading.


Pedro Graca wrote:
