Session ID problem

I've this code in my form:
session_cache_limiter('private, must-revalidate');
$UserID = 0;
if (isset($_SESSION["UID"]) and $_SESSION["UID"] != "") {
    $UserID = $_SESSION["UID"];
}
if (!($UserID > 0)) {
    echo 'error passing UserID';
}
<form name="FormSubmit" method="GET" action="<?php echo  

In this form I've a select with a javascript function as depending on the  
first value, I've to load a second select
<select NAME="select1" ID="select1" onChange="FormSubmit.submit();">

Now, when I set the confidentiality to "high" or "block all cookies" in IE6,  
as soon as the form is "submitted" by the value change (onChange), the  
UserID is empty and I've the error message on the form.

What's wrong? The session ID should be saved on the server and passed by the  
?SID, isn't it?

Please help.


Re: Session ID problem

Try viewing the source of the page being generated.

This is wrong in so many ways:
1) you're using GET as the method on a URL which already contains get
2) you're using the deprecated long variable names (HTTP_SERVER_VARS)
3) you're passing unvalidated/unescaped input back to the browser
4) you should be putting the session in your output
5) using trans_sids is less secure than cookies - it opens up your
site to all sorts of attacks
6) if you're setting the config at runtime, presumably you've not
checked that it doesn't try to set a cookie - if it does, the SID
constant is blank.

I'd also suggest getting rid of session_cache_limiter() and rolling
your own cache headers. It makes implementing mixed caching policy
much easier if you only work to one model / API.

Go back and read the manual.
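
The reply's points applied to a form like the one in the question, as an added example that is not code from either poster: cookie-only sessions, hand-written cache headers, $_SERVER instead of the long array names, and escaped output. The option list and the integer UID set at login are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes the login code
// stored an integer user id in $_SESSION['UID'].

// Cookie-only sessions: never accept or emit the session id in URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

// Turn off PHP's automatic cache headers and send our own instead.
session_cache_limiter('');
session_start();
header('Cache-Control: private, must-revalidate');

// Escape every value that goes back into the HTML.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$userId = isset($_SESSION['UID']) ? (int) $_SESSION['UID'] : 0;
if ($userId <= 0) {
    // No session: either not logged in, or the browser refused the cookie.
    http_response_code(403);
    exit('No active session. Log in and allow cookies for this site.');
}

// Validate the submitted value against a known list before using it.
$choices = ['a' => 'Option A', 'b' => 'Option B']; // constructed sample data
$selected = $_GET['select1'] ?? '';
if (!array_key_exists($selected, $choices)) {
    $selected = '';
}
?>
<form name="FormSubmit" method="get" action="<?= h($_SERVER['SCRIPT_NAME']) ?>">
  <select name="select1" id="select1" onchange="this.form.submit();">
    <option value="">Choose</option>
<?php foreach ($choices as $value => $label): ?>
    <option value="<?= h($value) ?>"<?= $value === $selected ? ' selected' : '' ?>><?= h($label) ?></option>
<?php endforeach; ?>
  </select>
</form>
```

With cookies blocked the browser never returns the session cookie, so this page answers with the 403 message instead of falling back to a session ID in the URL.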

