on 05/06/03 8:05 AM, Monty ([EMAIL PROTECTED]) wrote:

> Hi Justin,
>
> I hear what you're saying about refusing people without cookies turned off,
> and I really tried to make it work on my site, but, keep running into lots
> of problems. I do have enable-trans-sid turned on, but, get inconsistent
> results. For example, when someone logs out I return them to the log-in
> page. Even though I've deleted all sessions vars and destroyed the session
> before redirecting them, I noticed that the login page is full of PHPSESSID=
> tags that are sometimes empty and sometimes filled with a session ID. This
> happens whether or not I use session_start() at the beginning of my login
> script. As a result, it totally screws up the log-in process. I was seeing
> instances where it was appending two different PHPSESSIDs to the URL!

I'd have to see your logout script and login script but here's what happens (pretty much):

1. you request the first page with a session_start()
2. PHP doesn't know if you have cookies or not, so it appends the sid to all URLs AND sets a cookie.
3. any internal link you click on this page will have the SID attached, so it will appear in the URL of the second page you view.
4. the second page you view, PHP can see that there is a SID in the URL... if it also finds a cookie, then it can stop rewriting the URLs... if it can't find the cookie, then it keeps on rewriting URLs.

Make sense?

So, if your logout script kills the session, but your next page starts a new session, I would expect to see SIDs in some URLs around the logout/login area, and I would expect the SID to change.

What you need to do is turn off cookies in your browser, and actually test how this works in your app, preferably using very simple code (not your large app) from the PHP site's samples. If it works, then why worry about how???? If it doesn't work, post the code here, and we'll attempt to fix it.

> And then there are things like header redirects (which you had a good
> solution for) and javascript popups. Those are ignored by enable-trans-sid,
> so, it means I have to go through all my scripts (there are many) and tweak
> them to pass the SID to every URL.

well, for a smart application, you'd have them all in a couple of include files or .js files, which you could easily search for things like window.open to point you to problems.

or perhaps your definition of "degrade gracefully" may not include the SID being available in pop-ups (is it needed???)

just to throw another spanner into it all, what happens if I have JS off? will I still be able to access the content of the pop-ups? I bet not :)

perhaps now is the time to re-think all this stuff, decide if you are going to support everyone (which I would for any paying client with a wide target market), or skip over those who don't meet your definition of a web visitor.

me personally, I would not have mission-critical parts of the site rely on cookies, javascript, or anything else client side, other than HTML with simple CSS.

> The reason I decided against doing all this tweaking was because while
> researching this online, I read many statements by developers saying that
> passing Session IDs via the URL is more of a security risk than allowing
> this to be done via cookies. As the site I'm working on will be a pay
> membership site, it seems like a good idea to require cookies.

both the cookie and URL based session passed over without SSL is insecure. I'd love to know who told you otherwise.

given that your site has paid membership, this reinforces the need for you to reach as many paying customers as possible.

> I realize I may be turning people away, which would also be the case for
> those using ancient browsers. But, I don't have the level of programming
> expertise or resources of companies like Amazon and MSN who probably have
> very robust security systems in place even though they are passing sessions
> via the URL.

most of it has been done for you via PHP sessions... you just need to write a small few-page site from scratch using simple, clean code (most of which will be on php.net already) to learn what needs to be done, test test test, then apply your new wealth of knowledge to your existing application.

or, turn them away -- I'm trying to tell you what should be done, I'm trying to tell you that sessions via the URL is not the issue... perhaps it's a simple coding mistake, or a lack of understanding of what happens, or perhaps you just don't want to know :)

> I do appreciate your comments and insight on this, it makes me keep
> thinking: should I? could I? I'd be interested in hearing how others have
> dealt with requiring users to have cookies turned on for sessions, or not.

no problem you know my stance :)

justin

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
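The "small few-page site from scratch" that the reply recommends, written out as an added example (it is not code from the thread or from php.net). It is a single hypothetical file, auth.php, that handles login, a logged-in page and logout, and it assumes PHP 7 or later with session.use_trans_sid=1 and session.use_only_cookies=0 in php.ini so that the URL-carried SID path the thread discusses is exercised at all. The demo account is constructed. The two points from the discussion it makes concrete are: a header() redirect is not rewritten by trans_sid, so the SID constant is appended by hand (and it is empty once PHP has seen its cookie come back, so nothing is appended then); and logout clears the session data, expires the cookie copy of the ID, destroys the session and redirects with a plain URL, so no stale PHPSESSID is carried onto the login page.

```php
<?php
// auth.php: minimal login/logout page for testing PHP sessions with cookies on or off.
// Added example (not from the thread or php.net). Assumes PHP 7+, that the file is
// named auth.php (hypothetical), and that php.ini has session.use_trans_sid=1 and
// session.use_only_cookies=0 so the SID can travel in the URL for cookieless clients.

declare(strict_types=1);

// Constructed demo account; a real site checks a password hash from its user store.
const DEMO_USERS = ['demo' => 'demo-password'];

session_start();

// header() redirects are not rewritten by trans_sid, so carry the SID explicitly.
// SID is '' once PHP has seen the session cookie come back, so nothing is appended then.
function redirect(string $path, bool $keepSid = true): void
{
    $url = $path;
    if ($keepSid && defined('SID') && SID !== '') {
        $url .= (strpos($path, '?') === false ? '?' : '&') . SID;
    }
    header('Location: ' . $url);
    exit;
}

function logout(): void
{
    $_SESSION = [];                          // drop the server-side state
    if (ini_get('session.use_cookies')) {    // expire the cookie copy of the ID as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    redirect('auth.php', false);             // nothing left to carry: plain URL, no stale SID
}

function tryLogin(string $user, string $pass): bool
{
    if (!isset(DEMO_USERS[$user]) || !hash_equals(DEMO_USERS[$user], $pass)) {
        return false;
    }
    session_regenerate_id(true);             // fresh ID on login; the pre-login one is discarded
    $_SESSION['user'] = $user;
    return true;
}

$action = $_GET['action'] ?? 'login';

if ($action === 'logout') {
    logout();
}

if ($action === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (tryLogin((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''))) {
        redirect('auth.php?action=home');
    }
    $error = 'login failed';
}

if ($action === 'home' && !isset($_SESSION['user'])) {
    redirect('auth.php');                    // not logged in: back to the form
}

header('Content-Type: text/html; charset=utf-8');
echo '<!DOCTYPE html><title>session test</title>';
if ($action === 'home') {
    // trans_sid rewrites this href for as long as it has not seen a cookie come back.
    echo '<p>logged in as ', htmlspecialchars($_SESSION['user']), '</p>',
         '<p><a href="auth.php?action=logout">logout</a></p>';
} else {
    // trans_sid adds a hidden PHPSESSID input to this form for cookieless clients.
    echo isset($error) ? '<p>' . htmlspecialchars($error) . '</p>' : '',
         '<form method="post" action="auth.php">',
         'user <input name="user"> pass <input name="pass" type="password"> ',
         '<button>login</button></form>';
}
```

To run the test the reply describes, drop the file on any PHP-enabled web server, disable cookies in the browser and walk through login, home and logout: the login form carries a hidden PHPSESSID field, the redirect after a successful login keeps the (now regenerated) SID in the URL, and after logout the login page comes back with a single fresh SID rather than an empty or duplicated one. With cookies enabled, the second request already carries the cookie, SID is empty and no rewriting or appending happens.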