I'm trying to track session data and merge several related services through a common server-side session (using Apache). One condition is that it won't use cookies to store the user data OR the session ID. Another is that the services we're merging use different languages, including PHP and Perl (Apache::Session module) so whatever I use needs to be supported by both of these.
My question - what is the best way to "know" the session id between pages? Posting it in the URL and using $_GET["PHPSESSID"] is one solution, but this seems like a hassle and is also open to attack if someone could "guess" a valid session ID. Or, would it better to avoid transferring session ids altogether and generate unique "names" on each page? What works well for generating the name? I'm thinking something like a hash of their IP plus a private key, but maybe someone knows problems with this or has a better/easier solution.
If you don't want to use cookies, then you need to pass a session ID through the URL. That's your only answer. Or use POST forms everywhere to "hide" the session id. I don't understand what you mean by "unique names on each page" but I don't think that's any way to maintain state.
-- ---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
PHP|Architect: A magazine for PHP Professionals – www.phparch.com
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
