The idea of building a website is largely to accommodate as large a
portion of your visitors as possible. I'm not worried about people
bookmarking sessionIDs, but what if someone copy/pastes the URL to a
friend and they use the session? My friend gave me an excellent idea,
and that is to check their IP and store the IP in the session. If the IP
doesn't match, then start a new session. This would be perfect, because
there's a double check. If someone disconnects from the internet but never
closes their browser, I don't think they should be allowed to continue
their session anyway; they should be required to log in again.

-----Original Message-----
From: Nick Wilson [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 23, 2002 3:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Need opinion On sessions - Cookies mandatory?


* and then Jason G. blurted....
> If cookies do not work, then you must have a session_id appended to the
> URL.  HTTP is a "stateless" protocol.  So every time you make a request via
> HTTP, you must let PHP know what the session_id is either through cookies,
> or url query strings (or possibly posted with a form).

Yep, now I'm with you. The number of times you'd see that kind of ugly
URL would be fairly minimal in most situations, as most users these days
aren't even aware they *can* disable cookies.

> >> disable cookies, but appending the session ID could be a security risk.
> >> Consider this: Someone is viewing a page and says "oh cool, I want Joe
> >> to see this". He then copy/pastes the URL, sessionID and all, to Joe,
> >> who then loads up the page using his friend's SessionID. With cookies,
> >> this would not happen.
> >
> >Not a problem. The session is *destroyed* as soon as a user closes the
> >browser.
> 
> A session will only be *destroyed* if it uses a cookie. PHP never knows
> when you close the browser, but the browser will remove the cookie. Next
> time you fire up the browser, it will not send the cookie, and a different
> session will be started.

Sure. But there is some kind of cleanup on the host machine, right? You
couldn't expect to continue a session a week later because you've
bookmarked a URL containing a SID.
I think this is controlled by something like a timeout var in the
php.ini.

> In my personal experience, using cookies only has not proven to be a 
> problem.  Your call.

When you say using cookies only do you mean 'requiring' the user to have
cookies enabled?

-- 

Nick Wilson

Tel:    +45 3325 0688
Fax:    +45 3325 0677
Web:    www.explodingnet.com





-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

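The points argued in this thread (cookie-only session IDs so a shared URL cannot carry a session, a server-side timeout so a stale ID cannot be resumed later, and the idea of binding a session to the client's IP) put together in one PHP session bootstrap. This is an added example, not code from any poster; it assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and the IDLE_TIMEOUT value and the client_binding()/reset_session() helpers are illustrative choices.

```php
<?php
// Added example: cookie-only PHP sessions with a server-side idle timeout
// and a client-binding check. Assumes PHP >= 7.3.

const IDLE_TIMEOUT = 1800; // seconds of inactivity before the session is dropped

function start_secure_session(): void
{
    // Never accept or emit the session ID in the URL; cookies are mandatory,
    // so a copy/pasted link carries no session.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued (an ID supplied by a client is not adopted).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,     // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,  // sent over HTTPS only
        'httponly' => true,  // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Server-side expiry, independent of whatever the client still holds.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        reset_session();
    }
    $_SESSION['last_seen'] = $now;

    // Bind the session to the client as suggested in the thread. Trade-off:
    // users behind NAT or a rotating proxy pool change IP and get logged out.
    $binding = client_binding();
    if (!isset($_SESSION['binding'])) {
        $_SESSION['binding'] = $binding;
    } elseif (!hash_equals($_SESSION['binding'], $binding)) {
        reset_session();                 // a different client presented this ID
        $_SESSION['binding'] = $binding;
    }
}

// Fingerprint of the requesting client (IP plus User-Agent), hashed for storage.
function client_binding(): string
{
    return hash('sha256', ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

// Drop all session data and issue a fresh ID; call this right after login as well.
function reset_session(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}

start_secure_session();
```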