> Well the cookie is set at the start of the PHP file that gets referenced
> each time. I'm not setting any manual cookies just using the default
> session cookie set by PHP. Below is all the code I use for the session.
> Formatting is kind of goofed up in e-mail but it's there. So even though
> the cookie is placed in the client's browser it's not used/session is not
> used or recognized until you refresh/reload or go to another page??

That's correct, although the cookie will remain resident it requires an
initial page change/refresh. However, after looking at your code I'm not
convinced that is the problem, since the first page of a session creation
should still be usable with the session as the session ID is still resident
in memory. Have you tried running the page w/o the use of session_name()?

Also, as an FYI, $REMOTE_USER is an insecure variable to use for checking
authentication, basically because a URL parameter will overwrite the
original $REMOTE_USER.

Example: say I log into www.foobar.com/members/index.php with the username
of apollo.

Typically the script would consider $REMOTE_USER = 'Apollo'

However, if I changed the link to

www.foobar.com/members/index.php?REMOTE_USER=admin

now I still have access via basic authentication, but now PHP considers
$REMOTE_USER = 'admin' ...or any other username for that matter.

To avoid this, at the beginning of the page make sure you force $REMOTE_USER
to equal the Apache authentication username.

Easiest method (for me anyways) is:

$REMOTE_USER = getenv('REMOTE_USER');

Sincerely,
Craig Vincent
--
PHP General Mailing List (http://www.php.net/)
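
The overwrite described in the reply above and a lookup that is immune to it, as an added example that is not part of the original message. The function names, the sample values and the import order (server variables first, then URL parameters) are assumptions made for illustration.

```php
<?php
// Added example, not code from the original thread. All input is constructed.

// Models a register_globals-style import: every source is copied into one
// flat scope and later sources overwrite earlier ones.
// ASSUMED order for this demo: server variables first, URL parameters second.
function import_flat_scope(array ...$sources): array
{
    $scope = [];
    foreach ($sources as $source) {
        foreach ($source as $name => $value) {
            $scope[$name] = $value;
        }
    }
    return $scope;
}

// Hardened lookup: the username is read only from the server-provided array.
// A request parameter that tries to shadow it is reported, never used.
function trusted_remote_user(array $server, array $request): array
{
    $user = $server['REMOTE_USER'] ?? null;
    if (!is_string($user) || $user === '') {
        $user = null; // not authenticated: never fall back to request data
    }
    return [
        'user'           => $user,
        'shadow_attempt' => array_key_exists('REMOTE_USER', $request),
    ];
}

// Constructed input: Basic auth succeeded as "apollo" and the URL carries
// ?REMOTE_USER=admin, as in the message above.
$server = ['REMOTE_USER' => 'apollo'];
$get    = ['REMOTE_USER' => 'admin'];

$flat = import_flat_scope($server, $get);
echo "flat scope sees:     {$flat['REMOTE_USER']}\n";

$result = trusted_remote_user($server, $get);
echo "trusted lookup sees: {$result['user']}\n";

if ($result['shadow_attempt']) {
    // Worth logging: a legitimate client has no reason to send this parameter.
    error_log('REMOTE_USER supplied as a request parameter; ignored');
}
```

On a live page the two arguments would be `$_SERVER` and `$_GET` (or `$_REQUEST`), which keeps the server-supplied name and the client-supplied one in separate arrays.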