At 02:18 15.11.2002, Jochen Kächelin said:
--------------------[snip]--------------------
>How can I process $_SESSION variables if the user disables cookies
>and session.use_trans_sid = 0 ?
--------------------[snip]--------------------

Simply put - you can't. You need a way to transmit the session identifier, and AFAIK there's nothing except either cookies or SID.

Using SID for security-relevant issues presents a problem - users can send links with a SID to friends by mail or else, so this is not really a secure solution. However there are numerous application parts where no security is involved, and sessions are just used to construct a site - it's unnecessary IMHO to avoid SID use here.

On our server we have disabled session cookies in general, as a courtesy to our users. However when logged in we require a user to accept a cookie. The value of this cookie is randomly generated (something like "md5(rand())"), and changes with every "click". This value (we call it a "login token") is also stored in session data to verify the cookie against the session. If no user token, or a wrong token, is transmitted, we assume a "hijacked" session and automatically log out the user.

(there's more to it, but basically you get the idea)

--
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
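
The login-token check described in the reply above, sketched as an added example; it is not code from the original post or from its author's server. The function names, the `login_token` cookie name and the arrays standing in for `$_SESSION` and `$_COOKIE` are assumptions, and `random_bytes()` is swapped in for the post's `md5(rand())`.

```php
<?php
// Added example: per-request rotating login token (all names hypothetical).
// Runs from the CLI: $session and $cookies stand in for $_SESSION and
// $_COOKIE, and the returned 'set_cookie' value is what a real page would
// hand to setcookie().

const TOKEN_COOKIE = 'login_token';   // hypothetical cookie name

function new_token(): string
{
    // CSPRNG used instead of "md5(rand())", whose output is predictable.
    return bin2hex(random_bytes(16));
}

// Call once after a successful login; returns the first token to set.
function login(array &$session, string $user): string
{
    $session = ['user' => $user, 'login_token' => new_token()];
    return $session['login_token'];
}

// Call on every request ("click") of a logged-in session.
// Returns ['ok' => bool, 'set_cookie' => ?string].
function check_and_rotate(array &$session, array $cookies): array
{
    $expected = $session['login_token'] ?? null;
    $sent     = $cookies[TOKEN_COOKIE] ?? null;

    // No token or a wrong token: assume a hijacked session and log out.
    if (!is_string($expected) || !is_string($sent) || !hash_equals($expected, $sent)) {
        $session = [];
        return ['ok' => false, 'set_cookie' => null];
    }
    // Valid: issue a fresh token so the old value is useless after one click.
    $session['login_token'] = new_token();
    return ['ok' => true, 'set_cookie' => $session['login_token']];
}

// --- constructed walk-through ---
$session = [];
$t1 = login($session, 'alice');
$r1 = check_and_rotate($session, [TOKEN_COOKIE => $t1]);  // legitimate click
$r2 = check_and_rotate($session, [TOKEN_COOKIE => $t1]);  // old value sent again
var_dump($r1['ok'], $r2['ok'], $session);
```

A request that carries the SID but no cookie, such as a link forwarded by mail, fails the same check. Rotating on every click also means parallel requests from one browser (several tabs, or a double submit) race for the token, so a deployment has to decide how to handle them.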