At 08:02 22.11.2002, Jean-Christian Imbeault said:
--------------------[snip]--------------------
>Is it because I am putting the SID in the URL? I haven't tested with
>cookies yet as I want to get my site working without cookies first.

Definitely yes. The PHP session is (with the default setup) nothing more
than a hash that's used to construct a file name. So the session ID
"0ee410a57762be937d6d277b4ff642c8" will render the filename
"/tmp/sess_0ee410a57762be937d6d277b4ff642c8" which will subsequently be
used by PHP as the session storage.

>> Adding a logout feature will help people who are worried about security,
>> because it can kill the cookies on the browser.
>
>I agree! The problem I have now is that a user can bookmark a page with
>the SID in the URL and then come back later and the session is still
>active ... the session should close when the browser is closed.

You cannot really control if the user is logging out or not - I saw a
"solution" once where they had a JavaScript for "onUnload" where they
warned the user that the next time he should log out - I believe the
actual action was to use the onUnload handler to redirect the browser to
the logout screen. However this wouldn't work if the user has JavaScript
switched off.

What I usually do (I also have session cookies switched off) is to send
the user a session cookie when he logs in. This way I can use cookieless
sessions, but when it comes to sensitive areas I can be sure that
bookmarking or giving away the SID wouldn't automatically transfer the
login session...

>I have set session.auto_start = 1 so I would think that after closing
>the browser and going to the bookmarked page a new session would be
>started, killing the SID passed in from the URL no?

I always recommend NOT using session.auto_start. It effectively disables
making objects session-persistent as any class file needed for the
objects must be loaded BEFORE objects get reconstructed.

When the browser requests a URL with a SID you have no control if this
stems from a link or from a bookmark (maybe you could go and analyze
$_SERVER['HTTP_REFERER'], but not all browsers transmit it).

What you can do is to have a timestamp of the last access recorded in
your session so you can always check against your own timeout
requirements.

Personally I believe it's a good thing not to enable automatic session
cookies. Relying on a session cookie effectively disables having two
browser windows open with the same application but running in different
contexts, since both would transmit the same session cookie.

--
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
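A worked version of the approach the reply describes (a last-access timestamp checked against your own idle timeout, plus a session cookie sent only at login so that a bookmarked or handed-around URL SID does not by itself carry the login into sensitive areas), written as an added PHP example that is not part of the original message. It assumes PHP 7 or later, a site served over HTTPS, and a hypothetical `authenticate()` credential check; the cookie name and timeout are made up for the example.

```php
<?php
// Added example, not code from the original thread.
// Assumptions: PHP 7+, HTTPS (the cookie is flagged Secure), and a
// hypothetical authenticate($user, $password) that returns true on success.

const IDLE_TIMEOUT = 900;            // seconds of inactivity before the session is dropped
const LOGIN_COOKIE = 'login_token';  // assumed cookie name; sent only at login

session_start();   // SID may arrive in the URL (cookieless setup, as in the thread)

// Idle timeout: keep a last-access timestamp in the session and check it on
// every request. A bookmarked SID revisited after the timeout finds nothing.
$now = time();
if (isset($_SESSION['last_access']) && ($now - $_SESSION['last_access']) > IDLE_TIMEOUT) {
    $_SESSION = [];
    session_destroy();
    session_start();   // continue with a fresh, empty session
}
$_SESSION['last_access'] = $now;

function login_user(string $user, string $password): bool
{
    if (!authenticate($user, $password)) {   // hypothetical credential check
        return false;
    }
    session_regenerate_id(true);   // do not keep whatever SID the request came in with
    $token = bin2hex(random_bytes(32));
    $_SESSION['user']        = $user;
    $_SESSION['login_token'] = $token;
    // Browser-lifetime cookie (expires=0) that a URL cannot carry along:
    // path '/', current host, Secure, HttpOnly.
    setcookie(LOGIN_COOKIE, $token, 0, '/', '', true, true);
    return true;
}

// Gate for sensitive areas: the session reached via the SID *and* the matching
// login cookie must both be present, so the SID alone grants nothing.
function is_logged_in(): bool
{
    return isset($_SESSION['login_token'], $_COOKIE[LOGIN_COOKIE])
        && hash_equals($_SESSION['login_token'], $_COOKIE[LOGIN_COOKIE]);
}

function logout_user(): void
{
    $_SESSION = [];
    setcookie(LOGIN_COOKIE, '', time() - 3600, '/', '', true, true);   // expire the cookie
    session_destroy();
}
```

Pages outside the sensitive area can keep working on the URL SID alone; only the `is_logged_in()` check requires the cookie, which is what keeps cookieless browsing and a login that does not travel with the SID compatible.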