Hi Justin,

I hear what you're saying about refusing people who have cookies turned off,
and I really tried to make it work on my site, but keep running into lots
of problems. I do have enable-trans-sid turned on, but get inconsistent
results. For example, when someone logs out I return them to the log-in
page. Even though I've deleted all sessions vars and destroyed the session
before redirecting them, I noticed that the login page is full of PHPSESSID=
tags that are sometimes empty and sometimes filled with a session ID. This
happens whether or not I use session_start() at the beginning of my login
script. As a result, it totally screws up the log-in process. I was seeing
instances where it was appending two different PHPSESSIDs to the URL!

And then there are things like header redirects (which you had a good
solution for) and JavaScript popups. Those are ignored by enable-trans-sid,
so it means I have to go through all my scripts (there are many) and tweak
them to pass the SID to every URL.

The reason I decided against doing all this tweaking was because while
researching this online, I read many statements by developers saying that
passing Session IDs via the URL is more of a security risk than allowing
this to be done via cookies. As the site I'm working on will be a pay
membership site, it seems like a good idea to require cookies.

I realize I may be turning people away, which would also be the case for
those using ancient browsers. But, I don't have the level of programming
expertise or resources of companies like Amazon and MSN who probably have
very robust security systems in place even though they are passing sessions
via the URL.

I do appreciate your comments and insight on this; it makes me keep
thinking: should I? could I? I'd be interested in hearing how others have
dealt with requiring users to have cookies turned on for sessions, or not.

Monty

> From: [EMAIL PROTECTED] (Justin French)
> Newsgroups: php.general
> Date: Wed, 04 Jun 2003 19:23:11 +1100
> To: Monty <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: Re: [PHP] Gracefully dealing with Cookies OFF
> 
> Why on earth would you refuse users without cookies?  Take a look at all
> the major websites (amazon & msn for starters).
> 
> Do they require cookies?  No.
> Do they require JavaScript?  No.
> Do they require anything else special on the site?  No.
> 
> They take advantage of technology where available (DHTML and CSS for
> example), but the basic guts of the site can function without any of it, to
> the best of my knowledge.
> 
> Instead, you choose to defy what every major site is doing, and require
> cookies.
> 
> Cookies are not available to a wide number of users:
> 
> - those in corporations where the IT dept. has disabled them
> - those accessing the 'net from any public computer:
>   - libraries
>   - airports
>   - internet cafés
> - those who choose to have a more secure, private web experience
> - those who don't understand the technology
> 
> 
> Doesn't make sense to me at all, but as long as you properly inform the
> client of your choice to ignore a large portion of users, then I guess it's
> your (and their) choice.
> 
> 
> PHP actually has a nice degradation of sessions built in.  If you compile
> PHP with enable-trans-sid (compiled by default on PHP >= 4.3 I *think*), PHP
> will:
> 
> 1.  use cookies wherever possible, OR
> 
> 2.  rewrite* all relative URLs/links in your pages to include the session
> id, where cookies are not available
> 
> * in practice, it doesn't handle javascript or other client side scripting
> that well from memory.
> 
> 
> Even with enable-trans-sid not compiled, you can manually append the session
> id to all your URLs with the predefined constant SID.
> 
> 
> This is just my point of view, but I don't believe you have any excuse for
> not allowing non-cookie users to join in the fun, and CERTAINLY not without
> informing the client of your decision.
> 
> 
> To manually test for cookies, know that you're testing, then let the user
> know that you don't want their business/traffic is more work than just
> letting PHP handle it with enable-trans-sid.
> 
> 
> Justin French
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
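Editor's note, added to this thread: the two knobs Justin and Monty are talking about are separate
settings. session.use_trans_sid decides whether PHP writes PHPSESSID= into links, while
session.use_only_cookies decides whether PHP will accept a session ID arriving in the URL at all; a
site that requires cookies wants the first off and the second on, otherwise an ID planted in a link
is still honoured. Two other facts of PHP's session layer bear on Monty's logout problem: the SID
constant expands to an empty string whenever the session ID was delivered by cookie, and
session_destroy() removes only the server-side data, so the browser keeps sending the old PHPSESSID
cookie until the site expires it. The script below is an added example, not code from either
poster. It assumes PHP >= 7.3 (setcookie() options array, session.cookie_samesite), a page named
login.php that handles both login and logout, a /members/ area, and a constructed one-entry member
table inside checkCredentials(); none of those names come from the thread.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3. checkCredentials()
// and its member table are constructed for the demo; login.php and /members/
// are assumed page names.
declare(strict_types=1);

// Weak settings under discussion, kept only for contrast. With both on, PHP
// appends PHPSESSID= to links and accepts a session ID from the query string,
// so the ID lands in Referer headers, proxy logs, bookmarks and pasted URLs.
//   ini_set('session.use_trans_sid', '1');
//   ini_set('session.use_only_cookies', '0');

// Cookie-only sessions: the ID is never read from, or written into, a URL.
ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in requests
ini_set('session.use_trans_sid', '0');    // never rewrite links with the ID
ini_set('session.use_strict_mode', '1');  // refuse IDs this server never issued
ini_set('session.cookie_httponly', '1');  // cookie unreadable from JavaScript
ini_set('session.cookie_secure', '1');    // cookie travels only over HTTPS
ini_set('session.cookie_samesite', 'Lax');
session_start();

/**
 * Cookie-support probe. On the first request PHP has just emitted Set-Cookie,
 * so redirect to ourselves once; if the cookie is not echoed back on the
 * second request, the browser is not accepting cookies.
 */
function cookiesEnabled(): bool
{
    if (isset($_COOKIE[session_name()])) {
        return true;                  // browser returned the session cookie
    }
    if (isset($_GET['cookie_probe'])) {
        return false;                 // already redirected once, still no cookie
    }
    header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?cookie_probe=1', true, 303);
    exit;
}

/** Constructed member table for the demo; a real site reads the hash from its DB. */
function checkCredentials(string $user, string $pass): bool
{
    static $members = null;
    if ($members === null) {
        $members = ['monty' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return isset($members[$user]) && password_verify($pass, $members[$user]);
}

function login(string $user, string $pass): bool
{
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    // Replace the pre-login ID and delete the old session, so an ID the visitor
    // arrived with never becomes a logged-in ID.
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // session_destroy() only removes the server-side data; the browser keeps
    // the PHPSESSID cookie unless it is expired explicitly. Read the cookie
    // parameters before destroying the session.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
    header('Location: /login.php', true, 303); // no ID gets appended to this URL
    exit;
}

// Request handling for login.php.
if (!cookiesEnabled()) {
    http_response_code(403);
    echo 'This members-only site needs cookies enabled to keep you signed in.';
    exit;
}
if (isset($_GET['logout'])) {
    logout();
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''))) {
        header('Location: /members/', true, 303);
        exit;
    }
    http_response_code(401);
    echo 'Login failed.';
}
```

The probe costs one extra round trip on a visitor's first request and leaves behind one throwaway
session per probe, which is the price of answering Monty's question (require cookies, and say so)
without sniffing browsers. With use_trans_sid off and use_only_cookies on, a post-logout redirect
carries no PHPSESSID at all, so the login page cannot end up with a mix of empty and filled IDs in
its links; and regenerating the ID on login is what makes a cookie-only design resistant to a
session ID being handed to the victim in advance.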