You can pass the session ID in a form, too. Just use POST, and make it a
hidden element passed to the next page. 

<input type="hidden" name="PHPSESSID" value="<?=$PHPSESSID?>">

It's no different than passing it in the URL. I hope you're not thinking
that it's more secure by doing it this way. Either way the data is
coming from the user and it can't be trusted and it can be modified. 

I don't know what this phobia is about passing something in the URL...

---John Holmes...

> -----Original Message-----
> From: David T-G [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, October 06, 2002 9:33 PM
> To: PHP General list
> Cc: Justin French
> Subject: Re: [PHP] sessions without cookies *or* URLs
> 
> Justin, et al --
> 
> ...and then Justin French said...
> %
> % I think you're under a little misconception about how sessions are
> % used.
> 
> Perhaps.  I'm new to them :-)
> 
> 
> % Maintaining a session is simply just having a unique identifier for each
> % "user", so that the server can recognise the user from page to page,
> % maintaining state.
> 
> Right.  And since it can recognize the user, it can store all sorts of
> things for him, like the fact that he's been authenticated and what
> function he did last and so on.  Right?
> 
> 
> %
> % Typically this is done by passing a session id around in the URL or cookies
> % or POSTing forms.  A session ID is typically a long unique number -- that's
> % it.
> 
> Right.  But it's the "in the URL or cookies" that's a problem for me.
> 
> 
> %
> %
> % What you then do is associate or register data TO that Session ID... this data
> % is stored on the SERVER, and NOT passed around in the URL.
> 
> I understand enough that the data itself isn't in the URL, and that's
> good (because some of these page comments get long!).
> 
> 
> %
> %
> % So you pass around PHPSESSID=198235021612423 in the url or a cookie, and
> % assign data to that session... all of which is stored server side.
> 
> Are those the only ways that I can pass it around?  Is there anything
> else?  [Note that I've come to the conclusion that they are and there
> isn't except perhaps a POST form, but I'd love to be pleasantly
> surprised.]
> 
> 
> %
> % The session with the id 198235021612423 may have a username, password, shoe
> % size, favourite colour, etc etc all attached to it, done with either:
> 
> Good deal; that's what I like.
> 
> 
> %
> % $_SESSION['shoesize'] = "14"; // new register globals OFF method
> %
> % or
> %
> % $shoesize = "14";
> % session_register("shoesize"); // old method
> 
> Right.
> 
> 
> %
> %
> % Therefore, I can see no need for anything other than the session ID to be
> % passed around in the URL.
> %
> % Hope this clears it up!
> 
> It's a start; it confirms some of what I think I understand about
> sessions.  Now if only I can get the session ID out of the URL without
> using any cookies...  Any ideas, anyone?
> 
> 
> %
> %
> % Justin French
> 
> 
> TIA & HAND
> 
> :-D
> --
> David T-G                      * It's easier to fight for one's principles
> (play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
> (work) [EMAIL PROTECTED]
> http://www.justpickone.org/davidtg/    Shpx gur Pbzzhavpngvbaf Qrprapl Npg!




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
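
The point made in the reply above, that a session ID arriving in a hidden POST field is user input just like one in the URL, shown as server-side handling. This is an added example, not code from any poster in the thread; it assumes PHP 7.1 or later with the default file-based session handler, and the helper names `mark_authenticated()` and `session_field()` are illustrative.

```php
<?php
// Added example, not from the thread. The field name follows session_name();
// the helper names below are illustrative.

ini_set('session.use_cookies', '0');      // no cookie, as the thread asks
ini_set('session.use_trans_sid', '0');    // no automatic URL rewriting
ini_set('session.use_strict_mode', '1');  // IDs unknown to the server are replaced

$name = session_name();                   // "PHPSESSID" unless configured otherwise

// The hidden field is user input: check its shape before handing it to PHP.
$candidate = $_POST[$name] ?? '';
if (is_string($candidate) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $candidate)) {
    session_id($candidate);
}
session_start();  // a malformed or unknown ID ends up as a fresh, empty session

// Call once the credentials have been checked.
function mark_authenticated(string $user): void
{
    session_regenerate_id(true);          // issue a new ID, delete the pre-login one
    $_SESSION['user'] = $user;
}

// Hidden field carrying the current ID to the next page.
function session_field(): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        htmlspecialchars(session_name(), ENT_QUOTES),
        htmlspecialchars(session_id(), ENT_QUOTES)
    );
}
?>
<form method="post" action="">
  <?= session_field() ?>
  <button type="submit">Next page</button>
</form>
```

Every form on the site has to include the field, and any plain link drops the session, which is the practical cost of avoiding both cookies and URLs.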
