Re: [PHP] session id

2008-02-25 Thread Daniel Brown
On Mon, Feb 25, 2008 at 5:51 PM, Łukasz Wojciechowski
<[EMAIL PROTECTED]> wrote:
> Hi, I'm using SWFUpload JavaScript for my upload in my logged part of
>  website. I'm passing session_id in every post request from flash
>  object. In my script I set forwarded id with
>  session_id($_POST['passed_id']) but I got logout on that request (it's
>  redirecting me to login page) and I'm also logged out in my browser
>  (not flash). Then I need to relog. Everything is working fine when I'm
>  not touching session_id() id setting. Any clues?

Try this instead:



As always, BE SURE TO SANITIZE YOUR CODE!

-- 


Daniel P. Brown
Senior Unix Geek



Re: [PHP] session id contains illegal characters

2006-10-27 Thread Richard Lynch
On Thu, October 26, 2006 6:19 pm, Patrick Aljord wrote:
> $_SESSION['user_id']=$user_id;
> $_SESSION['user_login']=$user_login;
> $_SESSION['user_pass']=$user_pass;
> $_SESSION['user_level']=$user_level;
> $_SESSION['session_bool']="true";
> $sessionid = session_id();

echo "The sessionid sent to me is: $sessionid\n";

> $_SESSION['session_id']= $sessionid;
> $user_real_id=$_SESSION['user_id'];
> $user_real_login=$_SESSION['user_login'];
>
> $realsessionid = $_SESSION['session_id'];
>
> any idea what's wrong?

Whatever you've been cramming into session_id(), you shouldn't have
done that.

A username should be ENCOURAGED to have at least one non-alphanumeric
character.

session_id()s are NOT ALLOWED to have any non-alphanumeric characters.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] session id contains illegal characters

2006-10-27 Thread Dave Goodchild

Also, why are you assigning the result of session_id() into a variable that
is then passed into $_SESSION? Seems overcomplex and redundant - why not
just call session_id() when you need it? Just a thought.


Re: [PHP] session id contains illegal characters

2006-10-27 Thread Patrick Aljord

On 10/27/06, Chris Shiflett <[EMAIL PROTECTED]> wrote:
> Patrick Aljord wrote:
> > I'm moving my page from php4 to php5 and I get this error:
> > Warning: Unknown: The session id contains illegal characters,
> > valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on
> > line 0
>
> Can you check to see what session identifier the browser is sending when
> you get this error message?

How can I check the session identifier the browser is sending?




Re: [PHP] session id contains illegal characters

2006-10-27 Thread Chris Shiflett
Patrick Aljord wrote:
> I'm moving my page from php4 to php5 and I get this error:
> Warning: Unknown: The session id contains illegal characters,
> valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on
> line 0

Can you check to see what session identifier the browser is sending when
you get this error message? PHP's session identifiers should only
contain hexadecimal characters (a subset of alphanumerics).

This check was added to protect against people trying to use the session
identifier as an attack vector, sending a malicious payload instead of a
real session identifier.

Hope that helps.

Chris

-- 
Chris Shiflett
http://shiflett.org/
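
The character check described in this message also applies to the SWFUpload case at the top of the page, where the id arrives in `$_POST['passed_id']`. The following is an added example, not code from either thread: it validates a forwarded id against the character set named in the warning before handing it to `session_id()`. The function names, the length bounds and the `user_id` session key are assumptions.

```php
<?php
// Added example, not code from the thread (PHP 7.1+). Function names, the
// length bounds and the 'user_id' key are assumptions made for illustration.

// Character set taken from the PHP warning quoted above:
// "valid characters are a-z, A-Z, 0-9 and '-,'".
const SESSION_ID_PATTERN = '/\A[A-Za-z0-9,-]{16,128}\z/';

/**
 * Return the candidate unchanged if it looks like a session id, or null
 * if it is missing, not a string, or contains any other character.
 */
function clean_session_id($candidate): ?string
{
    if (!is_string($candidate)) {
        return null; // e.g. passed_id[]=x arrives as an array
    }
    return preg_match(SESSION_ID_PATTERN, $candidate) === 1 ? $candidate : null;
}

/**
 * Resume the session whose id the Flash uploader forwarded in POST.
 * Must run before any output and before session_start().
 */
function resume_forwarded_session(array $post): bool
{
    $id = clean_session_id($post['passed_id'] ?? null);
    if ($id === null) {
        return false;
    }
    session_id($id);   // only takes effect when called before session_start()
    session_start();

    // A well-formed id is not proof of a login: accept the request only if
    // the session already holds the data the login code stored.
    if (empty($_SESSION['user_id'])) {
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// Constructed sample values, checked from the command line only.
if (PHP_SAPI === 'cli') {
    $samples = [
        'hex id'           => 'a3f1c09b7d2e4f68a3f1c09b7d2e4f68',
        'slashes and dots' => 'abc/../def0123456789',
        'contains space'   => 'a3f1c09b7d2e4f68 a3f1c09b7d2e4f68',
        'array value'      => ['x'],
        'empty string'     => '',
    ];
    foreach ($samples as $label => $value) {
        $verdict = clean_session_id($value) === null ? 'rejected' : 'accepted';
        printf("%-17s %s\n", $label, $verdict);
    }
}
```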




Re: [PHP] Session ID in query string

2005-01-04 Thread M. Sokolewicz
Richard Lynch wrote:
> Sandy Keathley wrote:
> > Using PHP 4.3.9, we have these settings:
> >
> > session.use_cookies = 1
> > session.use_only_cookies = 1
> > session.use_trans_sid = 0
> >
> > (verified by a display of phpinfo() )
> >
> > with the goal of preventing URLs with session IDs appended.  That
> > works fine, but when a page is validated by W3C, it throws an error,
> > and indicates that a link on the page (which contains a query string),
> > also contains the session ID.  If I click the link, it doesn't show the
> > session ID, but W3C can see it.
>
> W3C can't see anything you can't see with "View Source" in your browser.
>
> So is the session ID there or not?...
>
> W3C claims it is: You claim it isn't.
>
> One of you has to be wrong. :-)
>
> Your PHP code could easily be creating a URL with the session ID in it.
>
> Or W3C could be incorrectly interpreting your HTML.

if you're using a decent browser, try turning OFF cookies and reloading
the same page. Then make sure that the link REALLY doesn't contain the sid


Re: [PHP] Session ID in query string

2005-01-04 Thread Richard Lynch
Sandy Keathley wrote:
> Using PHP 4.3.9, we have these settings:
>
> session.use_cookies = 1
> session.use_only_cookies = 1
> session.use_trans_sid = 0
>
> (verified by a display of phpinfo() )
>
> with the goal of preventing URLs with session IDs appended.  That
> works fine, but when a page is validated by W3C, it throws an error,
> and indicates that a link on the page (which contains a query string),
> also contains the session ID.  If I click the link, it doesn't show the
> session ID, but W3C can see it.

W3C can't see anything you can't see with "View Source" in your browser.

So is the session ID there or not?...

W3C claims it is: You claim it isn't.

One of you has to be wrong. :-)

Your PHP code could easily be creating a URL with the session ID in it.

Or W3C could be incorrectly interpreting your HTML.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] session id changing all the time on some pc's

2004-07-03 Thread Torsten Roehr
"Torsten Roehr" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> "Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > On Fri, 2 Jul 2004 22:45:23 +
> > Curt Zirzow <[EMAIL PROTECTED]> wrote:
> >
> > > * Thus wrote Torsten Roehr:
> > > > "Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
> > > > news:[EMAIL PROTECTED]
> > > > >
> > > > > The only thing i want to know is all the truth about IE (6?) and
> > > > > cookies :)
> > > > >
> > > > > Heeelp :)
> > > >
> > > > Sorry to say that but just DO NOT use cookies. You will always have
> > > > problems with users having weird cookie settings in their browser.
> > > > Cookies are fine for intranets where you know the infrastructure you
> > > > are dealing with. Passing the session id via GET/POST may be ugly but
> > > > makes you independent of the browser's cookie settings.
> > >
> > > I would strongly discourage trans_id with sessions that contain
> > > sensitive data.
> >
> > Yes it does contain sensitive data.. And those people can't work with
> > that data because of IE...
> > Those people have to travel from place to place. They can't use mozilla
> > everywhere or change the IE settings or even to turn the zone alarm off...
> >
> > So what are your suggestions? Using trans sid is the only solution as i
> > see now.. No matter how unsafe it is.. Or it looks or works ugly..
> >
> > That is the problem :)
>
> Use SSL and if possible a Virtual Private Network (VPN). You can also call
> session_regenerate_id() after successful login:
> http://de.php.net/session_regenerate_id
>
> This adds a bit of additional security because the session id that might
> be public before the login will not be of any use to a potential attacker
> because it will change after login.
>
> Don't use session.use_trans_sid = 1 because it won't work with form
> actions and some other elements. I recommend manually adding the session
> id to all your links, form actions and header(location) calls.
>
> Hope this helps a bit.
>
> Regards, Torsten

One more thing. Store the user's browser id ($_SERVER['HTTP_USER_AGENT'])
and/or his IP into the session and on each request compare the stored values
to the current submitted values.

Regards, Torsten




Re: [PHP] session id changing all the time on some pc's

2004-07-03 Thread Torsten Roehr
"Matthew Sims" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> > No, this is exactly what I wanted to know. But it would contradict
> > everything I experienced with sessions until now - and it does. I just
> > tested your code (with session_start() also at the top of page2). It
> > does not work because there is absolutely no relation between page1 and
> > page2 with your code. In this case a new session is being started on
> > page two.
> >
> > You have got to pass the session id from one page to another (when not
> > using a cookie) otherwise it won't work and rightly so.
>
> Ah, you are so correct. My apologies. Without cookies turned on then the
> session id is different with each page. Bleh.
>
> Okay...so...ignore all that I said. :)
>
> So I guess $_GET is the only option...that sucks.
>
> Sorry dude.

Hi Matthew,

there's no reason to apologize. I would have loved to see a non-cookie
solution with transparent session id use.

Regards, Torsten




Re: [PHP] session id changing all the time on some pc's

2004-07-03 Thread Torsten Roehr
"Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> On Fri, 2 Jul 2004 22:45:23 +
> Curt Zirzow <[EMAIL PROTECTED]> wrote:
>
> > * Thus wrote Torsten Roehr:
> > > "Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]
> > > >
> > > > The only thing i want to know is all the truth about IE (6?) and
> > > > cookies :)
> > > >
> > > > Heeelp :)
> > >
> > > Sorry to say that but just DO NOT use cookies. You will always have
> > > problems with users having weird cookie settings in their browser.
> > > Cookies are fine for intranets where you know the infrastructure you
> > > are dealing with. Passing the session id via GET/POST may be ugly but
> > > makes you independent of the browser's cookie settings.
> >
> > I would strongly discourage trans_id with sessions that contain
> > sensitive data.
>
> Yes it does contain sensitive data.. And those people can't work with
> that data because of IE...
> Those people have to travel from place to place. They can't use mozilla
> everywhere or change the IE settings or even to turn the zone alarm off...
>
> So what are your suggestions? Using trans sid is the only solution as i
> see now.. No matter how unsafe it is.. Or it looks or works ugly..
>
> That is the problem :)

Use SSL and if possible a Virtual Private Network (VPN). You can also call
session_regenerate_id() after successful login:
http://de.php.net/session_regenerate_id

This adds a bit of additional security because the session id that might be
public before the login will not be of any use to a potential attacker
because it will change after login.

Don't use session.use_trans_sid = 1 because it won't work with form actions
and some other elements. I recommend manually adding the session id to all
your links, form actions and header(location) calls.

Hope this helps a bit.

Regards, Torsten
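
The two suggestions made in this thread, regenerating the id after login (this message) and comparing the stored user agent and/or IP on each request (the follow-up message further up the page), are combined here in one added example. It is not code from the thread; the function names and the `$_SESSION` keys are assumptions, and IP binding is off by default because the users described in the thread move from place to place.

```php
<?php
// Added example, not code from the thread (PHP 7.1+). Function names and
// the $_SESSION keys 'user_id', 'client' and 'bind_ip' are assumptions.

/** Values that should stay the same for one client during a session. */
function client_fingerprint(array $server, bool $bindIp): array
{
    return [
        'ua' => hash('sha256', (string) ($server['HTTP_USER_AGENT'] ?? '')),
        'ip' => $bindIp ? (string) ($server['REMOTE_ADDR'] ?? '') : '',
    ];
}

/** Call once the password check has succeeded, inside a started session. */
function on_login_success(int $userId, array $server, bool $bindIp = false): void
{
    // Issue a new id and delete what was stored under the old one, so an id
    // that was visible before login no longer refers to a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['bind_ip'] = $bindIp;
    $_SESSION['client']  = client_fingerprint($server, $bindIp);
}

/** True when the request comes from the client that logged in. */
function session_matches_client(array $session, array $server): bool
{
    $stored = $session['client'] ?? null;
    if (!is_array($stored) || !isset($session['bind_ip'])
        || !is_string($stored['ua'] ?? null) || !is_string($stored['ip'] ?? null)) {
        return false; // never logged in, or session written by other code
    }
    $now = client_fingerprint($server, (bool) $session['bind_ip']);
    return hash_equals($stored['ua'], $now['ua'])
        && hash_equals($stored['ip'], $now['ip']);
}

/** Per-request guard: end the session when the stored values differ. */
function require_same_client(): bool
{
    if (session_matches_client($_SESSION, $_SERVER)) {
        return true;
    }
    session_unset();
    session_destroy();
    return false;
}

// Constructed request data (documentation addresses, made-up agents),
// checked from the command line without starting a session.
if (PHP_SAPI === 'cli') {
    $login  = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '192.0.2.10'];
    $stored = ['bind_ip' => false, 'client' => client_fingerprint($login, false)];
    $requests = [
        'same client'             => $login,
        'same agent, new network' => ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0',
                                      'REMOTE_ADDR' => '198.51.100.7'],
        'different agent'         => ['HTTP_USER_AGENT' => 'OtherClient/2.0',
                                      'REMOTE_ADDR' => '192.0.2.10'],
        'no agent header'         => ['REMOTE_ADDR' => '192.0.2.10'],
    ];
    foreach ($requests as $label => $server) {
        $ok = session_matches_client($stored, $server);
        printf("%-24s %s\n", $label, $ok ? 'continue' : 'end session');
    }
}
```

The user agent header is supplied by the client, so this comparison only catches an id reused from a different browser; it complements SSL and id regeneration rather than replacing them.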




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Zilvinas Saltys
On Fri, 2 Jul 2004 22:45:23 +
Curt Zirzow <[EMAIL PROTECTED]> wrote:

> * Thus wrote Torsten Roehr:
> > "Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> > >
> > > The only thing i want to know is all the truth about IE (6?) and
> > > cookies :)
> > >
> > > Heeelp :)
> > 
> > Sorry to say that but just DO NOT use cookies. You will always have problems
> > with users having weird cookie settings in their browser. Cookies are fine
> > for intranets where you know the infrastructure you are dealing with.
> > Passing the session id via GET/POST may be ugly but makes you independent of
> > the browser's cookie settings.
> 
> I would strongly discourage trans_id with sessions that contain
> sensitive data.

Yes it does contain sensitive data.. And those people can't work with that data
because of IE...
Those people have to travel from place to place. They can't use mozilla everywhere
or change the IE settings or even to turn the zone alarm off...

So what are your suggestions? Using trans sid is the only solution as i see now..
No matter how unsafe it is.. Or it looks or works ugly..

That is the problem :)




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Curt Zirzow
* Thus wrote Torsten Roehr:
> "Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> >
> > The only thing i want to know is all the truth about IE (6?) and
> > cookies :)
> >
> > Heeelp :)
> 
> Sorry to say that but just DO NOT use cookies. You will always have problems
> with users having weird cookie settings in their browser. Cookies are fine
> for intranets where you know the infrastructure you are dealing with.
> Passing the session id via GET/POST may be ugly but makes you independent of
> the browser's cookie settings.

I would strongly discourage trans_id with sessions that contain
sensitive data.

Curt
-- 
First, let me assure you that this is not one of those shady pyramid schemes
you've been hearing about.  No, sir.  Our model is the trapezoid!




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Matthew Sims
> No, this is exactly what I wanted to know. But it would contradict
> everything I experienced with sessions until now - and it does. I just
> tested your code (with session_start() also at the top of page2). It does
> not work because there is absolutely no relation between page1 and page2
> with your code. In this case a new session is being started on page two.
>
> You have got to pass the session id from one page to another (when not
> using a cookie) otherwise it won't work and rightly so.

Ah, you are so correct. My apologies. Without cookies turned on then the
session id is different with each page. Bleh.

Okay...so...ignore all that I said. :)

So I guess $_GET is the only option...that sucks.

Sorry dude.

--Matthew Sims
--




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Torsten Roehr
"Matthew Sims" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> >> The $_SESSION['sid'] will follow from page to page. As long as the user
> >> stays in the current session, all $_SESSION variables will follow from
> >> page to page as long as session_start() is used.
> >
> > OK, but HOW do you manage that the user stays in the current session.
> > Usually this is made sure by passing the session id around. But
> > obviously you are not doing this, are you?
> >
> > Torsten
> >
>
> As long as the user keeps his browser pointing at your site, then they'll
> stay in the current session. The moment they shut down the web browser,
> the session is lost.

This does only work *with* using a cookie.

>
> When the user first comes to your site, assign the session_id to a
> $_SESSION variable. Then as the user jumps from page to page, check the
> $_SESSION variable with the session_id on that page.
>
> Try this, on the front page:
>
> session_start();
> $_SESSION['sid']=session_id();
>
> On another page:
>
> if ($_SESSION['sid']==session_id()) {
>   // continue browsing
> } else {
>   // redirect to front page
> }
>
> or however you want it to be. The above isn't tested. Not sure if
> session_id needs to be assigned to a variable.
>
> Is this what you're referring to or am I just misreading what you're
> asking?

No, this is exactly what I wanted to know. But it would contradict
everything I experienced with sessions until now - and it does. I just
tested your code (with session_start() also at the top of page2). It does
not work because there is absolutely no relation between page1 and page2
with your code. In this case a new session is being started on page two.

You have got to pass the session id from one page to another (when not using
a cookie) otherwise it won't work and rightly so.

Maybe your memory played a trick on you ;) Don't mind.

Regards, Torsten




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Gerard Samuel
On Friday 02 July 2004 04:38 pm, Matthew Sims wrote:
> As long as the user keeps his browser pointing at your site, then they'll
> stay in the current session. The moment they shut down the web browser,
> the session is lost.
>

The logic doesn't compute with me.  I guess I'll have to try this myself...




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Matthew Sims
>> The $_SESSION['sid'] will follow from page to page. As long as the user
>> stays in the current session, all $_SESSION variables will follow from
>> page to page as long as session_start() is used.
>
> OK, but HOW do you manage that the user stays in the current session.
> Usually this is made sure by passing the session id around. But
> obviously you are not doing this, are you?
>
> Torsten
>

As long as the user keeps his browser pointing at your site, then they'll
stay in the current session. The moment they shut down the web browser,
the session is lost.

When the user first comes to your site, assign the session_id to a
$_SESSION variable. Then as the user jumps from page to page, check the
$_SESSION variable with the session_id on that page.

Try this, on the front page:

session_start();
$_SESSION['sid']=session_id();

On another page:

if ($_SESSION['sid']==session_id()) {
  // continue browsing
} else {
  // redirect to front page
}

or however you want it to be. The above isn't tested. Not sure if
session_id needs to be assigned to a variable.

Is this what you're referring to or am I just misreading what you're asking?

--Matthew Sims
--




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Torsten Roehr
"Matthew Sims" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> > "Matthew Sims" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> >>
> >> >> Instead of passing the session_id through the URL ($_GET) just
> >> >> assign it to $_SESSION and pass that around. Then it'll stay
> >> >> transparent to the user.
> >> >
> >> > Could you describe the last paragraph a bit more in detail? Thanks in
> >> > advance!
> >> >
> >> > Torsten
> >>
> >> What if you used this?
> >>
> >> session_start();
> >> $_SESSION['sid']=session_id($HTTP_GET_VARS['sid']);
> >>
> >> Now as long as each of your pages has session_start() at the top, you
> >> can use $_SESSION['sid'] wherever.
> >>
> >> To the mailing list: Am I doing this correctly?
> >
> > But somehow you have to pass the session id from page to page!?!
> >
> > By the way, the session id is always available as the constant SID.
> >
> > Torsten
>
> The $_SESSION['sid'] will follow from page to page. As long as the user
> stays in the current session, all $_SESSION variables will follow from
> page to page as long as session_start() is used.

OK, but HOW do you manage that the user stays in the current session.
Usually this is made sure by passing the session id around. But obviously
you are not doing this, are you?

Torsten




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Matthew Sims
> "Matthew Sims" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>>
>> >> Instead of passing the session_id through the URL ($_GET) just assign
>> >> it to $_SESSION and pass that around. Then it'll stay transparent to
>> >> the user.
>> >
>> > Could you describe the last paragraph a bit more in detail? Thanks in
>> > advance!
>> >
>> > Torsten
>>
>> What if you used this?
>>
>> session_start();
>> $_SESSION['sid']=session_id($HTTP_GET_VARS['sid']);
>>
>> Now as long as each of your pages has session_start() at the top, you
>> can use $_SESSION['sid'] wherever.
>>
>> To the mailing list: Am I doing this correctly?
>
> But somehow you have to pass the session id from page to page!?!
>
> By the way, the session id is always available as the constant SID.
>
> Torsten

The $_SESSION['sid'] will follow from page to page. As long as the user
stays in the current session, all $_SESSION variables will follow from
page to page as long as session_start() is used.

--Matthew Sims
--





Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Torsten Roehr
"Matthew Sims" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> >> Instead of passing the session_id through the URL ($_GET) just assign
> >> it to $_SESSION and pass that around. Then it'll stay transparent to
> >> the user.
> >
> > Could you describe the last paragraph a bit more in detail? Thanks in
> > advance!
> >
> > Torsten
>
> What if you used this?
>
> session_start();
> $_SESSION['sid']=session_id($HTTP_GET_VARS['sid']);
>
> Now as long as each of your pages has session_start() at the top, you can
> use $_SESSION['sid'] wherever.
>
> To the mailing list: Am I doing this correctly?

But somehow you have to pass the session id from page to page!?!

By the way, the session id is always available as the constant SID.

Torsten




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Gerard Samuel
On Friday 02 July 2004 02:13 pm, Torsten Roehr wrote:
> Passing the session id via GET/POST may be ugly but makes you independent
> of the browser's cookie settings.

I would have to agree...




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Matthew Sims

>> Instead of passing the session_id through the URL ($_GET) just assign it
>> to $_SESSION and pass that around. Then it'll stay transparent to the
>> user.
>
> Could you describe the last paragraph a bit more in detail? Thanks in
> advance!
>
> Torsten

What if you used this?

session_start();
$_SESSION['sid']=session_id($HTTP_GET_VARS['sid']);

Now as long as each of your pages has session_start() at the top, you can
use $_SESSION['sid'] wherever.

To the mailing list: Am I doing this correctly?

--Matthew Sims
--





Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Torsten Roehr
"Matthew Sims" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
>
>
> > "Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> >> On Fri, 2 Jul 2004 12:21:34 -0400
> >> Gerard Samuel <[EMAIL PROTECTED]> wrote:
> >>
> >> > On Friday 02 July 2004 12:12 pm, Zilvinas Saltys wrote:
> >> > > I looked at server configurations but i couldn't find anything
> >> > > useful. I tried to change IE settings to accept all cookies but
> >> > > nothing changed.
> >> > >
> >> > > Maybe someone knows where's the problem..
> >> >
> >> > I don't know of all the specifics of your situation, but I know when
> >> > it happened to my code, it boiled down to a cookie problem.  (I never
> >> > experienced it first hand unless I turned off cookies in my own
> >> > browser. I saw it was happening for other users on my code).
> >> > So what I eventually did, was modified my code to work with browsers
> >> > that do not store cookies (for what ever reason that may be).
> >> > By that I mean to pass the session id in the url and in forms...
> >>
> >> I know i can pass the session id by url.. But this solution is ugly and
> >> hopefully not the only one there is..
> >> The problem is as i understand IE is not accepting the cookie. So the
> >> session id always regenerates. Everything works fine with mozilla.
> >>
> >> The strangest part of the show is some pc's that have IE installed
> >> accepts those cookies. I turned 'accept ALL cookies'. Same result..
> >>
> >> Maybe ... this could be a domain problem..
> >>
> >> The only thing i want to know is all the truth about IE (6?) and
> >> cookies :)
> >>
> >> Heeelp :)
> >
> > Sorry to say that but just DO NOT use cookies. You will always have
> > problems with users having weird cookie settings in their browser.
> > Cookies are fine for intranets where you know the infrastructure you
> > are dealing with. Passing the session id via GET/POST may be ugly but
> > makes you independent of the browser's cookie settings.
> >
> > Regards, Torsten Roehr
>
> I can agree with this. I created an internal website for my company that
> requires login. And even then some users are restricted to certain areas of
> the website depending on their user level. Passing the $_SESSION variables
> around was just plain easier than setting up cookies. I also felt I had a
> greater control over the whole process from login to logout.
>
> Instead of passing the session_id through the URL ($_GET) just assign it
> to $_SESSION and pass that around. Then it'll stay transparent to the
> user.

Could you describe the last paragraph a bit more in detail? Thanks in
advance!

Torsten




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Matthew Sims



> "Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> On Fri, 2 Jul 2004 12:21:34 -0400
>> Gerard Samuel <[EMAIL PROTECTED]> wrote:
>>
>> > On Friday 02 July 2004 12:12 pm, Zilvinas Saltys wrote:
>> > > I looked at server configurations but i couldn't find anything
>> > > useful. I tried to change IE settings to accept all cookies but
>> > > nothing changed.
>> > >
>> > > Maybe someone knows where's the problem..
>> >
>> > I don't know of all the specifics of your situation, but I know when it
>> > happened to my code, it boiled down to a cookie problem.  (I never
>> > experienced it first hand unless I turned off cookies in my own
>> > browser. I saw it was happening for other users on my code).
>> > So what I eventually did, was modified my code to work with browsers
>> > that do not store cookies (for what ever reason that may be).
>> > By that I mean to pass the session id in the url and in forms...
>>
>> I know i can pass the session id by url.. But this solution is ugly and
>> hopefully not the only one there is..
>> The problem is as i understand IE is not accepting the cookie. So the
>> session id always regenerates. Everything works fine with mozilla.
>>
>> The strangest part of the show is some pc's that have IE installed
>> accepts those cookies. I turned 'accept ALL cookies'. Same result..
>>
>> Maybe ... this could be a domain problem..
>>
>> The only thing i want to know is all the truth about IE (6?) and
>> cookies :)
>>
>> Heeelp :)
>
> Sorry to say that but just DO NOT use cookies. You will always have
> problems with users having weird cookie settings in their browser.
> Cookies are fine for intranets where you know the infrastructure you
> are dealing with. Passing the session id via GET/POST may be ugly but
> makes you independent of the browser's cookie settings.
>
> Regards, Torsten Roehr

I can agree with this. I created an internal website for my company that
requires login. And even then some users are restricted to certain areas of
the website depending on their user level. Passing the $_SESSION variables
around was just plain easier than setting up cookies. I also felt I had a
greater control over the whole process from login to logout.

Instead of passing the session_id through the URL ($_GET) just assign it
to $_SESSION and pass that around. Then it'll stay transparent to the
user.

--Matthew Sims
--




RE: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Michael Sims
Zilvinas Saltys wrote:
> The problem is as i understand IE is not accepting the cookie. So the
> session id always regenerates. Everything works fine with mozilla.
[...]
> The only thing i want to know is all the truth about IE (6?) and
> cookies :)

Could it be a problem with IE6 and P3P (http://www.w3.org/P3P/)?

This is just hearsay, but a friend of mine told me about a problem he was having
with IE6 and cookies in his application.  He had to send a P3P header before some
versions of IE would accept the cookie.  I've read that P3P only applies to
persistent cookies, but his was temporary and was still not working until he added
this:

header('P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"');

I have no first hand experience with this myself, and I haven't done the proper
research to become familiar with it.  Make of this what you will. :)  More
information here:

http://www.computercops.biz/modules.php?name=News&file=print&sid=837

HTH




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Torsten Roehr
"Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> On Fri, 2 Jul 2004 12:21:34 -0400
> Gerard Samuel <[EMAIL PROTECTED]> wrote:
>
> > On Friday 02 July 2004 12:12 pm, Zilvinas Saltys wrote:
> > > I looked at server configurations but i couldn't find anything
> > > useful. I tried to change IE settings to accept all cookies but
> > > nothing changed.
> > >
> > > Maybe someone knows where's the problem..
> >
> > I don't know of all the specifics of your situation, but I know when it
> > happened to my code, it boiled down to a cookie problem.  (I never
> > experienced it first hand unless I turned off cookies in my own
> > browser. I saw it was happening for other users on my code).
> > So what I eventually did, was modified my code to work with browsers
> > that do not store cookies (for what ever reason that may be).
> > By that I mean to pass the session id in the url and in forms...
>
> I know i can pass the session id by url.. But this solution is ugly and
> hopefully not the only one there is..
> The problem is as i understand IE is not accepting the cookie. So the
> session id always regenerates. Everything works fine with mozilla.
>
> The strangest part of the show is some pc's that have IE installed
> accepts those cookies. I turned 'accept ALL cookies'. Same result..
>
> Maybe ... this could be a domain problem..
>
> The only thing i want to know is all the truth about IE (6?) and
> cookies :)
>
> Heeelp :)

Sorry to say that but just DO NOT use cookies. You will always have problems
with users having weird cookie settings in their browser. Cookies are fine
for intranets where you know the infrastructure you are dealing with.
Passing the session id via GET/POST may be ugly but makes you independent of
the browser's cookie settings.

Regards, Torsten Roehr




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Zilvinas Saltys
On Fri, 2 Jul 2004 12:21:34 -0400
Gerard Samuel <[EMAIL PROTECTED]> wrote:

> On Friday 02 July 2004 12:12 pm, Zilvinas Saltys wrote:
> > I looked at server configurations but I couldn't find anything useful. I
> > tried to change IE settings to accept all cookies but nothing changed.
> >
> > Maybe someone knows where's the problem..
>
> I don't know of all the specifics of your situation, but I know when it
> happened to my code, it boiled down to a cookie problem.  (I never
> experienced it first hand unless I turned off cookies in my own browser.  I
> saw it was happening for other users on my code).
> So what I eventually did, was modified my code to work with browsers that do
> not store cookies (for what ever reason that may be).
> By that I mean to pass the session id in the url and in forms...

I know I can pass the session id by url.. But this solution is ugly and hopefully not
the only one there is..
The problem is as I understand IE is not accepting the cookie. So the session id
always regenerates. Everything works fine with mozilla.

The strangest part of the show is some pc's that have IE installed accepts those
cookies. I turned 'accept ALL cookies'. Same result..

Maybe ... this could be a domain problem..

The only thing I want to know is all the truth about IE (6?) and cookies :)

Heeelp :)




Re: [PHP] session id changing all the time on some pc's

2004-07-02 Thread Gerard Samuel
On Friday 02 July 2004 12:12 pm, Zilvinas Saltys wrote:
> I looked at server configurations but I couldn't find anything useful. I
> tried to change IE settings to accept all cookies but nothing changed.
>
> Maybe someone knows where's the problem..

I don't know of all the specifics of your situation, but I know when it
happened to my code, it boiled down to a cookie problem.  (I never 
experienced it first hand unless I turned off cookies in my own browser.  I 
saw it was happening for other users on my code).
So what I eventually did, was modified my code to work with browsers that do 
not store cookies (for what ever reason that may be).
By that I mean to pass the session id in the url and in forms...




Re: [PHP] Session Id in forms

2003-09-10 Thread Justin French
This is done by PHP's enable-trans-sid directive.  The simple solution 
would be to disable trans-sid in the php.ini file, but you may rely on
it to maintain sessions on non-cookie users.

So, then there is this directive in php.ini:

; The URL rewriter will look for URLs in a defined set of HTML tags.
; form/fieldset are special; if you include them here, the rewriter will
; add a hidden <input> field with the info which is otherwise appended
; to URLs.  If you want XHTML conformity, remove the form entry.
; Note that all valid entries require a "=", even if no value follows.
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

1. you may be able to experiment with this setting to change how it 
does things.  For example removing form= will solve your problem, but 
you may lose sessions, so you may have to MANUALLY insert the session 
id into the form as the last form element yourself, or put it in the 
URL YOURSELF.

2. changing form= to form=target may force the session stuff into the 
URL, rather than as a form element

You'll have to experiment a bit, and if you're on a shared server, 
you'll have to see if this directive can be changed in a .htaccess 
file, etc etc.

Justin French

On Thursday, September 11, 2003, at 02:31  AM, Gustavo Del Castillo Meza wrote:

Hi, been having some problems with sessions. When I use a session and a form
on the same page. Sometimes php will create a form object called
PHP_SESSIONID.
Since this is inserted as the first object of the form, this will screw up
my javascript validation, which uses the form element index, I don't want to
change this because is generated by OOH forms.
Is there a way to make this object appear at the end of the form?



Re: [PHP] Session ID as a regex

2003-08-05 Thread Jason Wong
On Wednesday 06 August 2003 02:28, Gerard Samuel wrote:
> How would you best describe a session id as a regex?
> [a-z0-9]{32}
>
> Just checking to see if any other characters can be in a session id.

I think [a-f0-9]{32} is sufficient.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
Are you selling NYLON OIL WELLS??  If so, we can use TWO DOZEN!!
*/





Re: [PHP] session id

2003-03-25 Thread CPT John W. Holmes
> > can somebody tell me why I am getting this:
> > Warning: session_start() [function.session-start]: Cannot send session
> > cookie - headers already sent by (output started at
> > c:\inetpub\wwwroot\search.php:8) in c:\inetpub\wwwroot\search.php on line 21
> >
> > Warning: session_start() [function.session-start]: Cannot send session cache
> > limiter - headers already sent (output started at
> > c:\inetpub\wwwroot\search.php:8) in c:\inetpub\wwwroot\search.php on line 21
> >
> >
> > when I use this code:
> >
> > session_start();
> > if (!isset($_SESSION['count'])) {
> >   $_SESSION['count'] = 0;
> > }
> >
> >
> > PHP is version 4.3.1
> >
> > thanx
> >
> >
>
> You cannot send any output until the session is set
>
> This includes html before the



Re: [PHP] session id

2003-03-25 Thread Ryan Gibson
On 25/3/03 2:37 pm, "Iggy" <[EMAIL PROTECTED]> wrote:

> can somebody tell me why I am getting this:
> Warning: session_start() [function.session-start]: Cannot send session
> cookie - headers already sent by (output started at
> c:\inetpub\wwwroot\search.php:8) in c:\inetpub\wwwroot\search.php on line 21
> 
> Warning: session_start() [function.session-start]: Cannot send session cache
> limiter - headers already sent (output started at
> c:\inetpub\wwwroot\search.php:8) in c:\inetpub\wwwroot\search.php on line 21
> 
> 
> when I use this code:
> 
> session_start();
> if (!isset($_SESSION['count'])) {
>   $_SESSION['count'] = 0;
> }
> 
> 
> PHP is version 4.3.1
> 
> thanx
> 
> 

You cannot send any output until the session is set

This includes html before the



Re: [PHP] session id generation

2003-03-12 Thread Ernest E Vogelsinger
At 19:50 12.03.2003, Mathieu Dumoulin spoke out and said:
[snip]
>Hi, i'd like to know how PHP determines what session_id to hand out to
>users.
>
>Is it based on some real value like the browser and the ip address? an
>incremental number? I want to make sure that it doesnt provide two same
>session id for the different users at the same time.
[snip] 

{php_source_directory}/ext/session/session.c
this has it all - look for _php_create_id().

Basically it generates an MD5 digest from the current secs and usecs
(system time) and a pseudo-random number (see php_combined_lcg() in
standard/lcg.c). If an entropy file is available (usually on unix systems)
it uses the entropy to further randomize the digest. In a final step the
digest is converted to a hex string.


-- 
   >O Ernest E. Vogelsinger 
   (\) ICQ #13394035 
^ http://www.vogelsinger.at/
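
Added example (not from the thread, and not PHP's own session.c code): a PHP sketch of the id recipe described in this message, paired with a strict check for the [a-f0-9]{32} shape suggested in the "Session ID as a regex" reply above. The function names and sample values are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not part of PHP.

/**
 * Sketch of the recipe described above: MD5 over the current seconds and
 * microseconds plus a combined-LCG value, optionally mixed with bytes from
 * an entropy source, rendered as a hex string.
 */
function sketch_session_id(string $entropy = ''): string
{
    [$usec, $sec] = explode(' ', microtime());   // microtime() gives "usec sec"
    $seed = sprintf('%s%s%.8F', $sec, $usec, lcg_value());
    return md5($seed . $entropy);                // 32 lowercase hex characters
}

/**
 * Accept a client-supplied session id only if it has the expected shape.
 * \A and \z anchor the whole string; "$" would also match before a
 * trailing newline and let "<id>\n" through.
 */
function is_wellformed_session_id($candidate): bool
{
    return is_string($candidate)
        && preg_match('/\A[a-f0-9]{32}\z/', $candidate) === 1;
}

// Constructed sample inputs.
$samples = [
    sketch_session_id(),                     // time + LCG only
    sketch_session_id(random_bytes(16)),     // with an entropy source
    'ABCDEF0123456789ABCDEF0123456789',      // uppercase: rejected
    str_repeat('a', 32) . "\n",              // trailing newline: rejected
    'some.user@example',                     // username-like value: rejected
    ['value', 'sent', 'as', 'array'],        // non-string input: rejected
];

foreach ($samples as $s) {
    printf("%-40s %s\n",
        is_string($s) ? json_encode($s) : gettype($s),
        is_wellformed_session_id($s) ? 'accept' : 'reject');
}
```

A matching shape only shows that a value looks like an id of this kind, not that the server issued it. Current PHP releases draw session ids from a CSPRNG with a configurable length and character set, so the pattern has to follow the configured id format there.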





RE: [PHP] session id

2003-02-06 Thread Rich Gray
> -Original Message-
> From: Edward Peloke [mailto:[EMAIL PROTECTED]]
> Sent: 06 February 2003 13:56
> To: Php-General@Lists. Php. Net
> Subject: [PHP] session id
>
>
> Ok, I am sure this has been discussed but I have not been keeping up with
> the listserv.  I am using sessions so to test, I blocked all
> cookies and of
> course the sessionid is then in the url.  How can I hide it from the
> url?...or is this even possible?
>
> Thanks,
> Eddie

If you disable session.use_trans_sid in your php.ini then session id's will
not get passed via the url if cookies are being refused. But then of course
your session support is gone for that particular browser/user.

Rich

