Re: [PHP] Re: session cookies enabled?
Edward Vermillion wrote:
> And the session id is open to being stored in a bookmark or worse, sent to
> someone else through a cut and paste of the URL. Depending on what
> information that id controls and how long the sessions are kept around,
> id's in the URL could be a very bad thing indeed.

Agreed (depending entirely on how your app was written), my point was simply that a trans ID will never give away anything more than a cookie does. In that respect, they're identical.

Cheers,

Rich
--
Zend Certified Engineer
http://www.corephp.co.uk

"Never trust a computer you can't throw out of a window"

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: session cookies enabled?
On May 10, 2007, at 11:40 AM, Richard Davey wrote:
> [EMAIL PROTECTED] wrote:
>> That being the case I can never find out (using the built-in sessions)
>> until the second page request and it will always include the session
>> cookie in the URL. Which means the value of the session cookie will be
>> exposed, even if I am using SSL. :( Back to the drawing board...
>
> While using TRANS IDs are ugly, they will show no more or less
> information to the user than a session cookie contains. Most browsers
> have built-in support for viewing cookie contents these days. Doing so
> will show your PHP Session ID clearly. Trans IDs are no different, just
> more 'obvious' being in the URL and all. The actual data displayed is
> the same however.

And the session id is open to being stored in a bookmark or worse, sent to someone else through a cut and paste of the URL. Depending on what information that id controls and how long the sessions are kept around, id's in the URL could be a very bad thing indeed.

Ed
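The risk Ed describes (a session id that lives in a bookmark or a pasted link) is closed off by PHP's own ini settings. The following is an added example, not code from this thread: it forces cookie-only propagation so a URL can never resume a session, regenerates the id when the user authenticates, and logs any request that still arrives with the session name in the query string, which is exactly what a bookmarked or shared link looks like. The function names and the log format are my own; session.use_strict_mode needs PHP 5.5.2+ and session.cookie_samesite PHP 7.3+.

```php
<?php
// Added example, not from the thread. Include this before session_start()
// on every page. Function names, the log wording and the 'user_id' key
// are assumptions for the demonstration.

declare(strict_types=1);

function harden_session(): void
{
    // The cookie becomes the only carrier: ids in URLs are neither
    // emitted nor accepted, so a pasted link cannot resume a session.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server never issued (PHP >= 5.5.2).
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from scripts and off plaintext connections.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3
}

function session_id_in_url(array $query): ?string
{
    // The id that arrived via the query string, or null when there is none.
    $name = session_name();
    return isset($query[$name]) && is_string($query[$name]) ? $query[$name] : null;
}

function log_url_session_id(array $server, array $query): bool
{
    // Detection: a session name in the query string means a URL carrying
    // an id has been bookmarked, shared or crafted. Log a prefix only;
    // the full id is the secret we are trying to keep out of logs.
    $leaked = session_id_in_url($query);
    if ($leaked === null) {
        return false;
    }
    error_log(sprintf(
        'session id presented in URL from %s for %s (prefix %s...)',
        $server['REMOTE_ADDR'] ?? '-',
        $server['REQUEST_URI'] ?? '-',
        substr($leaked, 0, 6)
    ));
    return true;
}

function on_successful_login(int $userId): void
{
    // Issue a fresh id at the privilege change so an id observed before
    // login (in a URL, a log, a proxy) is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

harden_session();
log_url_session_id($_SERVER, $_GET);
session_start();
// With use_only_cookies=1 PHP ignores any id in the URL: the request above
// gets a brand-new session rather than someone else's.
```

The logging call runs before session_start() deliberately: by the time the session is open, PHP has already discarded the URL value, and the only evidence that a URL-borne id was presented is the raw query string.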
Re: [PHP] Re: session cookies enabled?
[EMAIL PROTECTED] wrote:
> That being the case I can never find out (using the built-in sessions)
> until the second page request and it will always include the session
> cookie in the URL. Which means the value of the session cookie will be
> exposed, even if I am using SSL. :( Back to the drawing board...

While using TRANS IDs are ugly, they will show no more or less information to the user than a session cookie contains. Most browsers have built-in support for viewing cookie contents these days. Doing so will show your PHP Session ID clearly. Trans IDs are no different, just more 'obvious' being in the URL and all. The actual data displayed is the same however.

Cheers,

Rich
--
Zend Certified Engineer
http://www.corephp.co.uk

"Never trust a computer you can't throw out of a window"
RE: [PHP] Re: session cookies enabled?
Mike,

Thanks for the super clear explanation.

> > This brings up a question. In order to decide whether to use cookies
> > or SID the built-in sessions must be testing to see if the user's
> > browser will accept the session cookies. How do they do that?
>
> By sending it out and checking to see whether it comes back on the next
> page.

...

That being the case I can never find out (using the built-in sessions) until the second page request and it will always include the session cookie in the URL. Which means the value of the session cookie will be exposed, even if I am using SSL. :(

Back to the drawing board...

Best,

Craig
--
- Virtual Phonecards - Instant Pin by Email -
- Large Selection - Great Rates -
- http://speedypin.com/?aff=743&co_branded=1 -
--
Craig Spencer
[EMAIL PROTECTED]
RE: [PHP] Re: session cookies enabled?
On 09 May 2007 16:36, [EMAIL PROTECTED] wrote:
> Ford, Mike writes:
>
> > > > You can also set up php.ini and use the built-in sessions with
> > > > http://php.net/session_start so that PHP will take care of this
> > > > for you.
> > >
> > > That is what I was intending to do. How do I find out if
> > > whether or not the session cookie was accepted using the
> > > built-in sessions? I found no function for such a test.
> >
> > Check the SID constant after you've done session_start(). If it has
> > an empty value, the session is using cookies; otherwise, it'll have
> > a value of the form 'sessionname=sessionid', which is what is
> > appended to the URL (or inserted in forms as a hidden value) to
> > propagate the session-id.
>
> Interesting idea.
>
> This brings up a question. In order to decide whether to use cookies
> or SID the built-in sessions must be testing to see if the user's
> browser will accept the session cookies. How do they do that?

By sending it out and checking to see whether it comes back on the next page.

Assuming your setup is:

    session.use_cookies = On
    session.use_only_cookies = Off
    session.use_trans_sid = On

Then the sequence is this:

1. The first page involving a session will *both* send the cookie *and* append the SID to URLs in the page.

2. So the next page request will return the SID, and if cookies are enabled also the cookie.

3. On starting the session for this page, PHP will first look for the cookie: if it's present, its value will be used and SID defined as empty; if not, the browser must not be accepting cookies, so the value from the URL query string is used and SID is defined with the matching string.

4. PHP now knows whether cookies are in use *for this request*, and *either* sends the cookie *or* appends the SID to URLs in the page.

5. Requests from this page will thus *either* return the cookie *or* include the SID as a URL get parameter.

6. Go back to 3.

Note that with this setup, you will *always* get at least one request with the SID in the URL. Any site that doesn't do this has use_only_cookies turned on or/and use_trans_sid turned off.

> If they do it by the "2 page", send a cookie and see if it comes
> back to the second page method we have been talking about, then
> somehow, they are surreptitiously inserting a forward to a non-
> existent page! Right? How do they do that?

No, see above: they simply wait for the next regular page request to come in and see if the cookie came with it. Nothing surreptitious or super-clever.

Cheers!

Mike

Mike Ford, Electronic Information Services Adviser, JG125, The Headingley Library, James Graham Building, Leeds Metropolitan University, Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 812 4730 Fax: +44 113 812 3211
To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
Re: [PHP] Re: session cookies enabled?
On Wed, May 9, 2007 10:36 am, [EMAIL PROTECTED] wrote:
> This brings up a question. In order to decide whether to use cookies
> or SID the built-in sessions must be testing to see if the user's
> browser will accept the session cookies. How do they do that?

The same way you would do it.

Actually, they might have just used:

    $cookie_name = session_name();
    if (isset($_COOKIE[$cookie_name])) {
        // the cookie came back: use the id it carries
        $session_id = $_COOKIE[$cookie_name];
    } elseif (isset($_REQUEST[$cookie_name])) {
        // no cookie, but the id was propagated in the URL or a hidden form field
        $session_id = $_REQUEST[$cookie_name];
    } else {
        // neither: first request, so mint a new id
        // (uniqid() is time-based, not cryptographically random)
        $session_id = uniqid();
    }

> If they do it by the "2 page", send a cookie and see if it comes
> back to the second page method we have been talking about, then
> somehow, they are surreptitiously inserting a forward to a non-
> existent page! Right? How do they do that?

No, that's not how it works.

JUST send the dang cookie on every page.

And check if it's there on every page.

And whatever first page the user gets to, with no cookie, be sure you send them suitable content for having no cookie.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
RE: [PHP] Re: session cookies enabled?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 08 May 2007 20:57
>
> > You can also set up php.ini and use the built-in sessions with
> > http://php.net/session_start so that PHP will take care of this for
> > you.
>
> That is what I was intending to do. How do I find out if
> whether or not the session cookie was accepted using the
> built-in sessions? I found no function for such a test.

Check the SID constant after you've done session_start(). If it has an empty value, the session is using cookies; otherwise, it'll have a value of the form 'sessionname=sessionid', which is what is appended to the URL (or inserted in forms as a hidden value) to propagate the session-id.

Cheers!

Mike

Mike Ford, Electronic Information Services Adviser, JG125, The Headingley Library, James Graham Building, Headingley Campus, Beckett Park, LEEDS, LS6 3QS United Kingdom
Tel: +44 113 812 4730 Fax: +44 113 812 3211
To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
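Mike's SID-constant check here, and the six-step cookie-or-URL sequence he lays out in his later reply, can both be watched on one diagnostic page. This is an added example, not code from the thread: it sets the three ini values Mike assumes (use_cookies on, use_only_cookies off, use_trans_sid on), calls session_start(), and classifies the request from the SID constant together with what arrived in the cookie jar and the query string. The function name session_carrier() and the hit counter are my own.

```php
<?php
// Added example, not from the thread: load this page twice, once with
// cookies enabled and once with them blocked, and compare the output.
// The ini values are the setup Mike assumes; everything else is assumed.

declare(strict_types=1);

ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');

session_start();

function session_carrier(bool $cookiePresent, string $sid, bool $urlPresent): string
{
    // $sid is the SID constant after session_start():
    //   ''        -> the id came from the cookie (step 3, cookie branch)
    //   'name=id' -> no cookie was received, so PHP will append this to URLs
    if ($cookiePresent && $sid === '') {
        return 'cookie';
    }
    if ($sid !== '' && $urlPresent) {
        return 'trans-sid (id taken from the query string)';
    }
    return 'first request (no id received yet; cookie AND URL id will be sent)';
}

$name    = session_name();
$carrier = session_carrier(isset($_COOKIE[$name]), SID, isset($_GET[$name]));
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

header('Content-Type: text/html; charset=utf-8');
echo "<pre>\n";
echo 'session name : ' . htmlspecialchars($name) . "\n";
echo "SID constant : '" . htmlspecialchars(SID) . "'\n";
echo 'carrier      : ' . htmlspecialchars($carrier) . "\n";
echo 'hits         : ' . $_SESSION['hits'] . "\n";
echo "</pre>\n";
// Step 1/4: PHP's output rewriting appends the SID to this href only when
// the cookie was NOT received on this request, which is why a site with
// this setup always serves at least one URL carrying the id.
echo '<a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">reload</a>' . "\n";
```

With cookies enabled the first load reports "first request" and every later one "cookie"; with cookies blocked, each load after the first reports the trans-sid branch and the reload link visibly carries the id, which is the exposure Craig is worried about.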
Re: [PHP] Re: session cookies enabled?
On Tue, May 8, 2007 5:50 pm, itoctopus wrote:
> setcookie("cookie_name", "value");
> //redirect to another page using header
> header("location:".$your_url);

This will fail on some legacy browsers, if you need legacy browser support.

In *MOST* architectures, your visitor can be given the cookie on a page "before" the cookie-needing page, or they can be given alternate content (i.e., a login) until you are happy with whatever cookie (and its implied state of existence) are presented.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Re: session cookies enabled?
On Tue, May 8, 2007 2:56 pm, [EMAIL PROTECTED] wrote:
> Richard Lynch writes:
>> Send one cookie, see if it comes back, and if it does, tie
>> everything to that cookie.
>
> OK. So how do I see if it comes back?

    if (isset($_COOKIE['foo'])) {
        // cookie came back
    } else {
        // cookie did NOT come back
    }

> I send the user a page that tries to set a session cookie. That
> page would then have to forward him to a second page which would
> check for the cookie being sent. Right?

Yes.

Send the cookie with the homepage, login page, or whatever they are first going to see.

Don't show them anything they shouldn't see without the cookie.

Check if they have a cookie.

It's probably best to just do all this in an include file that you pull in on any page that needs cookies.

You can even make the include file abort the rest of the page output if you want to require them to login with a valid session before going any further.

> So there is nothing I can check so I can do it with a single page?

Oh. No.

It does seem like that would be a Nifty thing for the browser to have sent with the first request, but that's just not the way it works.

It's an inherent 2-request process.

HTTP Request -> Reply with Cookie -> HTTP Request with Cookie (or not)

You'd have to duke it out with Mozilla and Microsoft to get that to change, and they probably aren't gonna want to send a pre-acceptance-of-cookie letter of intent with every HTTP request...

Especially not when the vast majority of HTTP requests don't need cookies anyway...

Well, I never did a statistical analysis of that, but across the 'net as whole? Yeah, I think it's a pretty safe statement...

>> You can also set up php.ini and use the built-in sessions with
>> http://php.net/session_start so that PHP will take care of this
>> for you.
>
> That is what I was intending to do. How do I find out if whether
> or not the session cookie was accepted using the built-in sessions?

You don't.

You turn on the Cookies and the trans_sid in php.ini, and let PHP worry about whether it was cookies or not and re-write your URLs if it wasn't.

Or maybe it just re-writes them no matter what anyway, but prefers the Cookie if it's there? Whatever.

If, after doing that, you still feel the need to "know" if they used a cookie or not, then you can use http://php.net/set_session_params and choose a cookie/session name, and then you can test with:

    if (isset($_COOKIE['whatever_you_chose_in_set_session_params'])) {
    }

and then you'll know if they used Cookies or Trans SID in URL...

But you won't really care, as all the info you need is in $_SESSION either way, so it doesn't matter if they used a cookie or the ID in the URL or sent a little squirrel along the wire with an engraved acorn.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
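Richard's "include file that aborts the rest of the page output" can be written as below. This is an added example, not his code: it checks that the session cookie came back (keyed by session_name() rather than a hard-coded 'foo'), that the session holds an authenticated user, and that it has not sat idle too long, and sends the visitor to the login page otherwise. LOGIN_URL, IDLE_LIMIT, the 'user_id' and 'last_seen' keys, the reason query parameter and the file name session_gate.php are all assumptions.

```php
<?php
// session_gate.php (assumed name), an added example, not from the thread.
// require_once it at the top of every page that needs a logged-in session.
// Nothing below the require is sent unless the gate passes.

declare(strict_types=1);

const LOGIN_URL  = '/login.php'; // assumed location of the login page
const IDLE_LIMIT = 1800;         // assumed policy: seconds of inactivity allowed

function cookie_came_back(array $cookies): bool
{
    // Richard's isset($_COOKIE[...]) check, using the configured session name.
    return isset($cookies[session_name()]);
}

function gate_decision(bool $cookiePresent, array $session, int $now): string
{
    // Pure decision logic so it can be exercised without a web server.
    // Returns 'no-cookie', 'anonymous', 'expired' or 'ok'.
    if (!$cookiePresent) {
        return 'no-cookie';   // first visit, or the browser refused the cookie
    }
    if (!isset($session['user_id'])) {
        return 'anonymous';   // cookie present, but nobody has logged in on it
    }
    if (isset($session['last_seen']) && $now - $session['last_seen'] > IDLE_LIMIT) {
        return 'expired';     // valid once, but idle for longer than the policy allows
    }
    return 'ok';
}

function require_login(): void
{
    // The cookie is the only carrier we trust; ids in URLs are ignored.
    ini_set('session.use_only_cookies', '1');
    session_start();

    $decision = gate_decision(cookie_came_back($_COOKIE), $_SESSION, time());
    if ($decision === 'ok') {
        $_SESSION['last_seen'] = time();
        return;
    }
    if ($decision === 'expired') {
        // Drop the stale session server-side so its id cannot be resumed later.
        $_SESSION = [];
        session_destroy();
    }
    // Abort the rest of the page: no headers or body below this point are sent.
    header('Location: ' . LOGIN_URL . '?reason=' . $decision, true, 302);
    exit;
}

require_login();
```

The login page itself is the one place that must render without a cookie, since on a visitor's very first request there is nothing to check yet; once it authenticates the user it sets $_SESSION['user_id'] and the gate on every other page starts passing.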