as far as i've been able to figure, you don't _have_ to give session call a session name to regain the session data. if you don't supply a name, it looks for the previous session for that computer. or you could pass it one through your forms or what have you. regardless, you can compile your php engine to pass session ids transparently. not sure if that is all versions. works in 4+. anyway, in that case, no url with a SID to copy. and since the session is started by checking if the computer asking for the session data is the one that started the initial session, jonny doe can't send a url to his friend, have them paste it in and use the previous session. if the php engine is configured to not use cookies, then the session data gets stored in a file in the server system temp or otherwise defined temp directory. (life determined as mentioned earlier).
hope i got that mostly right. :)

-----------------------------------------------
Brian Schneider
[EMAIL PROTECTED] || [EMAIL PROTECTED]
WSU Mechanical Engineering
-----------------------------------------------
"May the gods give you that which you deserve."
-----------------------------------------------

On Wed, 23 Jan 2002 at 5:56pm, Jason G. cried forth in a loud voice saying:

> At 09:35 AM 1/23/2002 +0100, Nick Wilson wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >
> >* and then Jason G. blurted....
> > > If cookies do not work, then you must have a session_id appended to the
> > > URL. HTTP is a "stateless" protocol. So every time you make a request via
> > > HTTP, you must let PHP know what the session_id is either through cookies,
> > > or url query strings (or possibly posted with a form).
> >
> >Yep, now I'm with you. The amount of times you'd see that kind of ugly
> >URL would be fairly minimal in most situations as most users these days
> >aren't even aware they *can* disable cookies.
> >
> >
> > > >> disable cookies, but appending the session ID could be a security risk.
> > > >> Consider this: Someone is viewing a page and says "oh cool, I want Joe
> > > >> to see this". He then copy/pastes the URL, sessionID and all, to Joe,
> > > >> who then loads up the page using his friend's SessionID. With cookies,
> > > >> this would not happen.
> > > >
> > > >Not a problem. The session is *destroyed* as soon as a user closes the
> > > >browser.
> > >
> > > A session will only be *destroyed* if it uses a cookie. PHP never knows
> > > when you close the browser, but the browser will remove the cookie. Next
> > > time you fire up the browser, it will not send the cookie, and a different
> > > session will be started.
> >
> >Sure. But there is some kind of clean on the host machine right? You
> >couldn't expect to continue a session a week later because you've
> >bookmarked a URL containing a SID.
> >I think this is controlled by something like a timeout var in the
> >php.ini.
> Yeah, the sessions will time out and be cleaned up, but that applies just
> as much for cookie based sessions as url based sessions.
>
> >
> > > In my personal experience, using cookies only has not proven to be a
> > > problem. Your call.
> I run several sites that have secure logins (Username and password). And
> I do require the members to have cookies enabled in order for them to login.
>
> If anyone has a problem with it, then they tell their browser to destroy
> the cookies when they close the browser, or only accept cookies from my sites.
>
> >When you say using cookies only do you mean 'requiring' the user to have
> >cookies enabled?
> >
> >- --
> >
> >Nick Wilson
> >
> >Tel: +45 3325 0688
> >Fax: +45 3325 0677
> >Web: www.explodingnet.com
> >
>
> -Jason Garber
> IonZoft.com
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
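
An added example, not part of the thread and not code from any of its participants: one way to set up the cookie-only sessions and server-side timeout discussed above, so that a session ID never appears in a URL that can be copied or bookmarked. It assumes PHP 7.3 or later; the function names and the 30-minute `IDLE_LIMIT` are hypothetical choices made for illustration.

```php
<?php
// Added example: cookie-only PHP sessions with an explicit idle timeout.
declare(strict_types=1);

const IDLE_LIMIT = 1800; // assumed idle limit in seconds (30 minutes)

function start_cookie_only_session(): void
{
    // Accept the session ID from the cookie only, never from the query
    // string or a form field, and never rewrite links to carry it.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that this server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Server-side lifetime used by the session garbage collector
    // (the "timeout var in the php.ini" mentioned in the thread).
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

    session_set_cookie_params([
        'lifetime' => 0,      // browser discards the cookie when it closes
        'path'     => '/',
        'secure'   => true,   // send over HTTPS only
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Garbage collection runs probabilistically, so an expired session file
    // can still exist. Enforce the idle limit on every request as well.
    $now = time();
    if (isset($_SESSION['last_seen'])
        && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        session_unset();             // drop the stale data
        session_regenerate_id(true); // and retire the old ID
    }
    $_SESSION['last_seen'] = $now;
}

function mark_logged_in(string $username): void
{
    // Issue a fresh ID at login so an ID seen before authentication
    // cannot be reused for the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

start_cookie_only_session();
```

With these settings a visitor who has cookies disabled gets a new empty session on every request, which is the "cookies required to log in" behaviour Jason describes.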