> Simply put - you can't.
>
> You need a way to transmit the session identifier, and AFAIK there's
> nothing except either cookies or SID.
>
> Using SID for security relevant issues presents a problem - users can send
> links with a SID to friends by mail or else, so this is not really a secure
> solution. However there are numerous application parts where no security is
> involved, and sessions are just used to construct a site - it's unnecessary
> IMHO to avoid SID use here.
>
> On our server we have disabled session cookies in general, as a courtesy to
> our users. However when logged in we require a user to accept a cookie. The
> value of this cookie is randomly generated (something like "md5(rand())"),
> and changes with every "click". This value (we call it a "login token") is
> also stored in session data to verify the cookie against the session. If no
> user token, or a wrong token, is transmitted, we assume a "hijacked"
> session and automatically logout the user. (there's more to it, but
> basically you get the idea)
This sounds like a pretty good idea to work around that problem :-)

Does this system work if the user decides to split "one session" across
multiple browser windows, i.e. they use the "Open in new window" function of
most browsers?

-Sascha

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
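The "login token" scheme quoted above, written out as an added PHP example (it is not the code of either poster): a random token is stored in the session and in a cookie, compared on every request, rotated on every "click", and a mismatch logs the user out. The cookie name, the session keys and the function names are this example's own choices, and `random_bytes()` stands in for the poster's `md5(rand())`. It also goes one step beyond the quoted description to address Sascha's multi-window question: the previous token is kept alongside the current one, so a second window whose request was sent before the first window's response arrived is not treated as a hijack.

```php
<?php
// Added example, not the original poster's code. Assumed names: the cookie
// LOGIN_TOKEN_COOKIE and the session keys 'login_token' / 'prev_login_token'.
declare(strict_types=1);

const LOGIN_TOKEN_COOKIE = 'logintoken';

// Fresh token from the CSPRNG (the poster used md5(rand()); random_bytes()
// is the PHP 7+ equivalent for unguessable values).
function newLoginToken(): string
{
    return bin2hex(random_bytes(16));
}

// Issue a new token: remember the outgoing one as "previous", store the new
// one in the session, and send it to the browser as a session cookie.
function rotateLoginToken(): void
{
    $_SESSION['prev_login_token'] = $_SESSION['login_token'] ?? '';
    $token = newLoginToken();
    $_SESSION['login_token'] = $token;
    setcookie(LOGIN_TOKEN_COOKIE, $token, [
        'expires'  => 0,        // session cookie, as the poster describes
        'path'     => '/',
        'secure'   => true,     // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Called once credentials have been verified.
function loginUser(int $userId): void
{
    session_regenerate_id(true);   // drop the pre-login session id
    $_SESSION['user_id'] = $userId;
    rotateLoginToken();
}

// Forget the login, clear the token cookie and destroy the session.
function logoutUser(): void
{
    $_SESSION = [];
    setcookie(LOGIN_TOKEN_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}

// The check from the quoted post: a logged-in session must present a
// matching token cookie, otherwise the session is treated as hijacked.
// The previous token is also accepted, which covers two browser windows
// whose requests overlap (the second still carries the older cookie).
// Returns true when the request is accepted as authenticated.
function verifyLoginToken(): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;              // anonymous session, nothing to verify
    }
    $presented = $_COOKIE[LOGIN_TOKEN_COOKIE] ?? '';
    $current   = $_SESSION['login_token'] ?? '';
    $previous  = $_SESSION['prev_login_token'] ?? '';

    $ok = ($current !== '' && hash_equals($current, $presented))
       || ($previous !== '' && hash_equals($previous, $presented));
    if (!$ok) {
        logoutUser();              // missing or wrong token: assume hijack
        return false;
    }
    rotateLoginToken();            // the value changes with every "click"
    return true;
}

// Per-request entry point: run the check before rendering anything.
session_start();
if (!verifyLoginToken()) {
    // render as an anonymous user, or redirect to the login form
}
```

Accepting only the immediately previous token keeps the grace window to one request; three or more overlapping requests from separate windows can still fail the check and log the user out, which is the trade-off this design makes between hijack detection and multi-window use. `hash_equals()` is used so the comparison does not leak timing information, and the token is sent `httponly` and `secure` so script on the page and plain-HTTP requests cannot read it.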