NYCPHP Meetup

[Analysis & Solutions]

Hi Folks:

On Fri, Jul 18, 2003 at 02:53:35PM -0400, David Mintz wrote:
> 
> Do you guys use URL rewriting to ensure that the session id is propagated
> from page to page even if the user refuses your cookie?

Yes.  It guarantees access to your resources.  I don't even bother with 
cookies, because managing them differs slightly from browser to browser.  
Even if users accept one cookie from you, there's no guarantee they'll 
continue to do so, thus, it's difficult to manage sessions reliably with 
them.


> I've read somewhere that it can cause 'confusion' or 'problems' if the
> user bookmarks a URL with a session id in the query string, and tries to
> access the page after the session is over, but those readings did not say
> whether you should really worry about it or what the worst case scenario
> is.

This can happen with cookie based sessions too if the cookie hasn't 
expired or been deleted by the next time the user arrives.

It's not a problem if you structure your system effectively.  The way to
handle situations like these is to have your session system keep track of
the last time the session was used.  If it's longer than your timeout,
kill the old session and start a new one... and if the current page
requires authorization, don't show them the stuff.

I just whipped up a new session manager which takes advantage of PHP's 
transparent session id propagation, plus some other handy tricks.  It's 
available on my website:
   http://www.analysisandsolutions.com/software/session-simple/

I'd love to get some peer review on the program, so please check it out.

Enjoy,

--Dan

-- 
     FREE scripts that make web and database programming easier
           http://www.analysisandsolutions.com/software/
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409