[nycphp-talk] Session basics

Brian O'Connor gatzby3jr at gmail.com
Mon Aug 22 12:29:19 EDT 2005


Ahh, now I'm still confused :\

I added this to a main included file at the top:

<?php
// Disable the URL rewriter that appends the session id to links and forms
ini_set("session.use_trans_sid", 0);

// Accept the session id only from the session cookie, never from the URL
ini_set("session.use_only_cookies", 1);

However, I'm still seeing "?PHPSESSID=xxxxxxxxxxx" in my URLs.

I apologize in advance if I'm getting this wrong, but I tested it in IE and 
Firefox, and no luck either way. Not to mention that cookies are enabled on 
both browsers so it shouldn't even be resorting to the URL. 

I then put 

echo ini_get("session.use_only_cookies");

and the output is 1, but it is still giving the sessid through the URL. If 
anyone knows what's going on, I would appreciate some help fixing this :\ 
Thanks.

On 8/21/05, Billy Pilgrim <bpilgrim1979 at gmail.com> wrote:
> 
> On 8/19/05, Chris Shiflett <shiflett at php.net> wrote:
> > Aaron Fischer wrote:
> > > If the session has expired such as in browser close or timeout, the
> > > bookmarked page won't be a liability as the session id in the URL
> > > won't find a matching session id on the server.
> >
> > The server doesn't know when the browser is closed, so that part's not
> > right. It is true that a session timeout (on the server side) offers
> > some protection against this type of accidental hijacking.
> 
> A bookmarked session id might not result in a hijacked session, but
> it's not a good idea to have session ids exposed and kept around like
> that.
> 
> Consider another example: Someone is logged into a newspaper site and
> sees an interesting article. The user copies the URL (with session id)
> and pastes it in an email to a friend. If the friend receives the
> email quickly and the server has a long timeout, accidental session
> hijacking could occur.
> 
> The primary reason to have a session id in the url is if the browser
> doesn't support cookies, right?
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
> 



-- 
Brian O'Connor
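The cookie-only session setup discussed in this thread, written out as an added example that is not code from the original posts or from any of the participants. It assumes PHP 7 or later (for `declare(strict_types=1)` and `??`), that the include runs before any output and before any other call to session_start(), and that the function names below are hypothetical helpers chosen for this example. Besides applying the two ini settings, it reads back the effective values so an override elsewhere becomes visible, and it treats a session id that arrives in the query string (the "?PHPSESSID=" symptom) as exposed: the id is not adopted and the client is redirected to the same URL with the parameter removed, so the leaked id is not carried into further links, bookmarks or shared mail.

```php
<?php
declare(strict_types=1);

// Added example: bootstrap include that forces cookie-only sessions.
// Must run before any output and before session_start() anywhere else.

/**
 * Apply the cookie-only settings and return what PHP actually reports
 * for them, so a php.ini or .htaccess override is easy to spot.
 */
function configure_cookie_only_sessions(): array
{
    // Both settings take effect only if set before session_start():
    // the trans_sid URL rewriter is installed when the session starts.
    ini_set('session.use_trans_sid', '0');    // no session id in URLs
    ini_set('session.use_only_cookies', '1'); // ignore ids from the URL
    ini_set('session.use_cookies', '1');      // deliver the id by cookie
    ini_set('session.cookie_httponly', '1');  // keep it away from page scripts

    return [
        'use_trans_sid'    => ini_get('session.use_trans_sid'),
        'use_only_cookies' => ini_get('session.use_only_cookies'),
        'cookie_httponly'  => ini_get('session.cookie_httponly'),
    ];
}

/**
 * True when the request carries the session id in the query string.
 * $name is the session cookie/parameter name (session_name()).
 */
function session_id_in_url(array $query, string $name): bool
{
    return isset($query[$name]);
}

/**
 * Return $url with the session id parameter removed, keeping the path
 * and any other query parameters intact.
 */
function strip_session_id_from_url(string $url, string $name): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return '/';
    }
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    unset($query[$name]);
    $path = $parts['path'] ?? '/';
    return $query === [] ? $path : $path . '?' . http_build_query($query);
}

$effective = configure_cookie_only_sessions();
if ($effective['use_trans_sid'] !== '0' || $effective['use_only_cookies'] !== '1') {
    // Something later in the configuration chain wins over ini_set();
    // log it rather than silently running with the session id in URLs.
    error_log('session settings not applied: ' . json_encode($effective));
}

$name = session_name(); // "PHPSESSID" unless the application renamed it

if (session_id_in_url($_GET, $name)) {
    // An id that was visible in a URL (bookmark, emailed link) is treated as
    // exposed: do not adopt it, send the browser to the same page without it.
    // The redirect is relative, which is acceptable for an HTTP/1.1 Location.
    $clean = strip_session_id_from_url($_SERVER['REQUEST_URI'] ?? '/', $name);
    header('Location: ' . $clean, true, 302);
    exit;
}

session_start();
```

With use_only_cookies set, PHP already refuses to start a session from a URL parameter; the redirect adds the cleanup step so the exposed id does not keep circulating in copied links. A session started this way still needs session_regenerate_id() at privilege changes such as login, which this bootstrap deliberately leaves to the application.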