[nycphp-talk] Session basics

Matthew Terenzio matt at jobsforge.com
Mon Aug 22 13:22:28 EDT 2005


Not sure if this helps, but just in case . . .

http://lists.nyphp.org/pipermail/talk/2005-January/013648.html


On Aug 22, 2005, at 12:29 PM, Brian O'Connor wrote:

> Ahh, now I'm still confused :\
>
>  I added this to a main included file at the top:
>
>  ini_set("session.use_trans_sid", 0);
>
>  ini_set("session.use_only_cookies", 1);
>
>  However, I'm still seeing "?PHPSESSID=xxxxxxxxxxx" in my URLs.
>
>  I apologize in advance if I'm getting this wrong, but I tested it in 
> IE and Firefox, and no luck either way.  Not to mention that cookies 
> are enabled on both browsers so it shouldn't even be resorting to the 
> URL. 
>
>  I then put
>
>  echo ini_get("session.use_only_cookies");
>
>  and the output is 1, but it is still giving the sessid through the 
> URL.  If anyone knows what's going on, I would appreciate some help 
> fixing this :\  Thanks.
>
> On 8/21/05, Billy Pilgrim <bpilgrim1979 at gmail.com> wrote:
>> shiflett at php.net> wrote:
>> > Aaron Fischer wrote:
>> > > If the session has expired such as in browser close or timeout, the
>> > > bookmarked page won't be a liability as the session id in the URL won't
>> > > find a matching session id on the server.
>> >
>> > The server doesn't know when the browser is closed, so that part's not
>> > right. It is true that a session timeout (on the server side) offers
>> > some protection against this type of accidental hijacking.
>>
>> A bookmarked session id might not result in a hijacked session, but
>> it's not a good idea to have session ids exposed and kept around like
>> that.
>>
>> Consider another example:  Someone is logged into a newspaper site and
>> sees an interesting article.  The user copies the url (with session id)
>> and pastes it in an email to a friend.  If the friend receives the
>> email quickly and the server has a long timeout, accidental session
>> hijacking could occur.
>>
>> The primary reason to have a session id in the url is if the browser
>> doesn't support cookies, right?
>> _______________________________________________
>> New York PHP Talk Mailing List
>> AMP Technology
>> Supporting Apache, MySQL and PHP
>> http://lists.nyphp.org/mailman/listinfo/talk
>>  http://www.nyphp.org
>
>
>
> -- 
> Brian O'Connor
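The cookie-only session setup Brian is trying to reach, as an added example that is not code from the thread or from NYPHP. It applies the two directives he names plus `url_rewriter.tags` and `session.cookie_httponly` (the latter assumes PHP 5.2 or later), and after `session_start()` it reports where the id actually came from, which is the check that separates "the ini value reads 1" from "the session module honoured it". The order matters: `ini_set()` calls that run after `session_start()` change what `ini_get()` prints but not the session that was already started, and with `session.auto_start=1` the session starts before any script code runs, so runtime `ini_set()` is always too late and the values must go into php.ini or an Apache `php_flag` line instead.

```php
<?php
// Added example, not code from the original thread.
// Keeps the session id out of URLs and verifies the settings took effect.
// Assumes PHP 5.2+ for session.cookie_httponly; the other directives are
// the ones named in the thread.

// 1. Apply the directives BEFORE session_start() and before any output.
//    The session module reads them when the session starts, so a later
//    ini_set() only changes ini_get()'s answer, not the running session.
function harden_session_config()
{
    $wanted = array(
        'session.use_only_cookies' => '1',  // ignore a sid passed in the URL
        'session.use_trans_sid'    => '0',  // never rewrite links/forms with the sid
        'url_rewriter.tags'        => '',   // even if trans_sid is on, nothing gets rewritten
        'session.cookie_httponly'  => '1',  // keep the cookie away from script access
    );
    $failed = array();
    foreach ($wanted as $directive => $value) {
        // ini_set() returns false when the directive cannot be changed at
        // runtime (locked down in php.ini or httpd.conf); collect those so
        // the deployment can move them into the server-level config.
        if (ini_set($directive, $value) === false) {
            $failed[] = $directive;
        }
    }
    if (ini_get('session.auto_start')) {
        // The session already started before this script ran, so none of
        // the ini_set() calls above reached it.
        $failed[] = 'session.auto_start is on: set the directives in php.ini';
    }
    return $failed;
}

// 2. After session_start(), report where the id came from and what the
//    effective directive values are.
function session_exposure_report()
{
    $name = session_name();                  // 'PHPSESSID' unless renamed
    $report = array(
        'sid_in_cookie'     => isset($_COOKIE[$name]),
        'sid_in_url'        => isset($_GET[$name]),
        'use_only_cookies'  => ini_get('session.use_only_cookies'),
        'use_trans_sid'     => ini_get('session.use_trans_sid'),
        'url_rewriter_tags' => ini_get('url_rewriter.tags'),
    );
    // An id that arrived only in the URL and became the live session id means
    // use_only_cookies was not in effect when session_start() ran.
    $report['url_sid_honoured'] = $report['sid_in_url']
        && !$report['sid_in_cookie']
        && session_id() === $_GET[$name];
    return $report;
}

$failed = harden_session_config();
session_start();
header('Content-Type: text/plain');
print_r(session_exposure_report());
if ($failed) {
    echo "Could not apply at runtime: " . implode(', ', $failed) . "\n";
}
```

Drop this in as the very first included file and request it once with a cookie and once with `?PHPSESSID=test` appended: with the hardened settings in effect `url_sid_honoured` stays false and a fresh id is issued, and `use_trans_sid` must read 0 on the request that renders the page with links, not just on a probe page, since the rewriting happens in the output layer of whichever script emits the HTML.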