[nycphp-talk] Auth and cookies

Chris Shiflett shiflett at
Fri Jan 21 12:12:52 EST 2005

--- Matthew Terenzio <matt at> wrote:
> It seems like the only way I can get PEAR Auth to use cookies
> is with session.use_only_cookies.

Disclaimer: I've never used PEAR::Auth.

> session.use_cookies was enabled but the URLs were being
> rewritten by default even though my client was accepting
> cookies.
> Kind of vague, I know, but since everthing works fine when I
> toggle use_only_cookies, I find it strange.

(This seems to be related to sessions, not specifically to PEAR::Auth.)

As a guess, it sounds like you were only observing the first page, at
which time PHP cannot determine whether the user has enabled cookies. It
will rewrite all URLs to append the session identifier, and it will also
set a cookie. On the next page, it can determine whether cookies are
enabled (in which case it will no longer rewrite URLs) or disabled (in
which case it's a good thing the session identifier was also propagated in
the URL).

If you use session.use_only_cookies, you're basically saying that it's
fine for a user who does not enable cookies to lose session, so PHP won't
bother with rewriting URLs, even on the first page.

This rewriting behavior depends upon session.use_trans_sid, which seems to

Hope that helps.


Chris Shiflett -

PHP Security - O'Reilly     HTTP Developer's Handbook - Sams
Coming Soon       

More information about the talk mailing list