Don't display session ID???

jwang
Forum Newbie
Posts: 8
Joined: Thu Oct 23, 2003 2:47 am

Don't display session ID???

Post by jwang »

I don't want the address bar to display the session ID along with my variable. How can I configure the php.ini file, or use some other way, to prevent it??

Thanks!
scorphus
Forum Regular
Posts: 589
Joined: Fri May 09, 2003 11:53 pm
Location: Belo Horizonte, Brazil

Post by scorphus »

Set
• session.use_cookies=1
• session.use_only_cookies=0
PHP Manual, XCIV. Session handling functions (http://www.php.net/ref.session), wrote:
session.use_cookies boolean
session.use_cookies specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).

session.use_only_cookies boolean
session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Defaults to 0 (disabled, for backward compatibility). Enabling this setting prevents attacks that involve passing session ids in URLs. This setting was added in PHP 4.3.0.
Cheers,
Scorphus.
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Also good to note is this clip from the manual at php.net:
The session module supports both methods. Cookies are optimal, but because they are not always available, we also provide an alternative way. The second method embeds the session id directly into URLs.

PHP is capable of transforming links transparently. Unless you are using PHP 4.2 or later, you need to enable it manually when building PHP. Under UNIX, pass --enable-trans-sid to configure. If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically.

Note: The arg_separator.output php.ini directive allows you to customize the argument separator. For full XHTML conformance, specify & there.

Alternatively, you can use the constant SID which is always defined. If the client did not send an appropriate session cookie, it has the form session_name=session_id. Otherwise, it expands to an empty string. Thus, you can embed it unconditionally into URLs.
This was found in the sessions section of the manual.
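As an added example (not code from this thread, and not from the PHP manual), here is how the directives scorphus and infolock quote can be applied at runtime, before session_start(), so that the session ID lives only in the cookie and links are never rewritten to carry it. The error_log() line and the test.php link target are my own assumptions; session.cookie_httponly is a later addition to PHP (5.2) and is not on the page.

```php
<?php
// Added example: cookie-only session IDs. Every ini_set() here mirrors the
// php.ini directive of the same name and must run before session_start().
ini_set('session.use_cookies', '1');       // store the ID in a cookie ...
ini_set('session.use_only_cookies', '1');  // ... and accept it from nowhere else
ini_set('session.use_trans_sid', '0');     // never rewrite <a href> to append the ID
ini_set('session.cookie_httponly', '1');   // PHP >= 5.2 (assumption): hide from JavaScript
session_start();

// With use_only_cookies=1 an ID that arrives in the query string is ignored, so a
// copied URL such as test.php?PHPSESSID=... does not resume the original session.
// Logging it is a cheap way to notice that someone is passing IDs around in links.
$name = session_name();
if (isset($_GET[$name]) && $_GET[$name] !== session_id()) {
    error_log('session ID supplied in URL was ignored for ' . $_SERVER['REQUEST_URI']);
}

// Plain link: no SID constant embedded, no trans_sid rewriting, nothing to copy.
echo '<a href="test.php">test session</a>';
?>
```

The point of keeping use_trans_sid off together with use_only_cookies on is that the first directive stops PHP from putting the ID into links and the second stops it from accepting one that arrives that way; setting only one of the two leaves half the problem in place.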
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

Ummm...I am pretty crap when it comes to security so this may not be the best way and may very well be one of the worst ways. But I use this instead of SID. I just don't trust users. Before you know it they are copying and pasting the URL and sending the SID off to their buddies...

Code:

<?php
session_start();
// Create a random per-visitor token once, the first time this session is seen.
if (!isset($_SESSION['session'])) {
    $_SESSION['session'] = md5(uniqid(rand()));
    // Note: $session is only assigned on that first request; later requests
    // read $_SESSION['session'] directly.
    $session = $_SESSION['session'];
}
?>
jwang
Forum Newbie
Posts: 8
Joined: Thu Oct 23, 2003 2:47 am

Post by jwang »

Paddy wrote:
Ummm...I am pretty crap when it comes to security so this may not be the best way and may very well be one of the worst ways. But I use this instead of SID. I just don't trust users. Before you know it they are copying and pasting the URL and sending the SID off to their buddies...

Code:

<?php
session_start();
if (!isset($_SESSION['session']))
{
    $_SESSION['session'] = md5(uniqid(rand()));
    $session = $_SESSION['session'];
}
?>

Code:

<?php
session_start();
// Store a random token in the session on the first visit (same idea as Paddy's post).
if (!isset($_SESSION['username']))
{
    $_SESSION['username'] = md5(uniqid(rand()));
    $session = $_SESSION['username'];
}
// A relative link; this is where the session ID was showing up in the URL.
echo("<a href=test>test session</a>");
?>
and the URL bar displays: test&SSID=.....

This code doesn't work?
You can visit at: http://test.usabestof.com/session_test.php

Please help me!
scorphus
Forum Regular
Posts: 589
Joined: Fri May 09, 2003 11:53 pm
Location: Belo Horizonte, Brazil

Post by scorphus »

I don't get test&SSID= on my browser. It just displays:

Code:

<a href=test>test session</a>
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

8O

worked for me
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

It does work. I just accidentally left the extra php tags in. :oops: I edited it pretty damn quick though. You guys are just quicker. :)

Any comments on the use of this code for sessions?
jwang
Forum Newbie
Posts: 8
Joined: Thu Oct 23, 2003 2:47 am

Post by jwang »

scorphus wrote:
I don't get test&SSID= on my browser. It just displays:

Code:

<a href=test>test session</a>

Yeh! If you click on the link you won't get that, but when you drag on the link you can see the SSID in the status bar. (The link click had process.)

It doesn't work for me?
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

dude, i just don't see where you are getting the SSID at all cuz i don't see it. maybe you have an older browser or something, dunno.
scorphus
Forum Regular
Posts: 589
Joined: Fri May 09, 2003 11:53 pm
Location: Belo Horizonte, Brazil

Post by scorphus »

jwang wrote:
Yeh! If you click on the link you won't get that, but when you drag on the link you can see the SSID in the status bar. (The link click had process.)

It doesn't work for me?
I don't get SSID at all, nor in the status bar: http://test.usabestof.com/test

It seems to be working for me too. Make the test.php echo the $_SESSION['username'] var, so we can check if it is working.

Cheers,
Scorphus.
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Check your cookie settings in your browser - if the session cookie can't be set then you'd expect to see the session ID in the URL.

Mac
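A quick way to check what twigletmac describes, as an added example rather than code from this thread (the function name and the two messages are my own): it reports whether the browser sent the session cookie back. On the very first request no cookie exists yet, so reload the page once before reading the result; if the cookie never shows up after that, PHP has only the URL left to carry the ID, and with use_trans_sid enabled that is where it will appear.

```php
<?php
session_start();

// Added example: true when the browser returned the session cookie and it
// matches the ID PHP is actually using for this request.
function session_cookie_received()
{
    $name = session_name();   // normally PHPSESSID
    return isset($_COOKIE[$name]) && $_COOKIE[$name] === session_id();
}

if (session_cookie_received()) {
    echo 'session cookie received; links will stay clean';
} else {
    echo 'no session cookie from this browser yet; reload once, then check the browser cookie settings';
}
?>
```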