Don't display session ID???
I want the address bar not to display the session ID with my variable. How can I configure the php.ini file, or is there another way to prevent it?
Thanks!
- scorphus
- Forum Regular
- Posts: 589
- Joined: Fri May 09, 2003 11:53 pm
- Location: Belo Horizonte, Brazil
- Contact:
Set
• session.use_cookies=1
• session.use_only_cookies=0
PHP Manual: [url=http://www.php.net/ref.session]XCIV. Session handling functions[/url] wrote:
session.use_cookies boolean
session.use_cookies specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).
session.use_only_cookies boolean
session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Defaults to 0 (disabled, for backward compatibility). Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0.
Cheers,
Scorphus.
Also good to note is this clip from the manual at php.net.
This was found in the sessions section located here: [php_man]session[/php_man]
The session module supports both methods. Cookies are optimal, but because they are not always available, we also provide an alternative way. The second method embeds the session id directly into URLs.
PHP is capable of transforming links transparently. Unless you are using PHP 4.2 or later, you need to enable it manually when building PHP. Under UNIX, pass [php_man]--enable-trans-sid[/php_man] to configure. If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically.
Note: The [php_man]arg_separator.output php.ini[/php_man] directive allows to customize the argument separator. For full XHTML conformance, specify &amp; there.
Alternatively, you can use the constant SID which is always defined. If the client did not send an appropriate session cookie, it has the form session_name=session_id. Otherwise, it expands to an empty string. Thus, you can embed it unconditionally into URLs.
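
A check for the three directives quoted in the replies above, as an added example that is not part of the original thread. The function names are hypothetical and the first settings array is a constructed sample; it assumes PHP 7 or later with the session extension loaded.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

/** Return true when a php.ini-style value ("1", "On", "0", "") means enabled. */
function ini_enabled($value): bool
{
    return filter_var((string) $value, FILTER_VALIDATE_BOOLEAN);
}

/** List every setting that lets a session ID travel in a URL. */
function audit_session_transport(array $ini): array
{
    $findings = [];
    if (!ini_enabled($ini['session.use_cookies'] ?? '')) {
        $findings[] = 'session.use_cookies is off: the ID cannot be kept in a cookie';
    }
    if (!ini_enabled($ini['session.use_only_cookies'] ?? '')) {
        $findings[] = 'session.use_only_cookies is off: an ID passed in the URL is accepted';
    }
    if (ini_enabled($ini['session.use_trans_sid'] ?? '')) {
        $findings[] = 'session.use_trans_sid is on: relative links are rewritten to carry the ID';
    }
    return $findings;
}

/** True when the request carries the session name as a query parameter. */
function url_carries_session_id(array $query, string $sessionName): bool
{
    return array_key_exists($sessionName, $query);
}

// Constructed sample: the values suggested in the first reply.
$sample = [
    'session.use_cookies'      => '1',
    'session.use_only_cookies' => '0',
    'session.use_trans_sid'    => '0',
];
print_r(audit_session_transport($sample));

// The running interpreter's own settings.
$live = [];
foreach (array_keys($sample) as $name) {
    $live[$name] = ini_get($name);
}
print_r(audit_session_transport($live));
var_dump(url_carries_session_id($_GET, session_name()));
```

An empty findings list means the session ID is carried only in a cookie, so it does not appear in the address bar or in links that users copy and share.
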
- Paddy
- Forum Contributor
- Posts: 244
- Joined: Wed Jun 11, 2003 8:16 pm
- Location: Hobart, Tas, Aussie
- Contact:
Ummm...I am pretty crap when it comes to security so this may not be the best way and may very well be one of the worst ways. But I use this instead of SID. I just don't trust users. Before you know it they are copying and pasting the URL and sending the SID off to their buddies...
Code:
<?php
session_start();
if (!(isset($_SESSION['session'])))
{
    $_SESSION['session'] = md5(uniqid(rand()));
    $session = $_SESSION['session'];
}
?>
Paddy wrote:Ummm...I am pretty crap when it comes to security so this may not be the best way and may very well be one of the worst ways. But I use this instead of SID. I just don't trust users. Before you know it they are copying and pasting the URL and sending the SID off to their buddies...
Code:
<?php
session_start();
if (!(isset($_SESSION['session'])))
{
    $_SESSION['session'] = md5(uniqid(rand()));
    $session = $_SESSION['session'];
}
?>
Code:
<?php
session_start();
if (!(isset($_SESSION['username'])))
{
    $_SESSION['username'] = md5(uniqid(rand()));
    $session = $_SESSION['username'];
}
echo("<a href=test>test session</a>");
?>
this code doesn't work?
You can visit at: http://test.usabestof.com/session_test.php
Please help me!
- scorphus
- Forum Regular
- Posts: 589
- Joined: Fri May 09, 2003 11:53 pm
- Location: Belo Horizonte, Brazil
- Contact:
I don't get test&SSID= on my browser. It just displays:
Code:
<a href=test>test session</a>
scorphus wrote:I don't get test&SSID= on my browser. It just displays:
Code:
<a href=test>test session</a>
Yeh! If you click on the link you won't get that, but when you drag on the link you can see the SSID on status bar. (The link click had process.)
It doesn't work for me?
- scorphus
- Forum Regular
- Posts: 589
- Joined: Fri May 09, 2003 11:53 pm
- Location: Belo Horizonte, Brazil
- Contact:
jwang wrote:Yeh! If you click on the link you won't get that, but when you drag on the link you can see the SSID on status bar. (The link click had process.)
It doesn't work for me?
I don't get SSID at all, nor in the status bar: http://test.usabestof.com/test
It seems to be working for me too. Make the test.php echo the $_SESSION['username'] var, so we can check if it is working.
Cheers,
Scorphus.
- twigletmac
- Her Royal Site Adminness
- Posts: 5371
- Joined: Tue Apr 23, 2002 2:21 am
- Location: Essex, UK