Don't display session ID???
Posted: Sun Nov 16, 2003 10:48 pm
I want the address bar not to display the session ID with my variable. How can I configure the php.ini file, or is there another way to prevent it?
Thanks!
Cheers,

PHP Manual: XCIV. Session handling functions (http://www.php.net/ref.session) wrote:
session.use_cookies boolean
session.use_cookies specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).
session.use_only_cookies boolean
session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Defaults to 0 (disabled, for backward compatibility). Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0.
This was found in the sessions section located here: session (PHP manual)

The session module supports both methods. Cookies are optimal, but because they are not always available, we also provide an alternative way. The second method embeds the session id directly into URLs.
PHP is capable of transforming links transparently. Unless you are using PHP 4.2 or later, you need to enable it manually when building PHP. Under UNIX, pass --enable-trans-sid to configure. If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically.
Note: The arg_separator.output php.ini directive allows to customize the argument separator. For full XHTML conformance, specify &amp; there.
Alternatively, you can use the constant SID which is always defined. If the client did not send an appropriate session cookie, it has the form session_name=session_id. Otherwise, it expands to an empty string. Thus, you can embed it unconditionally into URLs.
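
The directives quoted from the manual above, applied at run time with a check that they actually took effect, as an added example that is not from the thread or the PHP manual. It assumes PHP 7.1 or later; the function name start_cookie_only_session is hypothetical.

```php
<?php
// Added example, not from the thread. Same effect as these php.ini lines:
//   session.use_cookies      = 1
//   session.use_only_cookies = 1
//   session.use_trans_sid    = 0

// Hypothetical helper; call it before any output is sent.
function start_cookie_only_session(): void
{
    $wanted = [
        'session.use_cookies'      => true,  // keep the ID in a cookie
        'session.use_only_cookies' => true,  // ignore IDs passed in the URL
        'session.use_trans_sid'    => false, // never rewrite links with the ID
    ];
    foreach ($wanted as $name => $on) {
        ini_set($name, $on ? '1' : '0');
        // ini_set() can fail (headers sent, session already active),
        // so compare the effective value instead of trusting the call.
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN) !== $on) {
            throw new RuntimeException("session setting $name is not in effect");
        }
    }

    // PHP now ignores an ID in the query string, but an old link may still
    // carry one. Redirect once to the same path without it so the ID does not
    // stay in the address bar, bookmarks or Referer headers.
    $name = session_name();
    if (isset($_GET[$name])) {
        $query = $_GET;
        unset($query[$name]);
        // Force a single leading slash so "//host/..." cannot redirect off-site.
        $path = '/' . ltrim((string) strtok($_SERVER['REQUEST_URI'], '?'), '/');
        $qs   = $query ? '?' . http_build_query($query) : '';
        header('Location: ' . $path . $qs, true, 302);
        exit;
    }

    session_start();
}

start_cookie_only_session();
// Plain links are enough: do not append SID or session_id() to URLs.
echo '<a href="test">test session</a>';
```
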
Paddy wrote:
Ummm...I am pretty crap when it comes to security so this may not be the best way and may very well be one of the worst ways. But I use this instead of SID. I just don't trust users. Before you know it they are copying and pasting the URL and sending the SID off to their buddies...
Code:
<?php
session_start();
if (!(isset($_SESSION['session'])))
{
    $_SESSION['session'] = md5(uniqid(rand()));
    $session = $_SESSION['session'];
}
?>

Code:
<?php
session_start();
if (!(isset($_SESSION['username'])))
{
    $_SESSION['username'] = md5(uniqid(rand()));
    $session = $_SESSION['username'];
}
echo("<a href=test>test session</a>");
?>
Code:
<a href=test>test session</a>

Yeh! If you click on the link you won't get that but when you drag on the link and you can see the SSID on status bar. (The link click had process.)

scorphus wrote:
I don't get test&SSID= on my browser. It just displays:
Code:
<a href=test>test session</a>

I don't get SSID at all, nor in the status bar: http://test.usabestof.com/test

jwang wrote:
Yeh! If you click on the link you won't get that but when you drag on the link and you can see the SSID on status bar. (The link click had process.)

It doesn't work for me?