
Don't display session ID???

Posted: Sun Nov 16, 2003 10:48 pm
by jwang
I want the address bar not to display the session ID along with my variable. How can I configure the php.ini file, or is there another way to prevent it?

Thanks!

Posted: Sun Nov 16, 2003 10:59 pm
by scorphus
Set
• session.use_cookies=1
• session.use_only_cookies=0
PHP Manual: [url=http://www.php.net/ref.session]XCIV. Session handling functions[/url] wrote:
session.use_cookies boolean
session.use_cookies specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).

session.use_only_cookies boolean
session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Defaults to 0 (disabled, for backward compatibility). Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0.
Cheers,
Scorphus.

Posted: Sun Nov 16, 2003 11:01 pm
by infolock
Also good to note is this clip from the manual at php.net:
The session module supports both methods. Cookies are optimal, but because they are not always available, we also provide an alternative way. The second method embeds the session id directly into URLs.

PHP is capable of transforming links transparently. Unless you are using PHP 4.2 or later, you need to enable it manually when building PHP. Under UNIX, pass [php_man] --enable-trans-sid [/php_man] to configure. If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically.

Note: The [php_man] arg_separator.output php.ini [/php_man] directive allows you to customize the argument separator. For full XHTML conformance, specify &amp; there.

Alternatively, you can use the constant SID which is always defined. If the client did not send an appropriate session cookie, it has the form session_name=session_id. Otherwise, it expands to an empty string. Thus, you can embed it unconditionally into URLs.
This was found in the sessions section located here: [php_man]session[/php_man]
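The two posts above name three directives that decide how the session ID travels: session.use_cookies, session.use_only_cookies and session.use_trans_sid. The following is an added example, not code from any poster in this thread, showing the weak combination beside the cookie-only one applied with ini_set() before session_start(), plus a small check function (sessionTransportReport is my own name, not a PHP function) that reads the effective values back and lists any path by which the ID could still end up in a URL. The same values can be set in php.ini instead.

```php
<?php
// Added example (not from any poster in the thread): lock session-ID transport
// to cookies only, so PHP neither accepts an ID from the query string nor
// rewrites links to append one. All three directives are discussed in the thread.

// Weak combination: cookies are used, but an ID supplied in the URL is still
// accepted, and with use_trans_sid on PHP appends NAME=ID to every relative
// link it outputs (this is what produces "test?PHPSESSID=..." style links).
//   session.use_cookies      = 1
//   session.use_only_cookies = 0
//   session.use_trans_sid    = 1   ; or --enable-trans-sid at build time

// Hardened combination. These must be set before session_start().
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1'); // ignore IDs arriving in GET/POST
ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID

/**
 * Reads the effective session directives and reports whether the current
 * configuration can still move the session ID through URLs.
 * Returns the three boolean values plus a 'findings' list (empty = cookies only).
 */
function sessionTransportReport()
{
    // ini_get() returns strings such as "0" or "1"; cast them to booleans.
    $cfg = array(
        'use_cookies'      => (bool) ini_get('session.use_cookies'),
        'use_only_cookies' => (bool) ini_get('session.use_only_cookies'),
        'use_trans_sid'    => (bool) ini_get('session.use_trans_sid'),
    );
    $findings = array();
    if (!$cfg['use_cookies']) {
        $findings[] = 'session.use_cookies is off: the ID can only travel in URLs';
    }
    if (!$cfg['use_only_cookies']) {
        $findings[] = 'session.use_only_cookies is off: an ID supplied in the URL is accepted';
    }
    if ($cfg['use_trans_sid']) {
        $findings[] = 'session.use_trans_sid is on: relative links are rewritten to carry the ID';
    }
    $cfg['findings'] = $findings;
    return $cfg;
}

session_start();

$report = sessionTransportReport();
echo $report['findings']
    ? implode("\n", $report['findings']) . "\n"
    : "session ID transport: cookies only\n";
```

With the hardened values the script prints "session ID transport: cookies only"; comment out the three ini_set() lines on a PHP 4.3-era default configuration and the report lists which directive still allows URL transport. Note that the SID constant quoted from the manual stays empty once the client sends the cookie, so code that embeds it unconditionally only leaks the ID for clients that refuse cookies.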

Posted: Sun Nov 16, 2003 11:16 pm
by Paddy
Ummm...I am pretty crap when it comes to security so this may not be the best way and may very well be one of the worst ways. But I use this instead of SID. I just don't trust users. Before you know it they are copying and pasting the URL and sending the SID off to their buddies...

Code:

<?php
session_start();
// Create a random per-session token once, the first time this session is seen,
// and keep it server-side in $_SESSION rather than in the URL.
if (!(isset($_SESSION['session'])))
{
    $_SESSION['session'] = md5(uniqid(rand()));
    $session = $_SESSION['session'];
}
?>

Posted: Mon Nov 17, 2003 12:47 am
by jwang
Paddy wrote:
Ummm...I am pretty crap when it comes to security so this may not be the best way and may very well be one of the worst ways. But I use this instead of SID. I just don't trust users. Before you know it they are copying and pasting the URL and sending the SID off to their buddies...

Code:

<?php
session_start();
if (!(isset($_SESSION['session'])))
{
$_SESSION['session'] = md5(uniqid(rand()));
$session = $_SESSION['session'];
}
?>

Code:

<?php
session_start();
// Same idea as Paddy's code, keyed under 'username' instead of 'session'.
if (!(isset($_SESSION['username'])))
{
    $_SESSION['username'] = md5(uniqid(rand()));
    $session = $_SESSION['username'];
}
echo("<a href=test>test session</a>");
?>
and the URL bar displays: test&SSID=.....

This code doesn't work?
You can visit at: http://test.usabestof.com/session_test.php

Please help me!

Posted: Mon Nov 17, 2003 12:55 am
by scorphus
I don't get test&SSID= on my browser. It just displays:

Code:

<a href=test>test session</a>

Posted: Mon Nov 17, 2003 12:55 am
by infolock
8O

worked for me

Posted: Mon Nov 17, 2003 1:02 am
by Paddy
It does work. I just accidentally left the extra php tags in. :oops: I edited it pretty damn quick though. You guys are just quicker. :)

Any comments on the use of this code for sessions?

Posted: Mon Nov 17, 2003 1:05 am
by jwang
scorphus wrote:
I don't get test&SSID= on my browser. It just displays:

Code:

<a href=test>test session</a>
Yeah! If you click on the link you won't get that, but when you drag over the link you can see the SSID in the status bar. (The link click has been processed.)

It doesn't work for me?

Posted: Mon Nov 17, 2003 1:08 am
by infolock
Dude, I just don't see where you are getting the SSID at all, cuz I don't see it. Maybe you have an older browser or something, dunno.

Posted: Mon Nov 17, 2003 1:16 am
by scorphus
jwang wrote:
Yeah! If you click on the link you won't get that, but when you drag over the link you can see the SSID in the status bar. (The link click has been processed.)

It doesn't work for me?
I don't get SSID at all, nor in the status bar: http://test.usabestof.com/test

It seems to be working for me too. Make the test.php echo the $_SESSION['username'] var, so we can check if it is working.

Cheers,
Scorphus.

Posted: Mon Nov 17, 2003 2:55 am
by twigletmac
Check your cookie settings in your browser - if the session cookie can't be set then you'd expect to see the session ID in the URL.

Mac
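Two checks that make twigletmac's diagnosis and jwang's observation testable, as an added example that is not code from any poster in the thread. sessionIdSource() reports whether the ID for the current request arrived in the cookie, in the query string, or not at all (a request with no cookie but with the ID in the URL is exactly the cookie-refused case); findSessionIdInLinks() scans rendered HTML for links whose query string carries the session name, which is what trans-sid rewriting produces. Both function names are mine, the sample HTML is constructed, and the session name is assumed to be PHP's default PHPSESSID unless session.name was changed.

```php
<?php
// Added example (not from any poster in the thread). Two checks for the
// symptom discussed above: which channel the session ID arrived on, and
// whether trans-sid rewriting has put the ID into the links of a page.

session_start();

/**
 * Reports where the session ID for this request came from: 'cookie', 'url'
 * or 'new' (no ID was sent and PHP generated one). A browser that refuses
 * the session cookie shows up here as 'url' on every request after the first.
 */
function sessionIdSource()
{
    $name = session_name();            // 'PHPSESSID' unless session.name was changed
    if (isset($_COOKIE[$name]) && $_COOKIE[$name] === session_id()) {
        return 'cookie';
    }
    if (isset($_GET[$name]) && $_GET[$name] === session_id()) {
        return 'url';
    }
    return 'new';
}

/**
 * Scans rendered HTML for href/src values whose query string carries the
 * session name (?NAME=, &NAME= or &amp;NAME=). Returns the matching URLs,
 * so an empty array means no link on the page would hand the ID to a third party.
 */
function findSessionIdInLinks($html, $name = null)
{
    if ($name === null) {
        $name = session_name();
    }
    $found = array();
    // Attribute values may be double-quoted, single-quoted, or unquoted as in
    // the thread's <a href=test> example.
    if (preg_match_all('/\b(?:href|src)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', $html, $m)) {
        foreach ($m[1] as $url) {
            $url = trim($url, "\"'");
            if (preg_match('/[?&](?:amp;)?' . preg_quote($name, '/') . '=/', $url)) {
                $found[] = $url;
            }
        }
    }
    return $found;
}

// Constructed sample output, as trans-sid rewriting would produce it for a
// client that did not send the cookie; the ID value is a made-up placeholder.
$sample = '<a href=test?PHPSESSID=0123456789abcdef>test session</a> '
        . '<a href="/about.php">about</a> '
        . '<a href="/x.php?a=1&amp;PHPSESSID=0123456789abcdef">x</a>';

echo "session ID source: " . sessionIdSource() . "\n";
foreach (findSessionIdInLinks($sample, 'PHPSESSID') as $leak) {
    echo "session ID in link: $leak\n";
}
```

Run on the constructed sample this lists the first and third links and leaves /about.php alone; dropped into the test page from the thread and fed the page's own output via ob_get_contents(), it shows directly whether the browser's cookie settings are forcing PHP onto the URL path.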