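<?php
// session_start() has already been called at the top of the page.
// empty() avoids an "undefined index" notice when 'auth' was never set.
if (empty($_SESSION['auth'])) {
    echo "You need to either sign-up or log-in to view/make comments. Please select an action below:<br>
<a href=\"register.php\">Sign-up</a><br>";
} else {
    // Escape the stored username before writing it into HTML.
    $user = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
    echo "You are logged in, $user";
}
?>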
Simple enough. My question: When I hover over the link to register.php, it also adds the PHPSESSID=whatever onto the URL. I don't want that to be displayed in the URL, I just want it to have the URL with just register.php.
As for whether it's right or wrong, well, the session id has to be stored somewhere on the user's computer and on the server. Removing it from the URL may only make your log files easier to analyze. You may want to look into using session-only cookies that expire when the browser closes, if you're really worried about hijacking.
Really, I was using sessions to verify a user was logged in or not, or a user was registered.
On the page where I had the code, it doesn't matter if the user was registered/logged in, so really I don't know "why" it put that in the URL.
My question still remains, WHY does it generate the PHPSESSID for the link? No sessions were made, just the session_start() on top.
Bit more info if it helps: on register.php, if all fields come good and there's no username and all that hocus pocus, it INSERTs the data into MySQL as well as assigning $_SESSION['username'] to the $_POST username from the form, as well as setting $_SESSION['auth'] to true.
I think you're experiencing use_trans_sid as detailed here.
"If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically."
So disabling use_trans_sid in your php.ini or using an absolute URL (http://foo.com/register.php) should stop the session id being auto-appended to the URL.
When you use session_start() it assigns the user a session id or retrieves the current session id. The session id is passed back and forth between the user and the server one of two ways:
1. Via the URL, which you have seen already with PHPSESSID.
or
2. Via a cookie.
The session id basically identifies the $_SESSION variables (which are stored on the server) for a particular user. The only thing the user has on his computer is the PHPSESSID (the session id).
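
Added example (not code from any poster in this thread): one way to apply the advice above, keeping the session id out of URLs and in a session-only cookie, by passing the settings to session_start(). It assumes PHP 7.3 or later; the function names start_cookie_only_session and mark_logged_in are made up for illustration.

```php
<?php
// Added example: start the session so the id travels only in a cookie.
// Assumes PHP 7.3+ (for cookie_samesite); function names are illustrative.

function start_cookie_only_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }
    session_start([
        'use_trans_sid'    => 0,  // never rewrite relative URLs with PHPSESSID
        'use_only_cookies' => 1,  // ignore session ids supplied in the URL
        'use_strict_mode'  => 1,  // reject ids the server did not issue
        'cookie_lifetime'  => 0,  // session-only cookie: gone when the browser closes
        'cookie_httponly'  => 1,  // not readable from JavaScript
        'cookie_samesite'  => 'Lax',
        // 'cookie_secure' => 1,  // enable when the site is served over HTTPS
    ]);
}

function mark_logged_in(string $username): void
{
    // Issue a fresh id at the privilege change, so an id that was exposed
    // before login (for example in an old URL or log line) stops being valid.
    session_regenerate_id(true);
    $_SESSION['auth']     = true;
    $_SESSION['username'] = $username;
}

start_cookie_only_session();

if (empty($_SESSION['auth'])) {
    // The relative link stays exactly "register.php": no PHPSESSID is appended.
    echo 'Please <a href="register.php">sign up</a> or log in.';
} else {
    $user = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
    echo "You are logged in, $user";
}
```

register.php would call mark_logged_in() at the point where it currently sets $_SESSION['auth'] to true.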