
session(s)

Posted: Mon Apr 05, 2004 11:23 am
by tim
I just have a question. I really just dipped my toes into sessions.

anyway, I have this code here:

Code:

<?php
// session_start() is called at the top of the page
if (empty($_SESSION['auth'])) {
    // Not authenticated: the key is unset or falsy
    echo "You need to either sign-up or log-in to view/make comments. Please select an action below:<br>
         <a href=\"register.php\">Sign-up</a><br>";
} else {
    // Escape the stored username before writing it into HTML
    $user = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
    echo "You are logged in, $user";
}
?>

Simple enough. My question: When I hover over the link to register.php, it also adds the PHPSESSID=whatever onto the URL. I don't want that to be displayed in the URL, I just want it to have the URL with just register.php.

I know it can't be safe for that to be in the URL.

Please help

Posted: Mon Apr 05, 2004 2:04 pm
by Buddha443556
Tim, I think you posted this in the wrong forum? However, I think the setting you're looking for is:

Code:

session.use_only_cookies = 1
That should get rid of the PHPSESSID in the URL.

As for whether it's right or wrong, well, the session id has to be stored somewhere on the user's computer and on the server. Removing it from the URL may only make your log files easier to analyze. You may want to look into using session-only cookies that expire when the browser closes, if you're really worried about hijacking.

Posted: Mon Apr 05, 2004 3:16 pm
by tim
well

Really, I was using sessions to verify whether a user was logged in or not, or whether a user was registered.

On the page I had the code, it doesn't matter if the user was registered/logged in, so really I don't know "why" it put that in the URL.

My question still remains, WHY does it generate the PHPSESSID for the link? No sessions were made, just the session_start() on top.

Bit more info if it helps: on register.php, if all fields come good and there's no username and all that hocus pocus, it INSERTS the data into the MySQL as well as assigning $_SESSION['username'] to the $_POST username from the form, as well as setting $_SESSION['auth'] to true.

please help me understand this

Posted: Mon Apr 05, 2004 3:24 pm
by markl999
I think you're experiencing use_trans_sid as detailed here.
"If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically."

So by disabling use_trans_sid in your php.ini or using an absolute URL (http://foo.com/register.php) that should stop the session id being auto-appended to the URL.
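
The settings named in the replies above (session.use_only_cookies, session.use_trans_sid and a cookie that expires when the browser closes), checked and applied at runtime before session_start(). This is an added example, not code from any poster in the thread; the function names ini_as_int, audit_session_ini and harden_session_ini are hypothetical, while the ini directives are PHP's own.

```php
<?php
// Added example (not from the thread); function names are hypothetical.
// Wanted values for the directives discussed above.
const WANTED = [
    'session.use_trans_sid'    => 0, // no PHPSESSID rewritten into relative URIs
    'session.use_cookies'      => 1, // carry the ID in a cookie
    'session.use_only_cookies' => 1, // ignore IDs supplied in the URL
    'session.cookie_lifetime'  => 0, // cookie ends when the browser closes
];

// ini_get() may return "", "0", "1", "On", "Off" or a number; normalise to int.
function ini_as_int(string $key): int
{
    $raw  = ini_get($key);
    $bool = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    return $bool === null ? (int) $raw : (int) $bool;
}

// Return [directive => effective value] for every setting that differs.
function audit_session_ini(array $wanted = WANTED): array
{
    $findings = [];
    foreach ($wanted as $key => $value) {
        $actual = ini_as_int($key);
        if ($actual !== $value) {
            $findings[$key] = $actual;
        }
    }
    return $findings;
}

// Apply the settings for this request; only valid before session_start().
function harden_session_ini(array $wanted = WANTED): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new LogicException('call before session_start()');
    }
    foreach ($wanted as $key => $value) {
        if (ini_set($key, (string) $value) === false) {
            throw new RuntimeException("could not set $key");
        }
    }
}

error_log('before: ' . json_encode(audit_session_ini()));
harden_session_ini();
session_start();
error_log('after: ' . json_encode(audit_session_ini()));
echo '<a href="register.php">Sign-up</a>'; // relative link, no PHPSESSID appended
```

Setting the same directives in php.ini makes the change site-wide instead of per request.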

Posted: Mon Apr 05, 2004 3:35 pm
by tim
excellent mark - that's what I was looking for.

lil unclear on it, but now I know what to research

kudos shooter

Posted: Mon Apr 05, 2004 3:38 pm
by Buddha443556
I'll try to explain.

When you use session_start() it assigns the user a session id or retrieves the current session id. The session id is passed back and forth between the user and the server one of two ways:

1. Via the URL, which you have seen already with PHPSESSID.

or

2. Via a cookie.

The session id basically identifies the $_SESSION variables (which are stored on the server) for a particular user. The only thing the user has on his computer is the PHPSESSID (the session id).

Hope that helps, I'm a lousy teacher.

Posted: Mon Apr 05, 2004 6:56 pm
by tim
Yeah, I understand how sessions are stored but I couldn't see why it was doing it.

Even after I deleted session_start() it "still" showed the PHPSESSID.

thanks for the explanation :D