Session or Not Session that is the question

AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

I am having a little problem. I am trying to authenticate users using a combination of www-authenticate and sessions.
My solution works except for the possible scenario of a user that has cookies disabled and therefore the session cookie is not created.

I want such a user to authenticate for every page instead of rejecting him altogether. Now I have a problem I cannot solve, probably due to a lack of understanding.

How is a session_start() handled if the session cookie is rejected and url trans is off as well?

Is a session_id created at all?

Can I use the $_SESSION array at all?

I am not sure about how sessions work in this case. I was thinking of checking something like this in case the session is not created.

<?php
if (!isset($_SESSION['auth'])) {
	$_SESSION['auth'] = 0;
}
if (!isset($_SESSION['auth'])) {
	// no session created
}
?>
scorphus
Forum Regular
Posts: 589
Joined: Fri May 09, 2003 11:53 pm
Location: Belo Horizonte, Brazil

Post by scorphus »

Read this section of the Sessions reference in the manual: http://www.php.net/manual/en/ref.sessio ... .idpassing

-- Scorphus
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

I understand how it works now but it doesn't help me to solve my problem.

In my case the following should happen.

If a user without a session wants to log in, he can either be someone who comes there for the first time since his browser was opened, or someone who has cookies turned off, or even worse, someone who individually accepts one cookie and rejects another.

Is there any way to determine what is the case?

If a user has cookies enabled, all is fine. My authorize function is called and because his session is now registered he is granted access.

If cookies are turned off the authorize function is called and he does not get access as the authorize function sets a new header and the page basically gets reloaded. Due to the circumstance that cookies are disabled the user of course seems to be a fresh one again and the authorize function gets called once more and so on.

So if I decide that cookies are required it works OK, but I want someone without cookies to get access for that page if the authorize was successful, and if he surfs further he will have to reauthorize on every page, so he can use the members section even though it is inconvenient.

Any solutions?
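
Added example, not part of any post in this thread: one way to handle the cookieless case described above without the reload loop. It treats a returned session cookie as the only proof that a session exists and otherwise verifies the HTTP Basic credentials on that same request. The names `require_login()`, `check_credentials()`, `auth_user`, the realm and the sample user are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Function names, the realm and the sample user are hypothetical.
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
ini_set('session.use_trans_sid', '0');    // never append one to links either

function check_credentials(string $user, string $pass): bool
{
    // Constructed sample store: one user "demo" with password "example-only".
    static $users = null;
    $users ??= ['demo' => password_hash('example-only', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function require_login(): string
{
    // A browser shows that it keeps cookies only by sending the session cookie back.
    $cookieReturned = isset($_COOKIE[session_name()]);

    // session_start() works either way: without a returned cookie it creates a new
    // id and an empty $_SESSION that is usable for this request only.
    session_start();

    if ($cookieReturned && !empty($_SESSION['auth_user'])) {
        return $_SESSION['auth_user']; // normal path: session carried by the cookie
    }

    // No usable session: check the credentials sent with this very request.
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($user === null || !check_credentials($user, $pass)) {
        header('WWW-Authenticate: Basic realm="Members"');
        http_response_code(401);
        exit('Authentication required');
    }

    // Valid credentials: serve the page now instead of reloading it. New id on
    // login guards against session fixation. If the cookie is rejected, the next
    // request simply starts from an empty session and is verified again here.
    session_regenerate_id(true);
    $_SESSION['auth_user'] = $user;
    return $user;
}

$user = require_login();
echo 'Hello, ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Browsers resend Basic credentials for the realm on every request, so a visitor who rejects cookies is re-verified on each page, while a visitor who accepts them is verified once and then recognised by the session.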