session question
Moderator: General Moderators
session question
I have set up some session variables to pass data between pages. It works except the first page with a session_start() rewrites links with phpsessid added. the first page I link to from that page has the uri with phpsessid in the browser address line. subsequent pages and it disappears. It seems that it is only on the first page where the session is initialised that it happens. linking to the same page afterwards does not show the phpsessid rewrites.
Can this be avoided so that at no time is the sessionid visible assuming session cookies are allowed.
Also, where does IE 6.0 write session cookies to as I cant see them in temporary internet files unless they are in idex.dat.
Hope this makes sense. you can see what is happening at http://www.visualperception.net/gallery ... ellany.htm
linking to an image starts a session on that images page and any links from from that page have phpsessid appended. Subsequent image pages don't.
TIA
Can this be avoided so that at no time is the sessionid visible assuming session cookies are allowed.
Also, where does IE 6.0 write session cookies to as I cant see them in temporary internet files unless they are in idex.dat.
Hope this makes sense. you can see what is happening at http://www.visualperception.net/gallery ... ellany.htm
linking to an image starts a session on that images page and any links from from that page have phpsessid appended. Subsequent image pages don't.
TIA
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Ok, The session ID appended to the URL is normal. This happens in all setups by default. You may be able to avoid it using mod_rewrite for apache.
Your question about cookies in IE. They are stored in the temporary internet files. You can view them by going to tools -> Internet Options -> Settings -> Show files.
They are just plain text files.
Hope this helps.
Your question about cookies in IE. They are stored in the temporary internet files. You can view them by going to tools -> Internet Options -> Settings -> Show files.
They are just plain text files.
Hope this helps.
my ISP has mod rewrite installed on Apache and session.use_trans_sid = 1
its only the first page with a session_start() that it happens, subsequent pages it doesn't.
I checked for the cookie immediately after IE had requested to use one, but it wasn't there, which is why I wondered if session cookies go into index.dat which is in the windows web cache folder.
its only the first page with a session_start() that it happens, subsequent pages it doesn't.
I checked for the cookie immediately after IE had requested to use one, but it wasn't there, which is why I wondered if session cookies go into index.dat which is in the windows web cache folder.
- SystemWisdom
- Forum Commoner
- Posts: 69
- Joined: Sat Mar 26, 2005 5:54 pm
- Location: A Canadian South of the 49th Parallel
You can force sessions to use cookies:
The first will disable the addition of session IDs to internal URLs, the second will remove support for passing session IDs in URLs.
Code: Select all
php_flag session.use_trans_sid off
php_flag session.use_only_cookies onOK, now I'm confused. I thought that session cookies were stored on the web server. Infact I know they are cos I've got Apache installed locally and when testing locally I can see them. My next assumption is that the sessionid is passed in the http headers when you receive a page in your browser from the web server. However I'm not quite sure this assumption is correct because if I switch session cookies off in IE then sessionid gets appended to urls.
So am I now correct in thinking that a;) session cookies at the clients browser just contain the sessionid (and not the session variables), and b;) client browser session cookies must be enabled if sessionid's are not to be appended to link url's and c;) sessionid is sent as a separate cookie from the web page which is why session cookies must be enabled at the clients browser if sessionid's are not to be appended to links in the page.
tia
So am I now correct in thinking that a;) session cookies at the clients browser just contain the sessionid (and not the session variables), and b;) client browser session cookies must be enabled if sessionid's are not to be appended to link url's and c;) sessionid is sent as a separate cookie from the web page which is why session cookies must be enabled at the clients browser if sessionid's are not to be appended to links in the page.
tia
Sessions cookies are always stored in the user's PC.
All cookies are stored in the user's PC - thats what cookies are all about.
If cookies are disabled then phpsessid gets appended to the url.
BTW, an IE specific issue - when you destroy your session, your session id STILL remains in the cookie in Temporary Internet Files. So next time you run a script calling session_start() you'll find the EXACT session id being used because it still remains in your cookie.
The last line clears all cookies of that session id - including the session id itself.
All cookies are stored in the user's PC - thats what cookies are all about.
If cookies are disabled then phpsessid gets appended to the url.
BTW, an IE specific issue - when you destroy your session, your session id STILL remains in the cookie in Temporary Internet Files. So next time you run a script calling session_start() you'll find the EXACT session id being used because it still remains in your cookie.
Code: Select all
session_unset();
$_SESSION = array();
session_destroy();
setcookie(session_name(),"",0,"/");Hmmmmm....
If you switch off cookies in IE including session cookies then its still possible to maintain state with session id and session variables.
So no cookies but session variables exist. Perhaps you would like to tell us where they get saved.
The answer of course, is on the server. That is why anyone else who gets hold of your session id can access them. If they were stored on the users machine then no one else could access them(or at least much more difficult). I'm talking SESSION cookies here and NOT common or garden cookies. There is a difference.
If you have PHP installed locally on your system then if it has been configured correctly you will have a directory called something like SESS, probably, in your root directory, where the server session cookies are stored. Have a look, you might be surprised!
If you switch off cookies in IE including session cookies then its still possible to maintain state with session id and session variables.
So no cookies but session variables exist. Perhaps you would like to tell us where they get saved.
The answer of course, is on the server. That is why anyone else who gets hold of your session id can access them. If they were stored on the users machine then no one else could access them(or at least much more difficult). I'm talking SESSION cookies here and NOT common or garden cookies. There is a difference.
If you have PHP installed locally on your system then if it has been configured correctly you will have a directory called something like SESS, probably, in your root directory, where the server session cookies are stored. Have a look, you might be surprised!
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
You're right and wrong at the same time.
There's cookies and there's "session data". Different things.
Cookies -> On the client machine
Session data -> On the server
The server contains a directory for storing session data (you can even save that data into a database).
Having sessions with cookies enabled in php.ini simply means that cookies are used too. Turn on the feature to ask before accepting cookies in IE and you'll see the prompt when you open a web page with sessions.
There's cookies and there's "session data". Different things.
Cookies -> On the client machine
Session data -> On the server
The server contains a directory for storing session data (you can even save that data into a database).
Having sessions with cookies enabled in php.ini simply means that cookies are used too. Turn on the feature to ask before accepting cookies in IE and you'll see the prompt when you open a web page with sessions.
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia