Session in COOKIE or GET
Hi
When using sessions, I normally did $PHPSESSID, but when register_globals is Off then I've got to use $_COOKIE['PHPSESSID'].
What if cookies are off and it's sent in the URL, where I would need to access it as $_GET['PHPSESSID']?
I would like to do something like
$PHPSESSID = $_COOKIE['PHPSESSID'] | $_GET['PHPSESSID'];
Is that possible?
Thanks
$PHPSESSID = $_COOKIE['PHPSESSID'] | $_GET['PHPSESSID']; obviously doesn't work in PHP, but I was hoping for some alternative to achieve this line.
How would I know if PHPSESSID (assuming session.name is PHPSESSID) is coming from COOKIE or GET?
$_REQUEST['PHPSESSID'] does work, but I still can't figure out if it's from COOKIE or GET (without using isset($_COOKIE['PHPSESSID']) and isset($_GET['PHPSESSID'])).
Last edited by anjanesh on Thu Dec 22, 2005 11:52 am, edited 1 time in total.
If register globals is off, try using $HTTP_SESSION_VARS instead of $_SESSION.
If you're worried about variable poisoning:
eg. from the manual ( http://php.net/manual/en/security.globals.php ):
<?php
if (isset($_COOKIE['MAGIC_COOKIE'])) {
    // MAGIC_COOKIE comes from a cookie.
    // Be sure to validate the cookie data!
} elseif (isset($_GET['MAGIC_COOKIE']) || isset($_POST['MAGIC_COOKIE'])) {
    mail("admin@example.com", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']);
    echo "Security violation, admin has been alerted.";
    exit;
} else {
    // MAGIC_COOKIE isn't set through this REQUEST
}
?>

I don't get the problem, who cares if it comes from the cookie or from the GET data,
anyways back on topic:
I usually use this handy function
http://us2.php.net/session_id
jshpro2 wrote: I don't get the problem, who cares if it comes from the cookie or from the GET data
I'm using $_COOKIE[session_name()] in my code.
This assumes cookies are enabled on the client side.
What if one client has cookies disabled? Automatically the session name would be sent across in $_GET, right? Because cookies are disabled.
In this case $_COOKIE[session_name()] will return "undefined index".
*slaps forehead*
Gotcha now. I'd check against the cookie first because that's the way you normally want it to go.... then if that doesn't exist/isn't set, then extract get and parse it to make sure no XSS attack can be done.
A model similar to the code I posted above should work.
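The "cookie first, then GET, then validate" approach from the reply above, written out as an added example (this is not code from the thread or from PHP's manual). The id pattern is an assumption: PHP builds session ids only from the characters 0-9, a-z, A-Z, "," and "-", so anything outside that set was not issued by PHP. The constructed request arrays at the bottom stand in for real traffic so the script runs from the command line.

```php
<?php
// Added example, not code from the thread or from PHP's manual.
// Resolve the session id the way the reply above describes: cookie first,
// then the query string, and only accept a well-formed id either way.
declare(strict_types=1);

/**
 * Returns [id, source] where source is 'cookie' or 'get', or [null, null]
 * when no acceptable id was supplied. $cookie and $get are passed in rather
 * than read from the superglobals so the function can be exercised offline.
 */
function resolveSessionId(array $cookie, array $get, string $name = 'PHPSESSID'): array
{
    // Assumption: PHP builds ids only from 0-9, a-z, A-Z, "," and "-" (which of
    // those appear depends on session.sid_bits_per_character), so anything else
    // is not an id PHP issued. The length bounds are deliberately generous.
    $pattern = '/\A[A-Za-z0-9,-]{22,256}\z/';

    foreach (['cookie' => $cookie, 'get' => $get] as $source => $bag) {
        if (!isset($bag[$name]) || !is_string($bag[$name])) {
            continue;
        }
        if (preg_match($pattern, $bag[$name]) !== 1) {
            // Malformed value: log it and do not hand it to the session layer.
            error_log("rejected malformed session id supplied via $source");
            continue;
        }
        return [$bag[$name], $source];
    }
    return [null, null];
}

// Constructed request data for a stand-alone run (not captured traffic).
$requests = [
    'cookie only'      => [['PHPSESSID' => 'mkp7v0q3hjg2rbd1ta6wc4n8xf'], []],
    'url only'         => [[], ['PHPSESSID' => 'mkp7v0q3hjg2rbd1ta6wc4n8xf']],
    'malformed cookie' => [['PHPSESSID' => 'not a session id!'], []],
];
foreach ($requests as $label => [$cookie, $get]) {
    [$sid, $source] = resolveSessionId($cookie, $get);
    printf("%-16s source=%-6s id=%s\n", $label, $source ?? 'none', $sid ?? '(rejected)');
}

// In a real request (under a web server, before any output has been sent):
if (PHP_SAPI !== 'cli') {
    [$sid, $source] = resolveSessionId($_COOKIE, $_GET, session_name());
    if ($sid !== null) {
        session_id($sid);   // resume this id instead of letting PHP pick one up
    }
    session_start();
    if ($source === 'get') {
        // An id that travelled in a URL may already sit in browser history,
        // proxy logs or Referer headers: issue a fresh one and let the cookie
        // carry it from here on.
        session_regenerate_id(true);
    }
}
```

The regeneration step is the part that matters when an id is accepted from the URL: whoever else has seen that URL holds the old id, and session_regenerate_id(true) discards it. The validation only answers the question the thread raises (where did the id come from, and is it shaped like one); later replies in the thread argue for not accepting URL ids at all.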
Thanks for your input.
Anyway, I'm now thinking... this will be more work, to check which super-global is sending the session name & id.
If you disable cookies and try logging into Yahoo Mail you'll get the message:
The browser you're using refuses to sign in. (cookies rejected)
Guess this is not worth it? Force users to switch on cookies? Or is it worth coding to receive session data in either of the streams? The Y! giant hasn't, at least!
- AKA Panama Jack
Sami wrote: I recommend that.
Thumbs up there...
I personally refuse to support people who don't allow my site to set cookies.
It's either allow it, or sorry, you're out of luck.
On our sites if you have disabled cookie support in your browser we don't care if you never come to the site. Sometimes people can be more than a little anal/paranoid when it comes to security.
- Maugrim_The_Reaper
I agree, I hate using GET sessids because the potential for some unknowing user to post a URL complete with session id is obvious. If they are completely against cookies, and can't even be bothered to allow a domain-specific list of cookies, then they shouldn't expect anything on the net to be capable of maintaining state between requests.
Personally I disable passing the session by GET - its a security risk to the user, and yes I'm a bit obsessive when it comes to security...
Under Sessions and security in the PHP Manual:
Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network.
Even 'cookies' can be listened to over network traffic.
Do you encrypt session ids when not over SSL?
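For the two points the last replies make, disabling session ids in URLs and keeping the id out of cleartext traffic, here is an added example of the session settings involved, written as a PHP script so it can be run and checked; it is not code from the thread or from the PHP manual. It assumes a PHP version where these directives can be changed at runtime with ini_set(), and session.cookie_samesite is an assumption that only applies on PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread or the PHP manual.
// Session settings that keep the id out of URLs and, when the site is served
// over TLS, off the wire in clear text.
declare(strict_types=1);

/**
 * The directive values to apply. $https says whether this request arrived
 * over TLS; session.cookie_secure only makes sense when it did.
 */
function sessionHardeningSettings(bool $https): array
{
    return [
        'session.use_only_cookies' => '1',   // never read the id from GET or POST
        'session.use_trans_sid'    => '0',   // never rewrite links/forms to carry the id
        'session.use_strict_mode'  => '1',   // refuse ids the server never issued (fixation)
        'session.cookie_httponly'  => '1',   // keep the cookie away from document.cookie
        'session.cookie_samesite'  => 'Lax', // assumption: PHP 7.3+; omit it on older versions
        'session.cookie_secure'    => $https ? '1' : '0', // cookie only travels over TLS
    ];
}

/**
 * Applies the settings before session_start() and reports, per directive,
 * whether ini_set() accepted it (it returns false for directives that cannot
 * be changed at runtime, e.g. when locked down in php.ini or .htaccess).
 */
function applySessionHardening(bool $https): array
{
    $applied = [];
    foreach (sessionHardeningSettings($https) as $key => $value) {
        $applied[$key] = ini_set($key, $value) !== false;
    }
    return $applied;
}

// Detect TLS the way PHP exposes it; on the CLI there is no $_SERVER['HTTPS'].
$https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

foreach (applySessionHardening($https) as $key => $ok) {
    printf("%-26s %s\n", $key, $ok ? 'set' : 'NOT changeable at runtime');
}
// session_start() would follow here in a web request.
```

On the thread's closing question: the session id is already a random token, so encrypting it separately without TLS gains nothing, since an attacker who can read the cookie or URL in transit can replay whatever form it takes. The countermeasure the manual is pointing at is transport encryption, with session.cookie_secure set so the browser never sends the cookie over plain HTTP in the first place.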