need help on session handling

weilich
Forum Newbie
Posts: 4
Joined: Thu Oct 24, 2002 10:19 am

need help on session handling

Post by weilich »

I use session handling in my PHP programs. They work fine on the browsers which support cookies. But if the cookie support is disabled, they just do not work. The session variables are empty.

According to my PHP book, session handling should work in that case. Does anybody know what is wrong? Thanks.
mahara
Forum Commoner
Posts: 37
Joined: Wed Nov 13, 2002 1:08 am
Location: Bandung, Jawa Barat, Indonesia

Try this!

Post by mahara »

Have you checked the session.use_trans_sid setting in your php.ini?

If you want the session to still run without cookie support, the setting should look like this.

session.use_trans_sid = 1

But this setting carries more risk than leaving it disabled, because if a session can't use cookies, PHP will send the SID constant through the URL. It's not safe because anyone can hijack the session, e.g. by bookmarking the URL.

Anyway, you still can use it.

Please refer to the PHP documentation at http://www.php.net for more information on session handling.
musashi
Forum Commoner
Posts: 39
Joined: Tue Jul 23, 2002 12:51 pm
Location: Santa Cruz - CA

Hijacking sessions

Post by musashi »

Please understand that sessions are virtually never secure. A session id must be propagated in some manner (cookies or URL). The URL is the obvious one for gaining access. If anyone catches the URL, they can get access to the session data. But a cookie runs the same risk. Software either on the user's computer, or through creative scripting in a hidden popup window, can get access to cookies. This means that the session id, as it is the link to identification, is not secure. Which means the session data is not secure, if no extra steps are taken.

To semi-reliably secure the data transmission, some level of encryption will need to be used. You also need to kill a session, and the session file (or wherever it is stored). NOTE: if it is being saved in the /tmp dir of the server it is most likely NOT secure; anyone on the system can usually access and read the tmp dir files.

Another step in semi-reliable security is to lock an IP address to a session. If the session data is requested from a different IP, you can deny transmission (and possibly notify the real user). This, however, is not possible if the IP of the user is not static.
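As an added example (not code from any poster in this thread), here is a PHP session bootstrap that applies the defenses discussed above: keeping the id out of the URL, regenerating it at login, killing it properly on logout, and optionally binding it to the client IP. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the function names secure_session_start, login_success and secure_session_destroy are my own.

```php
<?php
// Added example, not from the thread: hardened session handling for PHP.

function secure_session_start(bool $bindToIp = true): void
{
    // Never accept or emit the session id via the URL (the use_trans_sid risk).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']), // send only over TLS when available
        'httponly' => true,                       // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    if ($bindToIp) {
        // Lock the session to the client address, as suggested above.
        $fingerprint = hash('sha256', $_SERVER['REMOTE_ADDR'] ?? '');
        if (!isset($_SESSION['_fp'])) {
            $_SESSION['_fp'] = $fingerprint;       // first request: record the address
        } elseif (!hash_equals($_SESSION['_fp'], $fingerprint)) {
            // Address changed: discard the data and issue a fresh id.
            $_SESSION = [];
            session_regenerate_id(true);
            $_SESSION['_fp'] = $fingerprint;
        }
    }
}

function login_success(int $userId): void
{
    // Fresh id after authentication, so a pre-login id (for example one that
    // was bookmarked or handed to the user) never becomes the logged-in id.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function secure_session_destroy(): void
{
    $_SESSION = [];
    // Expire the cookie client-side as well as deleting the server-side file.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

As musashi notes, the IP binding logs out any user whose address changes mid-session, so pass false to secure_session_start() where that is expected.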