Page 1 of 1
[SOLVED]How to get SESSION vars from PHPSESSID w/o a cookie?
Posted: Mon Feb 05, 2007 12:13 am
by abeall
I'm working on a project in which I'm facing a situation where I will not be able to send cookie data, but I can send the PHPSESSIONID(as returned by JS document.cookie) via a querystring, like this:
script.php?sessid=u92yh54t7356953h6957
The question is, how would I retrieve $_SESSION variables at that point? Since the cookie has not been sent, it seems $_SESSION would not be registered, but I would have the valid session id, so how to I access that session object?
Posted: Mon Feb 05, 2007 1:50 am
by kaszu
Re: How to get SESSION vars from PHPSESSID without a cookie?
Posted: Mon Feb 05, 2007 2:07 am
by alex.barylski
abeall wrote:I'm working on a project in which I'm facing a situation where I will not be able to send cookie data, but I can send the PHPSESSIONID(as returned by JS document.cookie) via a querystring, like this:
script.php?sessid=u92yh54t7356953h6957
The question is, how would I retrieve $_SESSION variables at that point? Since the cookie has not been sent, it seems $_SESSION would not be registered, but I would have the valid session id, so how to I access that session object?
Heh???
You can't send cookie data but you can send cookie identifiers? In this case PHPSESSIONID?
Why are you doing this - the only thing I can think of is your trying to communicate across seperate domains? In which case if your domains are hosted on seperate servers - your screwed.
I believe you can pass the SESSION ID's over to a seperate domain, if their both hosted on the same shared server, but thats it...
What is it exactly, you are trying to accomplish?
Posted: Mon Feb 05, 2007 2:15 am
by abeall
Thanks. Interestingly, I have both those pages open in tabs, I guess I'm on the right track. I'm not sure I completely get how session_id() works, but I tried something simple, like this:
Code: Select all
// authenticate via $_SESSION, or $_GET['sessid'] if provided
if($_GET['sessid']){
session_id($_GET['sessid']);
}
session_start();
$loggedIn = $_SESSION['pb_loggedIn'];
if($loggedIn) {
...
And it seems to do what I want. I can have an unauthenticated/logged in browser(in my test, FireFox), then grab the session ID from an authenticated browser(IE7), and insert it in the query, and I get authenticated results. Thanks!
Posted: Mon Feb 05, 2007 2:21 am
by abeall
Why are you doing this - the only thing I can think of is your trying to communicate across seperate domains? In which case if your domains are hosted on seperate servers - your screwed.
An interesting question. I'm using Flash 8 to upload files via POST data. Sadly, while Flash 8 will send cookie data with other HTTP calls, it seems to have inconsistent results with the particular upload method. All my tests have successfully sent cookie data with the upload method(testing FF and IE7, default security settings), however there are many confirmed results from other Flash users that cookies aren't successfully sent with the Flash upload method(though no official word from Adobe AFAIK), so I'm hesitant to rely on it.
As a result, I'm retrieving PHPSESSIONID via JavaScript(document.cookie), and appending it to the URL which is the PHP script to handle the uploaded file. Ugly as sin, I know...
Posted: Mon Feb 05, 2007 2:40 am
by alex.barylski
Hmmmm...ok...
I believe that relying on PHPSESSIONID inside your Javascript...is a bad idea...session_id() returns the name of the session (in this case PHPSESSIONID) but it can be changed via the session_id() function as well. So if you can pass the results of session_id() to your javascript that might work better - if my assumption is accurate

Posted: Mon Feb 05, 2007 9:07 am
by feyd
Hockey wrote:Hmmmm...ok...
I believe that relying on PHPSESSIONID inside your Javascript...is a bad idea...session_id() returns the name of the session (in this case PHPSESSIONID) but it can be changed via the session_id() function as well. So if you can pass the results of session_id() to your javascript that might work better - if my assumption is accurate

Hockey's referring to session_name(). session_id() will return the ID number.

Posted: Mon Feb 05, 2007 11:25 am
by abeall
feyd wrote:Hockey wrote:Hmmmm...ok...
I believe that relying on PHPSESSIONID inside your Javascript...is a bad idea...session_id() returns the name of the session (in this case PHPSESSIONID) but it can be changed via the session_id() function as well. So if you can pass the results of session_id() to your javascript that might work better - if my assumption is accurate

Hockey's referring to session_name(). session_id() will return the ID number.

Better yet, since the page is PHP I can skip the JS and just embed the session ID directly into Flash(using session_name() I guess) with Flash's embed/object tags, since the problem is only in Flash's HTTP request, but the page itself is generated by sessioned PHP. Thanks both.