Sessions' URL or Cookies
Hi guys,
I have read that it is more secure to use cookies instead of sessions' URL requests. My question has to do with the very coding of that. I do not want you to create my code but I want to know what the logic is and if there is a tutorial on that online.
Thank you, guys.
Last edited by user___ on Wed Mar 28, 2007 9:24 am, edited 1 time in total.
If you only want to use session cookies, in your php.ini file set session.use_cookies to 1 and session.use_only_cookies to 1.
This should prevent them being passed through the URL.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
What are you trying to accomplish? If you are trying to force the use of cookie based sessions only, you are going to be shooting yourself in the foot. Some people set their browsers to not accept cookies. In that case, anyone using your script would not be able to get past a single page in the session because the URL parameter for session management is turned off. Why do you want to do this?
Reply
I had not wanted to do so but after I have read an article which says that the most secure solution is to use sessions with cookies (It was not said whether to use them only with cookies but this is not what I am trying to do (To use only cookies because of the reasons you listed above.).). I am trying to accomplish something not so hard but still unaccomplishable (I do not know why?). I want to create a log in script, then redirect a user to the logged page (The page which uses sessions), and then while they are browsing the logged pages, a function to be called permanently which checks whether the user is authenticated. I am still trying to create this redirection but although I tried anything and even this:
Code: Select all
session_start();
session_regenerate_id();
$_SESSION['username']="username";
session_write_close();
header("Location:...");
exit();
I still get an empty array. The only way it works is when instead of redirection I set a link and then it works (BTW: On my Server on the Internet it runs only when I do not use full URLs in the header("Location:log_in.php");).
I want to accomplish that.
- RobertGonzalez
Re: Reply
user___ wrote:I want to create a log in script, then redirect a user to the logged page (The page which uses sessions), and then while they are browsing the logged pages, a function to be called permanently which checks whether the user is authenticated.
Let's comment code this thing, shall we?
Code: Select all
<?php
// start the session
session_start();
// check authentication
reject_unauthorized_user();
// If we are here, then we know that we are ok...
?>
Code: Select all
<?php
function reject_unauthorized_user()
{
    // No auth flag in the session, or flag explicitly false: send to login
    if (!isset($_SESSION['session_user_auth']) || $_SESSION['session_user_auth'] === false)
    {
        header('Location: http://www.mysite.com/login.php');
        exit;
    }
    return;
}
?>
Reply
Thank you for your response Everah, but we seem to have misunderstood each other to some extent. I have a log in form which (when submitted) is sent to a redirection .php file which redirects a user to the pages, but here the things come. After a successful validation (as you have described) redirect, else display the Log in form, but in the redirection file where I set sessions and then redirect a user to the secured pages I have my sessions unavailable on the secured page. What I mean is that instead of setting sessions, redirect a user, and then have them available on the secured page (sessions were initiated in the redirection file) I have an empty array on the secured page.
- RobertGonzalez
Reply
No, it is not exactly what I do. Everything is true until the comma and I set the session in the redirection file. An example of what I am doing is that forum. You log in, validate (I suppose the validation is in the redirection file. (I am not sure whether this is the case.).), and redirect.
gathering information and validating on one page, redirecting to another page where session values are set, then redirecting again? I
- RobertGonzalez
Reply
Log in is an HTML form which has a username and a password field so I will post only the .php ones.
redirect.php:
Code: Select all
<?php
//Sessions
//Session start
session_start();
//Regenerate id
session_regenerate_id();
//Set session vars
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
//Disable session writing
session_write_close();
//Does not work with full URLs either
header("Location:secured.php?show_menu=1");//show_menu is just a get var used for the interface. I have tested with and without it
header("Location:http://www.mysite.com/secured.php?show_menu=1");
?>
secured.php:
Code: Select all
<?php
//Session start
session_start();
//Array();
print_r($_SESSION);
?>
I have simplified these scripts as much as I could because of their length.
- RobertGonzalez
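The cookie-only settings and the login-then-redirect flow discussed in this thread, put together as an added example (not code from any poster, and not a diagnosis of the empty array reported above). It assumes PHP 7.3 or later, sets the session options with ini_set() instead of php.ini, and uses a constructed account and hypothetical paths; reject_unauthorized_user() and session_user_auth follow the names used earlier in the thread.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.3+ for the array
// form of session_set_cookie_params(). Paths and the sample account are made up.

function start_cookie_only_session(): void
{
    ini_set('session.use_cookies', '1');      // carry the session ID in a cookie
    ini_set('session.use_only_cookies', '1'); // ignore IDs supplied in the URL
    ini_set('session.use_trans_sid', '0');    // never append the ID to links
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
    session_set_cookie_params([
        'httponly' => true,                   // not readable from page scripts
        'secure'   => ($_SERVER['HTTPS'] ?? 'off') !== 'off',
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(string $username, string $password, array $users): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);            // new ID at login, old session data deleted
    $_SESSION['session_user_auth'] = true;  // keep the result, never the password
    $_SESSION['username'] = $username;
    return true;
}

function redirect_and_stop(string $path): void
{
    session_write_close();                  // save session data before redirecting
    header('Location: ' . $path);
    exit;                                   // nothing after the redirect may run
}

function reject_unauthorized_user(): void   // call at the top of every secured page
{
    if (empty($_SESSION['session_user_auth'])) {
        redirect_and_stop('/login.php');
    }
}

// What a redirect.php could do with the posted form (constructed account below).
start_cookie_only_session();
$users = ['alice' => password_hash('constructed-password', PASSWORD_DEFAULT)];
$name = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
$pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
redirect_and_stop(log_in($name, $pass, $users) ? '/secured.php?show_menu=1' : '/login.php');
```

A secured page would call start_cookie_only_session() and then reject_unauthorized_user() before producing any output.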