Sessions' URL or Cookies

Post by user___ »

Hi guys,
I have read that it is more secure to use cookies instead of sessions' URL requests. My question has to do with the very coding of that. I do not want you to create my code, but I want to know what the logic is and whether there is a tutorial on that online.
Thank you, guys.
Last edited by user___ on Wed Mar 28, 2007 9:24 am, edited 1 time in total.

Post by feyd »

There's no real additional logic required. PHP has settings to switch which one will be used and whether both are used initially. It's all handled for you.

Post by user___ »

If I got it, the only thing I have to do to use cookies is to set the .ini file?

Post by s.dot »

If you only want to use session cookies.. in your php.ini file, set session.use_cookies to 1, and session.use_only_cookies to 1.

This should prevent them being passed through the URL.
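
The settings named above can also be applied and checked at runtime, before session_start(). This is an added example, not code from any poster in the thread; the function names configure_cookie_only_sessions() and audit_session_settings() are hypothetical, and the extra keys beyond the two mentioned are standard PHP session settings.

```php
<?php
// Added example: cookie-only session settings applied at runtime.
// Call before session_start(); the same keys can be set in php.ini.
function configure_cookie_only_sessions(bool $https): void
{
    ini_set('session.use_cookies', '1');      // carry the session id in a cookie
    ini_set('session.use_only_cookies', '1'); // ignore ids supplied in the URL
    ini_set('session.use_trans_sid', '0');    // never append the id to links
    ini_set('session.use_strict_mode', '1');  // refuse ids the server did not issue
    ini_set('session.cookie_httponly', '1');  // keep the cookie away from JavaScript
    ini_set('session.cookie_secure', $https ? '1' : '0'); // HTTPS-only cookie
}

// Returns one message per setting that still lets the id travel in the URL
// or be chosen by the client. An empty array means the settings took effect.
function audit_session_settings(): array
{
    $expected = [
        'session.use_cookies'      => true,
        'session.use_only_cookies' => true,
        'session.use_trans_sid'    => false,
        'session.use_strict_mode'  => true,
        'session.cookie_httponly'  => true,
    ];
    $problems = [];
    foreach ($expected as $key => $want) {
        // ini_get() returns "1", "", "On", "Off" ... depending on the source.
        $have = filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
        if ($have !== $want) {
            $problems[] = sprintf('%s should be %s', $key, $want ? 'On' : 'Off');
        }
    }
    return $problems;
}

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
configure_cookie_only_sessions($https);
foreach (audit_session_settings() as $problem) {
    error_log('session config: ' . $problem); // e.g. ini_set() refused the change
}
session_start();
```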

Post by user___ »

No, it does not work. After I set it I got empty arrays. After that when I set it as it is in default it works.

Post by user___ »

Hi guys,
No answer so far. I have found that it is in the very PHP configuration. If someone has this part of their PHP configuration, I would be happy to see it.

Post by RobertGonzalez »

What are you trying to accomplish? If you are trying to force the use of cookie based sessions only, you are going to be shooting yourself in the foot. Some people set their browsers to not accept cookies. In that case, anyone using your script would not be able to get past a single page in the session because the URL parameter for session management is turned off. Why do you want to do this?

Post by user___ »

I had not wanted to do so, but then I read an article which says that the most secure solution is to use sessions with cookies (it was not said whether to use them only with cookies, but this is not what I am trying to do (to use only cookies), because of the reasons you listed above). I am trying to accomplish something not so hard but still unaccomplishable (I do not know why). I want to create a log in script, then redirect a user to the logged page (the page which uses sessions), and then, while they are browsing the logged pages, a function to be called permanently which checks whether the user is authenticated. I am still trying to create this redirection, but although I tried anything and even this:

Code:

session_start();
session_regenerate_id();
$_SESSION['username']="username";
session_write_close();
header("Location:...");
exit();

I still get an empty array. The only way it works is when instead of redirection I set a link, and then it works (BTW: on my server on the Internet it runs only when I do not use full URLs in the header("Location:log_in.php");).

I want to accomplish that.

Post by RobertGonzalez »

user___ wrote: I want to create a log in script, then redirect a user to the logged page (the page which uses sessions), and then while they are browsing the logged pages, a function to be called permanently which checks whether the user is authenticated.

Let's comment code this thing, shall we?

Code:

<?php
// start the session
session_start();
// check authentication
reject_unauthorized_user();
// If we are here, then we know that we are ok...
?>

Now, on the other pages, they have to call that function too. Here is some quick code for that function...

Code:

<?php
function reject_unauthorized_user()
{
    if (!isset($_SESSION['session_user_auth']) || $_SESSION['session_user_auth'] === false)
    {
        header('Location: http://www.mysite.com/login.php');
        exit;
    }

    return;
}
?>

The next thing to do is code the login routine, which is where all the session data is set up (after a successful login, of course ;) ).

Post by user___ »

Thank you for your response Everah, but we seem to have misunderstood each other to some extent. I have a log in form which (when submitted) is sent to a redirection .php file which redirects a user to the pages, but here the things come. After a successful validation (as you have described) redirect, else display the log in form, but in the redirection file where I set sessions and then redirect a user to the secured pages I have my sessions unavailable on the secured page. What I mean is that instead of setting sessions, redirecting a user, and then having them available on the secured page (sessions were initiated in the redirection file), I have an empty array on the secured page.

Post by RobertGonzalez »

Ok, my question now is you are gathering information and validating on one page, redirecting to another page where session values are set, then redirecting again? Is that the process you are following?

Post by user___ »

No, it is not exactly what I do.

"gathering information and validating on one page, redirecting to another page where session values are set, then redirecting again?"

Everything is true until the comma, and I set the session in the redirection file. An example of what I am doing is that forum. You log in, validate (I suppose the validation is in the redirection file; I am not sure whether this is the case), and redirect.

Post by RobertGonzalez »

Maybe you can post some code. I am really confused with the path this takes. It may be easier if we can see what you are doing. I am expecting to see two files then, correct?

Post by user___ »

Log in is an HTML form which has a username and a password field, so I will post only the .php ones.
redirect.php:

Code:

<?php

//Sessions

   //Session start
   session_start();

   //Regenerate id
   session_regenerate_id();

   //Set session vars
   $_SESSION['username']  = $_POST['username'];
   $_SESSION['password'] =  $_POST['password'];
   
   //Disable session writing
   session_write_close();

   //With full URLs does not work too
   header("Location:secured.php?show_menu=1");//show_menu is just a get var used for the interface. I have tested with and without it
   header("Location:http://www.mysite.com/secured.php?show_menu=1");
 ?>

secured.php:

Code:

<?php
 //Session start
   session_start();

//Array();
print_r($_SESSION);
?>

I have simplified these scripts as much as I could because of their length.
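
A login handler in the shape of redirect.php that sets the `session_user_auth` flag checked by reject_unauthorized_user() earlier in the thread, keeps the password out of the session, and sends a single Location header followed by exit. This is an added example, not code from any poster; find_password_hash(), attempt_login() and the sample account are hypothetical, and the redirect targets are the file names used in the thread.

```php
<?php
// Added example. Constructed sample data: username => password_hash() output.
// In a real application this lookup would query the user store.
function find_password_hash(string $username): ?string
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $users[$username] ?? null;
}

// Verifies the credentials and, on success, marks the session as authenticated.
function attempt_login(string $username, string $password): bool
{
    $hash = find_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Issue a fresh id for the authenticated session; true discards the
    // data stored under the old id so it cannot be reused.
    session_regenerate_id(true);
    $_SESSION['session_user_auth'] = true; // flag read by reject_unauthorized_user()
    $_SESSION['username'] = $username;     // the password itself is never stored
    return true;
}

session_start();

// Accept only string form fields; anything else is treated as empty.
$username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

$target = attempt_login($username, $password)
    ? 'secured.php?show_menu=1'
    : 'login.php';

// Flush the session data to storage before the browser follows the redirect.
session_write_close();
header('Location: ' . $target);
exit;
```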