
Sessions' URL or Cookies

Posted: Wed Mar 28, 2007 8:15 am
by user___
Hi guys,
I have read that it is more secure to use cookies instead of sessions' URL requests. My question has to do with the very coding of that. I do not want you to create my code, but I want to know what the logic is and if there is a tutorial on that online.
Thank you, guys.

Posted: Wed Mar 28, 2007 8:39 am
by feyd
There's no real additional logic required. PHP has settings to switch which one will be used and whether both are used initially. It's all handled for you.

Reply

Posted: Wed Mar 28, 2007 8:59 am
by user___
If I got it, the only thing I have to do to use cookies is to set the .ini file?

Posted: Wed Mar 28, 2007 9:59 am
by s.dot
If you only want to use session cookies.. in your php.ini file, set session.use_cookies to 1, and session.use_only_cookies to 1.

This should prevent them being passed through the URL.

Reply

Posted: Wed Mar 28, 2007 10:30 am
by user___
No, it does not work. After I set it I got empty arrays. After that, when I set it back to the default, it works.

Reply

Posted: Wed Mar 28, 2007 11:14 am
by user___
Hi guys,
No answer so far. I have found that it is in the very PHP configuration. If someone has this part of their php configuration, I would be happy to see it.

Posted: Wed Mar 28, 2007 12:08 pm
by RobertGonzalez
What are you trying to accomplish? If you are trying to force the use of cookie based sessions only, you are going to be shooting yourself in the foot. Some people set their browsers to not accept cookies. In that case, anyone using your script would not be able to get past a single page in the session because the URL parameter for session management is turned off. Why do you want to do this?

Reply

Posted: Wed Mar 28, 2007 1:37 pm
by user___
I had not wanted to do so, but after I read an article which says that the most secure solution is to use sessions with cookies (it was not said whether to use them only with cookies, but this is not what I am trying to do, i.e. to use only cookies, because of the reasons you listed above). I am trying to accomplish something not so hard but still unaccomplishable (I do not know why?). I want to create a log in script, then redirect a user to the logged page (the page which uses sessions), and then while they are browsing the logged pages, a function to be called permanently which checks whether the user is authenticated. I am still trying to create this redirection, but although I tried anything and even this:

Code:

<?php
session_start();
// new session id after login, before any data is stored
session_regenerate_id();
$_SESSION['username'] = "username";
// flush the session data to storage before redirecting
session_write_close();
header("Location:...");
exit();
?>

I still get an empty array. The only way it works is when instead of a redirection I set a link, and then it works (BTW: on my server on the Internet it runs only when I do not use full URLs in the header("Location:log_in.php");).

I want to accomplish that.

Re: Reply

Posted: Wed Mar 28, 2007 1:59 pm
by RobertGonzalez
user___ wrote: I want to create a log in script, then redirect a user to the logged page (the page which uses sessions), and then while they are browsing the logged pages, a function to be called permanently which checks whether the user is authenticated.
Let's comment code this thing, shall we?

Code:

<?php
// start the session
session_start();
// check authentication (reject_unauthorized_user() is defined in the function file below
// and has to be included on every protected page)
reject_unauthorized_user();
// If we are here, then we know that we are ok...
?>

Now, on the other pages, they have to call that function too. Here is some quick code for that function...

Code:

<?php
function reject_unauthorized_user()
{
    // no auth flag in the session, or an explicit false: send the visitor to the login page
    if (!isset($_SESSION['session_user_auth']) || $_SESSION['session_user_auth'] === false)
    {
        header('Location: http://www.mysite.com/login.php');
        exit;
    }

    return;
}
?>

The next thing to do is code the login routine, which is where all the session data is set up (after a successful login, of course ;) ).
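As an added example (not code from this thread), a login handler that combines s.dot's cookie-only setting with the auth flag that reject_unauthorized_user() checks. The file name login.php, the function credentials_valid() and the sample credentials are assumptions; secured.php is the protected page that calls the guard after session_start().

```php
<?php
// login.php: handles the POST from the HTML login form (added example, not the thread's code).

// Same effect as session.use_only_cookies=1 in php.ini, applied before session_start():
// the session id is only ever read from the cookie, never from the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// lifetime 0 (browser session), path "/", any host, secure=false, httponly=true.
// Set the fourth argument to true when the site is served over HTTPS.
session_set_cookie_params(0, '/', '', false, true);

session_start();

function credentials_valid($user, $pass)
{
    // Hypothetical check with constructed credentials; a real application compares
    // against a password hash from its user store.
    return $user === 'alice' && $pass === 'correct horse battery staple';
}

$user = isset($_POST['username']) ? $_POST['username'] : '';
$pass = isset($_POST['password']) ? $_POST['password'] : '';

if (!credentials_valid($user, $pass)) {
    // failed login: back to the form, nothing stored in the session
    header('Location: login.php?failed=1');
    exit;
}

// Fresh session id after authentication (true = delete the old session file).
session_regenerate_id(true);

// Store only an auth flag and the user name; the password never goes into the session.
$_SESSION['session_user_auth'] = true;
$_SESSION['username'] = $user;

// Flush the session to storage before redirecting so secured.php finds the data.
session_write_close();
header('Location: secured.php');
exit;
```

secured.php repeats the two ini_set() lines and session_set_cookie_params() before its own session_start(), then calls reject_unauthorized_user() as shown above.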

Reply

Posted: Wed Mar 28, 2007 2:27 pm
by user___
Thank you for your response, Everah, but we seem to have misunderstood each other to some extent. I have a log in form which (when submitted) is sent to a redirection .php file which redirects a user to the pages, but here the things come. After a successful validation (as you have described) redirect, else display the log in form; but in the redirection file, where I set sessions and then redirect a user to the secured pages, I have my sessions unavailable on the secured page. What I mean is that instead of setting sessions, redirecting a user, and then having them available on the secured page (sessions were initiated in the redirection file), I have an empty array on the secured page.

Posted: Wed Mar 28, 2007 2:49 pm
by RobertGonzalez
Ok, my question now is you are gathering information and validating on one page, redirecting to another page where session values are set, then redirecting again? Is that the process you are following?

Reply

Posted: Wed Mar 28, 2007 3:12 pm
by user___
No, it is not exactly what I do.
RobertGonzalez wrote: gathering information and validating on one page, redirecting to another page where session values are set, then redirecting again?
Everything is true until the comma, and I set the session in the redirection file. An example of what I am doing is that forum. You log in, validate (I suppose the validation is in the redirection file (I am not sure whether this is the case).), and redirect.

Posted: Wed Mar 28, 2007 3:14 pm
by RobertGonzalez
Maybe you can post some code. I am really confused with the path this takes. It may be easier if we can see what you are doing. I am expecting to see two files then, correct?

Reply

Posted: Wed Mar 28, 2007 3:40 pm
by user___
Log in is an HTML form which has a username and a password field, so I will post only the .php ones.
redirect.php:

Code:

<?php

//Sessions

   //Session start
   session_start();

   //Regenerate id
   session_regenerate_id();

   //Set session vars
   $_SESSION['username'] = $_POST['username'];
   $_SESSION['password'] = $_POST['password'];

   //Disable session writing
   session_write_close();

   //Does not work with full URLs either. show_menu is just a GET var used for the interface;
   //I have tested with and without it. (A later header("Location:...") replaces the earlier one,
   //so only the second redirect is actually sent.)
   header("Location:secured.php?show_menu=1");
   header("Location:http://www.mysite.com/secured.php?show_menu=1");
?>

secured.php:

Code:

<?php
   //Session start
   session_start();

   //Prints an empty Array ( ) after the redirect
   print_r($_SESSION);
?>

I have simplified these scripts as much as I could because of their length.

Posted: Wed Mar 28, 2007 3:44 pm
by RobertGonzalez