Page 1 of 1

What happens to SESSIONS when...

Posted: Wed Oct 17, 2007 6:48 am
by alex.barylski
Cookies are disabled and you are using mod_rewrite???

I just tried some ZF examples, like Magento Commerce...when cookies are disabled I cannot add products to a shopping cart.

I figured this might be the case because when cookies are disabled, SESSIONS are propagated via the URL by appending a &PHPSESSID=blahblah

So I tested this theory on ONE ZF application as I figured it would likely use mod_rewrite

Can anyone else test this to confirm??? Have you tried on other mod_rewrite applications with cookies disabled???

Just curious

Posted: Wed Oct 17, 2007 7:39 am
by s.dot
What is the connection between mod_rewrite rules and sessions? I can't seem to put the two together based on what you've said.

Do you mean, session ids can't be added onto the url's because of mod_rewrite rules?

Posted: Wed Oct 17, 2007 3:59 pm
by alex.barylski
scottayy wrote:What is the connection between mod_rewrite rules and sessions? I can't seem to put the two together based on what you've said.

Do you mean, session ids can't be added onto the url's because of mod_rewrite rules?
When cookies are disabled SESSION's propagate the SESSION ID via all URL's - yes. Therefore, you will loose the session on javascript generated links because the SID is inserted by using output buffering prior to sending to screen.

Not sure how it finds URL's whether it looks for href="" or whether it's more specifc...

If mod_rewrite is used and cookies are disabled, then URL propagation is required. When SESSION finds a href attribute which is SEO such as:

Code: Select all

href="/controller/action/value"
There is no way SESSION support could be aware mod_rewrite is being used so the above URL is appended with the SID like this:

Code: Select all

href="/controller/action/value&PHPSESSID=hdf84gf74bg8e4bfghe8fbfghf8ud..."
SESSION ID's are lost because I don't believe &PHPSESSID=xxx is parsed properly and therefore not stored in the appropriate GET variable. At least this is my theory. :P

When I tested this hunch - using a well known ZF application, sure as sh*t it failed as I expected it would.

I want to know whether this is common (well known) or an oversight most ignore - assuming cookies will always be available.

Posted: Wed Oct 17, 2007 4:15 pm
by RobertGonzalez
Mod_rewrite can be set to append a querystring (I believe with the QSA flag) so this should not be an issue.

Did you do a var_dump() of $_GET to see what is coming in the querystring?

Posted: Wed Oct 17, 2007 4:16 pm
by alex.barylski
Everah wrote:Mod_rewrite can be set to append a querystring (I believe with the QSA flag) so this should not be an issue.

Did you do a var_dump() of $_GET to see what is coming in the querystring?
Ahh good point. :)