Question about session handling from page to page

Stanly22
Forum Newbie
Posts: 3
Joined: Mon May 19, 2008 4:32 pm

Question about session handling from page to page

Post by Stanly22 »

Greetings!

I have a quick question about Session handling and would like some opinions of those who are smarter than me.

Generally, I create all internal site links with a long tail using SID so the user doesn't lose his session (aka, his shopping cart). An example of the code would be:

Code:

print("<a href='faq.php?".SID."'>FAQ</a>");
And the output would be something like this:
Sometimes this shows up in the browser url and sometimes it doesn't.

Of course this isn't SEO friendly. I have noticed that in the past when I have forgotten to add the SID to the end of the URL, the session still carried over. The cart did not empty.

So, my question is, do I need to do this? Can I take all of the URL SIDs off of my links and still keep sessions from page to page? Does anyone have a more efficient way to do this? I want to clean up the site and make it SEO friendly; I am open to any suggestions. Thanks in advance!
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Question about session handling from page to page

Post by VladSun »

SID can be stored at client-side in a session cookie - that's a cookie which expires when the browser is closed. That's the most popular page-to-page SID passing. (session.use_cookies in php.ini)
Passing SID through URL is even dangerous - a user could expose his SID by using this URL in public places like forums. Also, it's a little bit more secure to set session.cookie_httponly on in your php.ini.
There are 10 types of people in this world, those who understand binary and those who don't
Stanly22
Forum Newbie
Posts: 3
Joined: Mon May 19, 2008 4:32 pm

Re: Question about session handling from page to page

Post by Stanly22 »

That sounds better. Do I just get the user's SID from the server and write it as a cookie on their machine? Then check the cookie on each page view, if it is assigned then use it for that page view?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Question about session handling from page to page

Post by VladSun »

Stanly22 wrote: That sounds better. Do I just get the user's SID from the server and write it as a cookie on their machine? Then check the cookie on each page view, if it is assigned then use it for that page view?
When session.use_cookies=1 in php.ini all of this is done automatically when session_start() is called ;)
Also, you may enable session.use_only_cookies and disable session.use_trans_sid in your php.ini to ensure that only cookie based SIDs are used.
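
A check for the cookie-only setup named in the replies above, as an added example that is not part of any post in this thread: it compares the four php.ini directives mentioned (session.use_cookies, session.use_only_cookies, session.use_trans_sid, session.cookie_httponly) against the values that keep the SID out of URLs. The function names and the sample configuration are constructed for illustration.

```php
<?php
// Added example (not from the thread): audit PHP session settings for
// the cookie-only configuration discussed above.

// Directive => value needed so the SID travels only in an HttpOnly cookie.
const COOKIE_ONLY_POLICY = [
    'session.use_cookies'      => true,   // send the SID in a cookie
    'session.use_only_cookies' => true,   // ignore SIDs supplied in the URL
    'session.use_trans_sid'    => false,  // never rewrite links to append the SID
    'session.cookie_httponly'  => true,   // hide the cookie from JavaScript
];

/** Return the directives in $settings that deviate from the policy. */
function audit_session_settings(array $settings): array
{
    $findings = [];
    foreach (COOKIE_ONLY_POLICY as $name => $wanted) {
        // php.ini booleans arrive as strings: "1", "0", "", "On", "Off".
        $actual = filter_var($settings[$name] ?? '', FILTER_VALIDATE_BOOLEAN);
        if ($actual !== $wanted) {
            $findings[] = sprintf('%s should be %s', $name, $wanted ? 'On' : 'Off');
        }
    }
    return $findings;
}

/** Read the values PHP is actually using for this request. */
function effective_session_settings(): array
{
    $out = [];
    foreach (array_keys(COOKIE_ONLY_POLICY) as $name) {
        $out[$name] = ini_get($name);
    }
    return $out;
}

// Constructed sample: a configuration that still allows URL-based SIDs.
$urlSidConfig = [
    'session.use_cookies'      => '1',
    'session.use_only_cookies' => '0',
    'session.use_trans_sid'    => '1',
    'session.cookie_httponly'  => '',
];

foreach (['sample (URL SIDs allowed)' => $urlSidConfig,
          'this PHP runtime' => effective_session_settings()] as $label => $cfg) {
    $findings = audit_session_settings($cfg);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'cookie-only', PHP_EOL;
}
```

Where php.ini cannot be edited, PHP 7.0 and later also accept the same directives (without the `session.` prefix) as an options array passed to session_start().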
Stanly22
Forum Newbie
Posts: 3
Joined: Mon May 19, 2008 4:32 pm

Re: Question about session handling from page to page

Post by Stanly22 »

Sweet! I really appreciate your help. So, just to double check... if I set session.use_cookies=1 and call session_start() at the top of all my pages (which I already do) then I can get rid of my explicit SID at the end of the URLs?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Question about session handling from page to page

Post by VladSun »

Yes :)