
Question about session handling from page to page

Posted: Mon May 19, 2008 4:46 pm
by Stanly22
Greetings!

I have a quick question about Session handling and would like some opinions of those who are smarter than me.

Generally, I create all internal site links with a long tail using SID so the user doesn't lose his session (aka, his shopping cart). An example of the code would be:

print("<a href='faq.php?".SID."'>FAQ</a>");
And the output would be something like this:
Sometimes this shows up in the browser url and sometimes it doesn't.

Of course this isn't SEO friendly. I have noticed that in the past when I have forgotten to add the SID to the end of the URL, the session still carried over. The cart did not empty.

So, my question is, do I need to do this? Can I take all of the URL SIDs off of my links and still keep sessions from page to page? Does anyone have a more efficient way to do this? I want to clean up the site and make it SEO friendly; I am open to any suggestions. Thanks in advance!

Re: Question about session handling from page to page

Posted: Mon May 19, 2008 4:56 pm
by VladSun
SID can be stored at client-side in a session cookie - that's a cookie which expires when the browser is closed. That's the most popular page-to-page SID passing. (session.use_cookies in php.ini)
Passing SID through URL is even dangerous - a user could expose his SID by using this URL in public places like forums. Also, it's a little bit more secure to set session.cookie_httponly on in your php.ini.

Re: Question about session handling from page to page

Posted: Mon May 19, 2008 5:02 pm
by Stanly22
That sounds better. Do I just get the user's SID from the server and write it as a cookie on their machine? Then check the cookie on each page view, if it is assigned then use it for that page view?

Re: Question about session handling from page to page

Posted: Mon May 19, 2008 5:24 pm
by VladSun
Stanly22 wrote: That sounds better. Do I just get the user's SID from the server and write it as a cookie on their machine? Then check the cookie on each page view, if it is assigned then use it for that page view?
When session.use_cookies=1 in php.ini all of this is done automatically when session_start() is called ;)
Also, you may enable session.use_only_cookies and disable session.use_trans_sid in your php.ini to ensure that only cookie based SIDs are used.

Re: Question about session handling from page to page

Posted: Tue May 20, 2008 1:51 pm
by Stanly22
Sweet! I really appreciate your help. So, just to double check... if I set session.use_cookies=1 and call session_start() at the top of all my pages (which I already do) then I can get rid of my explicit SID at the end of the URLs?

Re: Question about session handling from page to page

Posted: Tue May 20, 2008 2:05 pm
by VladSun
Yes :)
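
Added example, not part of the original thread: the four php.ini settings named in the replies above, checked and applied at runtime before session_start(), for hosts where php.ini cannot be edited. The function name harden_session_settings is hypothetical, and faq.php is the link from the first post.

```php
<?php
// Added example: enforce cookie-only session IDs at runtime.
// harden_session_settings() is a hypothetical helper, not a PHP built-in.

function harden_session_settings(): array
{
    // Settings named in this thread and the value each should have.
    $wanted = [
        'session.use_cookies'      => true,   // carry the SID in a cookie
        'session.use_only_cookies' => true,   // ignore SIDs arriving in the URL
        'session.use_trans_sid'    => false,  // never rewrite links to add the SID
        'session.cookie_httponly'  => true,   // hide the cookie from page scripts
    ];

    $failed = [];
    foreach ($wanted as $name => $value) {
        // ini_get() may return "1", "0", "", "On" or "Off"; normalise to bool.
        $current = filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
        if ($current === $value) {
            continue; // already correct, nothing to change
        }
        // ini_set() returns false when the setting could not be changed,
        // for example after output has started or a session is active.
        if (ini_set($name, $value ? '1' : '0') === false) {
            $failed[] = $name;
        }
    }
    return $failed;
}

// Must run before any output and before session_start().
$failed = harden_session_settings();
if ($failed !== []) {
    error_log('Session settings not applied: ' . implode(', ', $failed));
}
session_start();

// Internal links no longer need the SID appended.
print("<a href='faq.php'>FAQ</a>");
```

A non-empty return value means the host refused a setting at runtime, in which case the value has to be changed in php.ini itself.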