[CLUE-Tech] Solved -> PHP Sessions and Cookies: Brain Cramp

Jed S. Baer thag at frii.com
Sun Oct 13 14:32:35 MDT 2002


On Sun, 13 Oct 2002 09:42:25 -0600
Sean LeBlanc <seanleblanc at americanisp.net> wrote:

> On 10-12 22:38, Jed S. Baer wrote:
> <snip>
> 
> > So, reloading this thing continually, I get a different session id
> > each time, and, obviously, $thecnt = 1. The burgers/fries cookie does
> > get set.
>                                                               ^^^^
> You mean doesn't, right? I wonder if this has anything to do with a
> fully-qualified domain? I see you are using localhost - don't cookies
> use the domain (along with an optional path) to store/retrieve? What
> would it do with "localhost"? Just a guess.

Well, it turns out it might have something to do with a FQDN. Galeon will
accept cookies with a specified domain of 127.0.0.1, for example, and they
work with http://127.0.0.1/ URLs. That doesn't necessarily mean an IP
address is seen as such, just that things match up when compared.

The session cookie is now being set. Galeon doesn't set any cookies having
'localhost' as the domain, although that's not exactly intuitive for me
anyway. The Galeon cookie manager puts 'localhost' in the column for
"site" in the cookie manager display. So, using ethereal (Thanks Dave) I
can now see the session cookie being sent/returned.

The solution wound up being something I ran across, just by process of
elimination.

In the php.ini file:

; Check HTTP Referer to invalidate externally stored URLs containing ids.
session.referer_check = On

Now, I don't know what was in my head when I set that to "On". From the
php.net website:

"session.referer_check contains the substring you want to check each HTTP
Referer for. If the Referer was sent by the client and the substring was
not found, the embedded session id will be marked as invalid. Defaults to
the empty string."

Both of these seem to me to imply "URL?SID=0938u4348fj348j3u", i.e. the
session id is contained in the URL.

But, setting session.referer_check to nothing makes things all work.

jed
-- 
We're frogs who are getting boiled in a pot full of single-character
morphemes, and we don't notice. - Larry Wall; Perl6, Apocalypse 5
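Added example (not part of the original post): a small CLI model of how PHP applies session.referer_check, built from the documented semantics quoted in the message. The sample Referer value and the alternative settings are constructed for illustration.

```php
<?php
// Added example, not code from the original post. Models PHP's
// session.referer_check: when the setting is non-empty and the client sent
// a Referer header that does not contain the setting as a substring, PHP
// discards the incoming session id and starts a fresh session. That is the
// "different session id on every reload" symptom described in the thread.

function refererCheckAccepts(string $refererCheck, ?string $referer): bool
{
    if ($refererCheck === '') {   // default (empty): the check is disabled
        return true;
    }
    if ($referer === null) {      // no Referer sent: PHP does not reject
        return true;
    }
    // Plain case-sensitive substring match, no hostname parsing at all.
    return strpos($referer, $refererCheck) !== false;
}

// Constructed sample: on a reload the browser sends the page's own URL.
$referer = 'http://localhost/burgers.php';

// Setting => why it behaves the way it does (values are constructed).
$cases = [
    'On'              => 'misconfigured: literal "On" never appears in the Referer',
    ''                => 'default: check disabled, session id is kept',
    'localhost'       => 'intended use: the site\'s own host must appear in the Referer',
    'www.example.com' => 'wrong host (hypothetical): id discarded on a local reload',
];

foreach ($cases as $setting => $why) {
    $kept = refererCheckAccepts($setting, $referer);
    printf("session.referer_check = %-17s -> session id %s (%s)\n",
        var_export($setting, true), $kept ? 'kept' : 'discarded', $why);
}

// Caveat for anyone relying on this setting: the Referer header is supplied
// by the client and may be absent or altered, so referer_check only reduces
// accidental leakage of URL-embedded ids; it is not an authentication control.
```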
