[CLUE-Tech] PHP and Session Cookies

Jed S. Baer thag at frii.com
Fri Oct 25 12:57:14 MDT 2002


Hi Folks.

I'm having a little trouble with session validation and logins.

Based on my reading at php.net and elsewhere, the strong implication is
that if somebody isn't accepting cookies, and enable-trans-sid is turned
on, then session tracking will "automatically" be done by embedding the
session ID in the URL. Apparently, up at phpwebhosting, enable-trans-sid
is turned on, but the URL munging isn't working, or is working only
intermittently. Or, it also requires coding changes to embed the ID in
links on the page (which isn't explicitly stated, but I can infer it),
which is no longer "automatic", in my book anyway.

The various authentication scripts I've found at Zend, phpbuilder, etc.
have varying degrees of robustness, but they all just assume that session
tracking is working, by whatever method.

There is apparently another problem, which, because it's intermittent, I
can't quite get a handle on. Since the whole site is geared around POST
method, there are places where I check for $REQUEST_METHOD != 'POST' as a
hedge against hacking by URL munging. But, assuming the sessionID in the
URL, then form invocation has to look like

 <form action="form.php?SID=09u4j3498t9348nu9384u" method="POST">

So, now I have both GET and POST methods being used, and I'm guessing that
in that case, either "GET" takes priority in $REQUEST_METHOD over "POST",
or maybe they're both in there, i.e. "GET,POST" (I can check this myself
easily enough).

My reaction to all this is to just give up and have things not work at all
without cookies. That brings up the other question of what is the earliest
point in time I can know that cookies are disabled. Since I know of no
"feedback" from the browser back to the web server that says, "cookie
denied", then there's no way I can discover (without JavaScript) whether
cookies work, until the user hits the submit button on the login form (it
starts the session), and the script thus invoked can check for whether the
cookie is there. Any suggestions for earlier methods (the site doesn't
require sessions, unless the user logs in for a specific area of the
site)?

TIA
jed
-- 
We're frogs who are getting boiled in a pot full of single-character
morphemes, and we don't notice. - Larry Wall; Perl6, Apocalypse 5
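
One way to detect disabled cookies before the login form is shown while keeping the session ID out of URLs entirely, as an added example that is not part of the original post. It sets a probe cookie, redirects once to see whether it comes back, and starts the session only after authentication. The file name login.php, the cookie_probe cookie, the probed parameter and the $users table are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post. Hypothetical names:
// login.php, the "cookie_probe" cookie, the "probed" parameter, $users.
ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL
ini_set('session.use_trans_sid', '0');     // never rewrite links to carry one
ini_set('session.cookie_httponly', '1');   // keep the session cookie away from scripts

const PROBE = 'cookie_probe';
// Constructed demo account; a real site would query its user store.
$users = ['demo' => password_hash('demo-password', PASSWORD_DEFAULT)];

// REQUEST_METHOD holds the HTTP verb only. A query string on a form's
// action URL fills $_GET, but the request is still reported as POST.
$isPost   = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST';
$hasProbe = isset($_COOKIE[PROBE]);

if (!$hasProbe && !$isPost && !isset($_GET['probed'])) {
    // First visit: send the probe and bounce once to see if it comes back.
    setcookie(PROBE, '1', 0, '/');
    header('Location: login.php?probed=1');
    exit;
}
if (!$hasProbe) {
    // The probe was offered and not returned: cookies are off.
    http_response_code(400);
    exit('Cookies are required to log in. Enable them and reload this page.');
}
if (!$isPost) {
    // Cookies work; show the form. No session exists yet.
    exit('<form action="login.php" method="POST">'
       . '<input name="user"> <input name="pass" type="password">'
       . '<input type="submit" value="Log in"></form>');
}

$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';
if (!is_string($user) || !is_string($pass) || !isset($users[$user])
        || !password_verify($pass, $users[$user])) {
    http_response_code(403);
    exit('Login failed.');
}

session_start();               // the session begins only after authentication
session_regenerate_id(true);   // discard any ID the client supplied
$_SESSION['user'] = $user;
echo 'Logged in as ' . htmlspecialchars($user);
```

Because the session ID travels only in the cookie, it does not appear in Referer headers, bookmarks or server logs the way a URL-embedded SID does.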


