[CLUE-Tech] PHP and Session Cookies

Mike Staver staver at fimble.com
Fri Oct 25 13:11:28 MDT 2002


What browser are you using? I have found Internet Explorer on any platform 
(version 5.0 and 5.5) to not work at all with PHP/cookies.  However, 
version 5.5 SP2 or whatever and 6.0 seem to work fine.... 

On Fri, 25 Oct 2002, Jed S. Baer wrote:

> Hi Folks.
> 
> I'm having a little trouble with session validation and logins.
> 
> Based on my reading at php.net and elsewhere, the strong implication is
> that if somebody isn't accepting cookies, and enable-trans-sid is turned
> on, then session tracking will "automatically" be done by embedding the
> session ID in the URL. Apparently, up at phpwebhosting, enable-trans-sid
> is turned on, but the URL munging isn't working, or is working only
> intermittently. Or, it also requires coding changes to embed the ID in
> links on the page (which isn't explicitly stated, but I can infer it),
> which is no longer "automatic", in my book anyway.
> 
> The various authentication scripts I've found at Zend, phpbuilder, etc.
> have varying degrees of robustness, but they all just assume that session
> tracking is working, by whatever method.
> 
> There is apparently another problem, which, because it's intermittent, I
> can't quite get a handle on. Since the whole site is geared around POST
> method, there are places where I check for $REQUEST_METHOD != 'POST' as a
> hedge against hacking by URL munging. But, assuming the sessionID in the
> URL, then form invocation has to look like
> 
>  <form action="form.php?SID=09u4j3498t9348nu9384u" method="POST">
> 
> So, now I have both GET and POST methods being used, and I'm guessing that
> in that case, either "GET" takes priority in $REQUEST_METHOD over "POST",
> or maybe they're both in there, i.e. "GET,POST" (I can check this myself
> easily enough).
> 
> My reaction to all this is to just give up and have things not work at all
> without cookies. That brings up the other question of what is the earliest
> point in time I can know that cookies are disabled. Since I know of no
> "feedback" from the browser back to the web server that says, "cookie
> denied", then there's no way I can discover (without JavaScript) whether
> cookies work, until the user hits the submit button on the login form (it
> starts the session), and the script thus invoked can check for whether the
> cookie is there. Any suggestions for earlier methods (the site doesn't
> require sessions, unless the user logs in for a specific area of the
> site)?
> 
> TIA
> jed
> 

-- 
				-Mike Staver
				 staver at fimble.com
                                 mstaver at globaltaxnetwork.com
				 http://www.fimble.com/staver
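
The question above asks how early a script can tell that cookies are disabled; one probe cookie plus one redirect answers it before the login form is shown. This is an added example, not code from either poster: the file name login.php, the cookie and flag names, and the demo account are assumptions, and it keeps the session ID out of URLs entirely.

```php
<?php
// Added example, not code from the thread. PHP 7.3+ (array form of setcookie).
// Hypothetical names: login.php, cookie_probe, probed, demo user and password.
ini_set('session.use_only_cookies', '1'); // session ID accepted from the cookie only
ini_set('session.use_trans_sid', '0');    // never rewrite the ID into URLs

const PROBE = 'cookie_probe';
const FLAG  = 'probed';

// Decide cookie support from what the browser sent on this request.
function cookie_state(array $cookies, array $query): string
{
    if (isset($cookies[PROBE])) {
        return 'ok';        // probe came back: cookies work
    }
    // Flag present means we already set the probe and redirected once.
    return isset($query[FLAG]) ? 'disabled' : 'unknown';
}

$state = cookie_state($_COOKIE, $_GET);
if ($state === 'unknown') {
    setcookie(PROBE, '1', ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    header('Location: login.php?' . FLAG . '=1', true, 302);
    exit;
}
if ($state === 'disabled') {
    exit('Logging in requires cookies. Enable them and reload this page.');
}

// Constructed sample account so the example is complete.
$users = ['demo' => password_hash('constructed-password', PASSWORD_DEFAULT)];

// A form posted to "login.php?probed=1" still reports REQUEST_METHOD "POST":
// query-string values arrive in $_GET, body fields in $_POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    if (isset($users[$name]) && password_verify($pass, $users[$name])) {
        session_start();
        session_regenerate_id(true); // fresh ID at login
        $_SESSION['user'] = $name;
        exit('Logged in as ' . htmlspecialchars($name));
    }
    http_response_code(403);
    exit('Login failed.');
}
?>
<form action="login.php?probed=1" method="POST">
  <input name="user"> <input name="pass" type="password">
  <input type="submit" value="Log in">
</form>
```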



