  1. #1

    session variables with cookies switched off

    Hi,

    I've read on many sites that PHP sessions will work even when the user has cookies disabled but for some reason my scripts (included below) need cookies to be enabled. Can someone see why? Thanks.

    login.php
    PHP Code:
    <?php
    session_start();
    if (isset($_POST["user"]) && isset($_POST["pass"]))
        {
        if ($_POST["user"] === "username" && $_POST["pass"] === "password")
            {
            session_register("authorised");
            $HTTP_SESSION_VARS["authorised"] = true;

            header("Location: main.php");
            exit; // stop so the login form is not sent after the redirect
            }
        else
            {
            $errormessage = "Wrong username and/or password! Please try again.";
            }
        }
    ?>
    ...Login form goes here...
    main.php
    PHP Code:
    <?php
    session_start();
    if (!isset($HTTP_SESSION_VARS["authorised"]) || $HTTP_SESSION_VARS["authorised"] !== true)
        {
        header('Location: login.php');
        exit; // stop so the logged in content below is not sent to a visitor who is not logged in
        }
    ?>
    ...Logged in content goes here...
    The following lines are from the output of phpinfo() so I don't think PHP configuration is the problem

    session.use_cookies Local Value:On Master Value:On
    session.use_only_cookies Local Value:Off Master Value:Off
    session.use_trans_sid Local Value:Off Master Value:Off
    Last edited by mat106; 06-19-2005 at 09:49 PM.

  • #2
    raf
    if the client doesn't accept cookies, then the sessionID is propagated through the querystring. this means that there is a variable_value pair on each querystring like sid=sdf5sdf45sdf445sdf

    this sessionID is automatically added to each link (in the querystring) + each form (as a hidden formfield) on each page that is sent to the client.
    now, you are redirecting the client with
    PHP Code:
    header ("Location: main.php");
    so the sessionID gets lost since it's not added to the new location's address.
    to propagate the sessionID, add it like this
    PHP Code:
    header ("Location: main.php?" . SID);
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #3
    Thanks raf. Furthermore, for anyone interested, this quote is from http://uk2.php.net/session
    The strip_tags() is used when printing the SID in order to prevent XSS related attacks.

    Printing the SID is not necessary if --enable-trans-sid was used to compile PHP.
    and the host must have session.use_cookies enabled, session.use_only_cookies disabled and session.use_trans_sid enabled if SID is not to be used.

    The following now works perfectly fine:
    PHP Code:
    ...
    $HTTP_SESSION_VARS["authorised"] = true;
    $id = strip_tags(SID);
    header ("Location: main.php?$id");
    ... 
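
An added example, not code from the thread: the redirect fix discussed above written with $_SESSION, where the session ID goes into the URL only if the browser did not return the session cookie, and a fresh ID is issued at login because an ID carried in a URL can be supplied through a link or leak through logs and the Referer header. The function names are hypothetical, and it assumes session.use_only_cookies is Off as in the phpinfo() output in post #1 and the session ID format of PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
// Assumes session.use_only_cookies = Off (as in the phpinfo() output above),
// otherwise main.php ignores a session ID passed in the URL.

// Return the redirect URL, adding the session ID only when the browser did
// not send the session cookie back with this request.
function redirect_target(string $page, string $name, string $id, array $cookies): string
{
    if (isset($cookies[$name])) {
        return $page;  // cookie works: keep the ID out of URLs, logs and Referer
    }
    // Assumption: IDs use PHP's default alphabet and length (PHP 7.1+).
    // Validate the format here; strip_tags() only removes HTML tags.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        throw new InvalidArgumentException('unexpected session ID format');
    }
    return $page . '?' . rawurlencode($name) . '=' . rawurlencode($id);
}

// Check the posted credentials (same hard-coded pair as the thread's login.php).
// Returns the URL to redirect to, or null when the login failed.
function login(array $post, array $cookies): ?string
{
    $user = $post['user'] ?? '';
    $pass = $post['pass'] ?? '';
    if ($user !== 'username' || $pass !== 'password') {
        return null;
    }
    // Issue a fresh ID at login: an ID that arrived in a link is dropped,
    // and passing true deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['authorised'] = true;
    return redirect_target('main.php', session_name(), session_id(), $cookies);
}

session_start();
if (isset($_POST['user'], $_POST['pass'])) {
    $target = login($_POST, $_COOKIE);
    if ($target !== null) {
        header('Location: ' . $target);
        exit;  // stop so nothing else is sent after the redirect
    }
    $errormessage = 'Wrong username and/or password! Please try again.';
}
```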

