Sessions and registered values

foxden

Hopefully someone can assist here:

I'm doing some very basic sessions,
login page that posts to a $PHP_SELF and
if username and password is found the 'page' displays. However, when linking to another page, all of the raw username and password gets put in the url. How can this be avoided? I tried url_encode and session_encode and the raw values were still showing in the url from page to page.

Any help would be greatly appreciated.

Thanks,
Josh

Anon

Why don't you use the html form post method to the php file instead of get.

Post and get are still not secure to sniffers, etc. though...

Matt

foxden

No, I think you misunderstood me. When linking to another page, just using <a href> all of the session variables show up in the url bar...

-Josh

rdhatt

Did you compile PHP with '--enable-trans-sid'?? It does exactly what you're describing.

You can check your compile settings by making a page with the following:
<? phpinfo(); ?>

More info at http://www.php.net/manual/en/ref.session.php

Anon

OK, sorry. If you're linking through a ahref link, that always uses get instead of post.

I'm still trying to understand what you've got going on, but I'm thinking it would be better to use a form post instead of a straight link.

foxden

Unfortunately, I'm on a "hosted" server, but that was the direction I was going in yesterday. Come to find out, it was showing in the URL bar because I was using GET on the login script to elimate "page expired" notices when using the browsers back button. I changed it to POST and it's ok now, just have to deal with the "page expired" notice. Any ideas on how to work around that?

Thanks,
Josh

Anon

So you want to use GET instead of POST? I'm still having trouble with the flow.

User brings up login page
Login page starts session and registers the username and password variables, then displays form to the user asking for username and password.

(Using a form with method POST will keep the u/p from being passed visually to the next step)

Is this page at the end part of the same login php file? You could put the "secret" page in another file and have it called from an include after the successful user evaluation. Me personally (I'm hosted also) I like to use htaccess-based password protection on my "sensitve" areas.

Tell me if this is way off base, because I feel like I'm still not understanding what's going on... Sorry...

foxden

No, your right on base, I've never used the include syntax so I will read up on that. I do have a "long" page that has the login part at the top, and if login is successful then the bottom 1/2 (sensitive area) is displayed. I had originally wanted to use GET because if the user clicks the browers back button it doesn't appear as expired and doesn't require a reload and click yes to confirm the 'repost'.

Anon

If you want to use one long page, I'm thinking you could do this:

1) session start, registers variable for hash

2) Page checks for hash var not being empty (created later, below)

3a) If hash is not empty, go to 4

3b) If hash IS empty, but there is a username and password var present, create a hash (remember this is a registered var with the session) and go to step 4

3c) If hash is empty and there is no user, and password, do the login/pass thing; user submits form; go back to step 1

4) Display the recipe for the secret sauce

foxden

I will try this, thank you very much for all of your help. It's great to know that the folks in the open source community care enough to help each other through problems just like this one.

Thanks again,
Josh