PHP Session IDs (and cookies! ugh!)

Anon

Hi,

Does anyone know how to force my PHP to use a PHPSESSID in the URI instead of doing it transparently with a cookie?

My host has session.use_cookies On, and unless I force IE to refuse cookies, it will not put the PHPSESSID in the URI.

Can anyone offer any ideas?

Thanks,

Joel

Anon

Why do you insist on doing it in the URL?

Perhaps you should roll-your own session handler; create a database that will hold session details, and a unique SESS_ID you can attach to all the URLS on your site.

Anon

Thanks Hayley.

I insist on putting the Session ID in the URL just for added security, as its for a admin control area of my website.

As for 'rolling' my own session handler - well Im a bit lost there 😉

/me owns up for being PHP newbie.

Any good tutorials going about? 😉

Thanks,

Joel

katkurisrinivas

Hello,
I want some help in PHP.
Can I have the Cookies Collection in PHP?? Is it present in PHP like in ASP.
If exists, Can send the syntax for Cookies collection in PHP...

I can send the code in ASP: I want the equivalent code in PHP:

<%
if Request.Cookies("SiteCount")(SiteVisited) <> "Visited" then
rs("HitCount") = 1
Response.Cookies("SiteCount")(SiteVisited) = "Visited"
end if
%>

If u know, Please send the reply...
Thanking u sir,

Regards,
Katkuri Srinivas
Web Developer,
Bangalore

Anon

Yes. See the manual.

http://www.php.net/manual/en/features.cookies.php

and for the sessioning API

http://www.php.net/manual/en/ref.session.php

Anon

I think it's far more dangerous to have it in the URL...

You have a table, "sessions" or whatever, in your database. It has a field for each variable you want to store in your session (and you might have to read up on serialisation if you'll be wanting to store things like arrays), and an additional field for storing your session ID. md5(time()) might do as a session ID.

You'll have to do something like

"SELECT * from sessions WHERE session_id='$session_id'"

to query the database for all fields where the session ID matches the one supplied in the URL (there isn't one? header('Location:login.php')😉. Maybe the session ID is an old one that someone pulled out of your cache or browser history, and isn't in the database any more: header('Location:login.php');. Maybe it is still in the database and you haven't cleared it out yet - they're now in your admin section.

With a successful query, get the field values, stick them into suitable variables, and you're under way.

You need to stick the session ID in all the links (and forms) in your admin section. I saw some Javascript on the documentation site that was said to do this automatically.

Clearing out the database is tricky - you need to write a substitute for PHP's garbage collection as well. Assuming there will only ever be one session at a time (there won't be multiple people using the admin session), a "DELETE FROM sessions" when some "logout" command is given ought to do the trick. Otherwise things can get stickier.

Anon

Oh ok, I'll stick to doing it with the original script, and having it done with cookies now, thanks <g>

Thanks again Hayley!