non-cookie sessions

Anon

I've been running this e-commerce site for quite a while now. i was using cookies becuase it was the easiest thing to do at the time. i am running into problems now with users who don't have cookies. i just need to run an ID through each page in order to keep track of their shopping cart items. i used $PHPSESSID and session_start() and that seems to work, but on the first page entered on the site you see the $PHPSESSID in any url you click off that page. any more clicks after that don't include the session id in the url. what's the deal with that and how can i be sure that cookies are not being passed to the user (i've read nearly all the articles on this at devshed and here.. nothing completely clarifies this for me). if anyone could help, it'd be great

perumati

Try registering a session using something like:

session_register("PHPSESSID")

to start the session
and calling to make sure the session is registered by using:

session_is_registered("PHPSESSID")

on all other pages

This would eliminate having to pass that variable through each URL.

Anon

That's bad advice. Here's how sessions work.

session_register() tells PHP to write the value of a variable into a server-side storage system at the end of a script so that it can be subsequently retrieved.

When you use sessions, PHP automatically hands the browser a session token. The session token ($PHPSESSID) is a key that allows the next interaction to retrieve the server-side stored data.

Storing the session ID as a session variable is like locking your car keys inside your car. While it may prevent you from losing your keys througha hole in your pants, it won't let you back into the car, so the effect is pretty much the same.

The right way to propagate session IDs in URLs is described in the manual. You use the constant SID, which evaluates to the session name, an equal sign, and the session ID ... if the user's browser will not accept cookies. If cookies are enabled, then SID evaluates to a null string, resulting in a cleaner URL.

Using SID, you explicitly embed the session information in the URLs that you employ for links or for redirects. This enabled idjits who disable cookies to use your session system.

shottie

Thanks Steve. I like your car keys metaphor.

I'm still kinda confused about the passing of the id (and what the SID is). What I understand it all to be is that if a browser is capable of cookies it uses them and if not, it passes the SID through the URL and that is used to find the other session variables at arrival to the next page (and if that's right, how do you retrieve the other session variables upon arrival). If this is all in the manual, no need to answer my questions.. i'm going to read up on it when i get back home. Thanks for your help.

Anon

is it a bad thing to have PHPSESSID passed in the URL security wise? i have seen many sites pass 'sid' in the url. how exactly would i go about doing that. the manual seems pretty broad (as i expected). if anyone could help, i would greatly appreciate it.