Originally posted by superwormy
Do PHP Sessions Use Cookies IF YOU ARE NOT PASSING THE PHP SESSION ID THROUGH THE URL?
Yes by default, but you have some choices in the php.ini whether to go with one or the other exclusively.
Originally posted by superwormy
How compatible are Session Cookies? I have found that there are lots of problems with Cookies, they seem kinda flaky. Are PHP Session Cookies as flaky as regular cookies? ( ie different browsers require diff parameters to be set and such, people turning them off... )
Usually parameter problems are by people not setting them properly. Session cookies only have two parameters, a name and a value. The cookie standard is pretty stable, although an occasional browser bug pops up. People will always turn them off. They should have named session cookies something else.
Originally posted by superwormy
Can I detect whether or not a user has accepted Sessions, and switch to passing it through the URL if they haven't? Or rather, HOW do I detect this?
I assume you meant cookies instead of sessions? Sessions are an exchange of interchanges between the client and server in which state is maintained from one page to the next, cookies are a tool used to help maintain them. If you are using PHP $_SESSION's, then PHP does it for you. If you want to manage your own sessions, you try to read the cookie and if it is not there you append the URLs.
Originally posted by superwormy
Is there a way, OTHER THAN PASSING VARIABLES THROUGH THE URL, and OTHER THAN COOKIES ( whether that be sessions or regular ), to keep track of a user while they're on your website? Something RELIABLE ( ie, not IP address )
There is always HTTP authentication:
http://httpd.apache.org/docs/howto/auth.html
Originally posted by superwormy
Say I'm passing a Session ID through the URL. I close the browser, then use the history to navigate back to a page which is passing the Session ID through the URL. Will I be resuming the previous Session ID, or will I be assigned a new one?
You will start a new one ([edit]unless the page has the session ID in the URL. If the page came from a POST then it will not. POSTed pages carry the session ID in a hidden input[/edit]). The session ID is the only link PHP keeps with you, you start a new session even if you type the address in the URL (unless you get a cached page, in which case you will be able to resume if the session has not timed out).
[EDIT] I should have mentioned, if $_SESSION's are the ONLY tool used to authenticate the user, then you will be able to get somebody else's session by typing THEIR session ID in the URL, aka 'session hijacking'[/EDIT]
Originally posted by superwormy
Thanks for all the help!
You're welcome.
Originally posted by superwormy
I'm still a newbie, so feel free to respond to my dumb questions with foul language and degrading comments! :-) I won't take offense I promise!
Not right now, but I'll take a raincheck.
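
Added example, not part of the original thread: the php.ini choice and the session-hijacking risk discussed above, shown as a cookie-only session setup that ignores IDs passed in the URL and issues a fresh ID at login. The function names are hypothetical, and the code assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and HTTPS.

// Accept the session ID from a cookie only, never from the URL or a form field.
function start_cookie_only_session(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1'); // ignore IDs sent via GET/POST
    ini_set('session.use_trans_sid', '0');    // never rewrite links with the ID
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,     // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,  // only sent over HTTPS
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the user's credentials have been verified.
function mark_logged_in(string $userId): void
{
    session_regenerate_id(true);    // new ID; the pre-login session is deleted
    $_SESSION['user_id'] = $userId;
}

// True when the browser sent the session cookie back on this request.
// Always false on a visitor's very first request, so check it on the second.
function client_returned_session_cookie(): bool
{
    return isset($_COOKIE[session_name()]);
}

start_cookie_only_session();

// With the settings above an ID in the query string is ignored; record the
// attempt so stale or shared links carrying a session ID show up in the logs.
if (isset($_GET[session_name()])) {
    error_log('Session ID supplied in URL from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}
```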