If I understood correctly, the first time start_session is used, the server will send both a cookie AND rewrite the links in the page with the sessionid appended to them. This seems logical, since at the first call for a session the server cannot know whether the browser will accept cookies or not. However, if I enclose the start_session in ob_start() and ob_end_flush(), even on the first page there is no link rewrite (i.e. no ?phpsessid=... is added to the links). How can this be explained? With the output buffering the server will send the cookie right after the flush, and perhaps the browser sends back a kind of acknowledgement before the page can be rewritten by the server? However, I checked the HTTP communication between server and browser and did not find a significant difference between the case with and without output buffering. The only thing I saw was a different port being used for some initial TCP/IP communication. However, I'm not an expert but would like to know the explanation of this behaviour anyway,
MPL
avoid sessionid URL rewrite
PHP doesn't automatically add the session ID to any URLs. You need to do it manually using the Global Variable $PHPSESSID once you have started your session. You then send it on the end of your URL as such:
Originally posted by chekote
PHP doesn't automatically add the session ID to any URLs. You need to do it manually using the Global Variable $PHPSESSID once you have started your session. You then send it on the end of your URL as such:
/index.php?PHPSESSID=92646398656be3488a2
As far as I know the latest PHP versions automatically select the way in which the SESSID is propagated (i.e. if transsid is set in the php.ini); in human language: if PHP sees that your browser allows cookies it will store SESSID in a cookie, but if not then the URLs will be rewritten automatically. However, the first time start_session is called the PHP engine cannot know whether your browser allows cookies, and URLs will be rewritten. For security reasons I would like to avoid this. The only question is: HOW?
Note that the second time start_session is called the PHP engine receives the cookie returned by the browser and knows it does not need to rewrite the URLs.
The only thing I can suggest is when you start a session, do a check to see if it's a new session. If it is then rewrite the URLs, if it's not then you can rely on the PHP auto detection that you mentioned. (Personally I never rely on such things, I would rather be safe than sorry.)
I have the same problem/question.
How can I make sure that, even the first time, sessid is not concatenated with the URL?
Altec123 could you post your code so I can test it with ob_start() and ob_end_flush()?
Tnx, narn
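One way to keep the session ID out of URLs even on the first request, as an added example that is not code from any poster in this thread: it turns off transparent SID rewriting, accepts the ID from cookies only, and checks the rendered page before sending it. It assumes PHP 7.1 or later; the function names `start_cookie_only_session` and `page_leaks_session_id` and the sample links are made up for illustration.

```php
<?php
// Added example: cookie-only session start plus a self-check of the rendered page.

function start_cookie_only_session(): void
{
    // Must run before session_start() and before any output is sent.
    ini_set('session.use_cookies', '1');       // propagate the ID in a cookie
    ini_set('session.use_only_cookies', '1');  // ignore IDs arriving in the URL
    ini_set('session.use_trans_sid', '0');     // never rewrite links with the ID
    ini_set('session.cookie_httponly', '1');   // keep the cookie away from scripts
    session_start();
}

// Returns true when the session ID appears anywhere in the HTML about to be sent.
function page_leaks_session_id(string $html): bool
{
    $id = session_id();
    return $id !== '' && strpos($html, $id) !== false;
}

start_cookie_only_session();

ob_start();
// Constructed sample page with relative links, the kind trans-sid would rewrite.
echo '<a href="/index.php">Home</a> <a href="/account.php?tab=1">Account</a>';
$html = ob_get_clean();

if (page_leaks_session_id($html)) {
    // Fail closed: do not ship a page that carries the ID in its markup.
    error_log('session ID found in page output; check session.use_trans_sid');
    http_response_code(500);
    exit;
}
echo $html;
```

The same three session settings can be placed in php.ini instead of being set at runtime; visitors whose browsers refuse cookies will then get a fresh session on every request rather than an ID in the URL.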