IE privacy settings?

thefisherman

Hi!

I've been working on my stock-photography site now for ages, using php and MySQL and recently i discovered that my shop-cart does not work correctly when i test the site on other machines.

And i found out that IE's privacy setting was blokking some cookies and other things, though not sure because i do not use cookies on the site.

This is a bit strange to me, i've been using sessions. A friend called recently and said that after selecting 4 photographs (or any number) , viewing the cart resulted in a message saying: Your cart is empty

Checked the site and it works perfectly!

Ok, maybe it's quite a global question, but maybe someone has encountered this as well.

Any help would be appreciated!

thefisherman

OhLordy

I'm not sure of exactly how the sessions work but the SID (Session ID) is stored in a cookie when you use session_register() I think the only way to make truly cookie independent sessions is by building them up yourself in a database.
Please correct me if I'm wrong, I'm not very sure on this
Rob

Weedpacket

One can use sessions without cookies: if php.ini is configured with trans_sid turned on, then chances are that nothing more is needed - PHP will resort to putting the session ID in the URL (it has to put it somewhere that it will get sent back...)

If it isn't or doesn't work, you can put it in yourself by tacking on (as this forum does) a name-value pair in the query string of the URLs on your site. Easiest way to do that is probably to use the SID constant.

thefisherman

In reply to Weedpacket's reply:

What i did is use session_start() and save the session_id() to a variable.

Along with that i noticed that php is adding the SID to the url, which ofcourse is a good thing!

Everything worked, but at some point, IE started blocking some posts, probably from a form i am using.

I have a register page, which allows users to register so afterwards, when they come back, all they have to do, is login and the form is pre-populated with their personal data.

It's kind of a service to the customer..

Does IE block posts in scripts when the privacy level is set above medium?

Guess i'm kinda confused, maybe i should use method="get" instead of method="post" and then $_get the variable?

I'm not an expert (that's why the post 🙂)

Help is really appreciated!

thefisherman

jimson

Along with that i noticed that php is adding the SID to the url, which ofcourse is a good thing!

u didn't read the manual right...

There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.