Session Management

nbagley

Does anyone have a tip on how I can manage my sessions WITHOUT using the session id from PHP or using a cookie or using the ip to track someone?

I need to assign a unique key (session id) to each person who accesses this site. The user will not be directly accessing this application, but will be a third party app. It will function like this:

Client Site (what a user will be viewing) -> Application

The connection will be made through JavaScript setting link through a <IMG> tag, with the source being the app.

I need some way to set up session management without the use of PHP session ids because they simply don't work this way and I can't use cookies because I can not garantee that each user will have this option enabled.

Can anyone think of a way to identify each user with these limitations, so that it can be a primary key in a SQL database?

Thanks in advance.

McIheal

You can build the Website with the img-tag and the javascript in it by php and add an id in the src:

<img src="application.php?id=<?=$id_from_login; ?>">
OR
<script>
  document.img1.src="application.php?id=<?=$id_from_login; ?>";
</script>

can't you?

nbagley

No. I can't... I can not rely on the other server to have PHP, and not even Javascript (but that's not too big of deal... I have that one covered already). If I could do it with PHP, my worries would be over... bummer, huh? Thanks for the idea, though...

examancer

$_SERVER['REMOTE_ADDR'] would contain the user's IP address

Wouldn't the IP address work as a unique identifier that would work as the primary key?

I guess some ISP's use address translation to put multiple hosts on single IPs, so you could also use a combination of $SERVER['REMOTE_ADDR'] and $SERVER['REMOTE_HOST'], which is similar to how IRC networks identify/ban their users. If $SERVER['REMOTE_HOST'] isn't returning the results you want, gethostbyaddr($SERVER['HOST_ADDR']) should do the same thing.

stolzyboy

i wouldn't rely on remote_addr, think about how many people you would limit if you are looking into a company with a corporate lan with 1 ip, you would only have 1 unique id for the X amount of users on the corporate lan, since they have local ip's

examancer

wouldn't this get around the single IP/many users problem?:

$user = $_SERVER['REMOTE_HOST'] . "@" . $_SERVER['REMOTE_ADDR'];

or, if your server isn't configured to return hostnames you can do this:

$user = gethostbyaddr($_SERVER['REMOTE_ADDR']) . "@" . $_SERVER['REMOTE_ADDR'];

or something along those lines...

nbagley

Hmmm... I hadn't thought of that, but that still would limit the IP address to one user. As far as I know the remote host and remote IP would registar only with the server not the individual user, but it still is a very useful idea and I have to think if I can use it.

Can you think of anything that a browser would pass (besides the ip address) that would be unique to a individual computer system (not the server). I thought about something like using the browser configuation (i.e. $_SERVER['HTTP_USER_AGENT']), but that really won't work that well... just imagine if a 2 (or more) users have the same browser config. under that IP address.

So I guess I could do something like:

$_SERVER['HTTP_USER_AGENT'] .'@'. $_SERVER['REMOTE_HOST']

...or something like that to identify each user.

Thanks for that idea, examancer... you just narrowed down the problem, I think. Now if I can only identify each unique system in a network... I am good to go.

Nathan

examancer

anyone know how to get the MAC address of the client? I know there is no $_SERVER variable for it, but it should be obtainable. Plus, MAC addresses are supposed to be totally unique. However, I don't know if you would sometimes get the MAC address of the server instead of the client...