stop SID from showing

necron

Having considered all security risks involved, I have decided that my website needs to run without cookies and therefore turned on the trans_sid.

But now I am trying to stop the SID from being automatically appended to my URLs unless it is needed, but have been so far unsuccessful:

I have got a session variable that I want to follow around my website but only if a user has logged in. So let's assume I had a session variable called "userID". If userID exists, it means that the user has previously logged in and yes, I do want the SID to be appended to my URL string.

But if the user has not logged in (userID does not exist as a session variable) I don't want the SID to be appended.

The files that the user accesses are in both cases the same, so I always have to start the session at the beginning of the file to check whether the user is logged in or not and then display the appropriate information.

Has anybody got an idea if this can be done, and how?

Thanks heaps!

nunomira

hi,

When you use sessions, their ID is either stored in a cookie or appended to the url.

I think this is the logic:
When the user logs in successfully, the session that was started, is kept.
If login fails, the session that was started is destroyed, the same happens when the user is not logged in.

In the first case the ID may appear, in the second it doesn't.

I believe that although you have use_trans_sid On, you may still use cookies. Take a look at these in you phpinfo:

session.use_cookies
session.use_only_cookies
session.use_trans_sid