SESSIONS / user login page

drgnjucr

My question here is how can I sucessfully handle a session across pages when some of my pages are .js included files on a static html page?

Here is my real example:

uilogin.php <- login page
getAuth.php <- page to validate a users session
secured.php <- example secure page

A user attempts to access the "secured.php" page and that page will do an include to the "getAuth.php" page. If no valid session var's are defined, which the clip of code below does:

<---- if(!isset($SESSION['uid']) && !isset($SESSION['passwd'])) ---->

then the user will be taken back to the "uilogin.php" page. If they are found then the secured.php page will print.
This works out all good HOWEVER.

Once a sucessful login is established, each link you click will automatically append the PHPSESSID to the end of the url query string.

The problem is the core of my page is built from htm pages with included .js file for the dynamic menu content. If you click on any of the menu nav links, the PHPSESSID is NOT included?? Anyone know of a way to work around this? I guess I can turn the whole site into .php pages but I'm not sure I want to do this.

THANK YOU!!

devinemke

the default (and prefered) method of session propagation is using cookies. the alternative is to pass the session on the URL query string. if you set session.use_trans_sid = ON in your php.ini then PHP will do this for you automagically.

drgnjucr

I have it on, well, set to 1. I presume that 1 in on.

session.use_trans_sid = 1

I've only been with PHP for a couple weeks and really struggling here to get this to work. arg! 🙂

With this "session.use_trans_sid" option, it will automatically appned the phpsid to each url - right? It seems that it will append it, unless the links are generated via my js file.

If I could get a work around, that would be awesome. Is there any way, besided using a cookie that I can obtain the session information without sending it in the query string?

Do you know of any good tutorials using sessions & cookies?

Thanks!

drgnjucr

Actually, my mistake. It doen't retain any phpsid unless the page is .php DUH! my bad.

So, unless I convert the entire site to .php I would have to use cookies? Is there any other way to use the the phpsid without passing it in the query string?

devinemke

let's back up here.

cookies are the best (most secure) way of propagting sessions. PHP handles of of this for you. just make sure that session.use_cookies = ON is set in php.ini.

any pages that you want to use sessions with must be handled by PHP. typically this will only include pages with the .php extension however you can configure your webserver to parse any file extension you want (read your webserver's manual).

drgnjucr

Ok, I've configured my apache webserver to parse .js and .htm files as php and now the links do append "A" session ID to the end of the url.

Problem is, instead of appending the current session ID it's generating an new one?

I've tried adding <?php session_start() ?> to the header of the pages and this did not work.... I thought I read somewhere that you needed to do this in order to create, or use any sessions..