Session Problems

dynodins

Hello,

I have built a few websites now with PHP sessions. They always work fine on my computer when I test them, but I always have many problems with users. Most of the solutions that I find online all recommend that I modify the php.ini file which I can’t do because these sites are on shared hosting accounts. Here are the main problems...

Proxy Servers - When people are in a corporate environment and have their security cranked up or are behind proxy servers none of the session variables work. This ruins everything from the shopping cart even to the login. I have looked at my script over and over and it seems basic and works on all the computers I test so I don't think that's the issue.

Cookies - The only time I have problems are if I disable cookies. I talked to a more experienced PHP programmer and he says that cookies aren't even used on the users computer, only the server? That confuses me even more. I used the script that overrides cookies, but no dice? I even tried some scripts I found online to save the session data in a SQL database and couldn't get that to work either? Again, I have a hunch that I need to change something in the php.ini file, but again I have a shared hosting account, so no dice!

What do sites like amazon.com do with these issues? Even if they use .net or something else they I would think they use sessions and have the same issues?

Please HELP???

Bob_PHP_Builder

Well i know that even hotmail won't work unless you have cookies and javascript enabled (not sure on amazon). When ever i try disabling cookies completely i don't get very far. Setting everything to high or disabled won't get far on most sites.

dynodins

Isn't there a way around cookies? It's hard to believe that bigger sites like amazon rely on everybody having cookies enabled? I think it's a decent percent that don't have cookies enabled.

After researching this for a while, I came to the same cookie solution, but it just isn't flying with my clients, and there has to be a better way.

NogDog

For problems with proxy servers, it might be helpful to add the following header to the pages in question:

<?php
header('Cache-control: private, must-revalidate');

Also, make sure you're not running with session.use_only_cookies in effect, either by setting it to "0" in a .htaccess file or via ini_set() if you can't use .htaccess files for some reason.

bradgrafelman

dynodins wrote:
I talked to a more experienced PHP programmer and he says that cookies aren't even used on the users computer, only the server?

Unfortunately, he/she is mistaken.

The session.use-cookies directive allows PHP to send a cookie to the user that contains nothing but the session ID (commonly stored as 'PHPSESSID', though the session.name can be changed as well). By default, this is set to On (or "1").

The other way is to propogate the session id via the URL. Visit the man page for [man]session_start/man and you'll see in coding example #1 they used the SID constant to send the id via the URL. If you'd rather PHP did this automagically, look at this page talking about the "trans_sid" option.

MarkR

Normally sessions are maintained via cookies. This is the only secure way, the other way (session ID in query string) is unspeakably lame, and the trans_sid function of PHP messes with your HTML in a way I find quite disturbing.

Therefore, the only secure way to implement cookies is to enable session.use_only_cookies

Most corporate firewalls should allow cookies through or, as other posters have suggested, very few sites will work.

Of course one way you can get cookies through a corporate proxy server which strips them is to use HTTPS.

Mark

liquorvicar

I had a similar problem a while back with certain users who had a higher IE security setting than I had on my test machine. I found out that setting a Compact Privacy Policy in the headers solved this little problem. Of course, as mentioned above, if they have session cookies disabled there ain't much you can do!

dynodins

Thanks NogDog.

I will look at these options. The header tag makes sence to me as far as the proxy server goes. I already tried both options for use_only_cookies and pretty much any other cookie or session setting I could find, but still problems with users. Also, don't you have to have control of the server to create a .htaccess file? And I also read that some settings can't be overwritten via ini_set() including register globals and other major settings?

dynodins

Thanks bradgrafelman!

I think I am on the right track now, but still can't get it to work. I set the current settings in my files...

ini_set("session.use_cookies", "off");
ini_set("session.use_trans_sid", "on");

It does turn cookies off, but doesn't automaticaly send the session ID in the URLs like I have read they do. My question is... if you set enable use_trans_sid do you have to pass SID on every link of the site from here on out?

When I tested the site, it wouldn't carry over the session uless I pass the SID on every link, and when I did that, it was visible in the URL? I am confused about this? I am on a shared hosting plan and wonder if I can't use the ini_set to turn features on, but only off? Because it works to turn the cookies off, but not the transparent sid?

Any further advise you could give would be great!!!

Thanks!!!

MarkR

Having the session ID in a query string is inappropriate for general use as it is not secure, plus it is downright silly and ugly. Just use cookies. Really.

Get people to turn cookies on; have MSIE users get their compact privacy policy and use HTTPS if you have major problems with the corporate firewall.

If their browser works with (e.g.) yahoo, hotmail, it must have cookies enabled.

You can use ini_set() to enable any ini file setting which takes effect after the call to ini_set. This means that setting a session option will ONLY take effect if it's called before session_start().

Some ini settings (e.g. register_globals) take effect before the page starts; these can't be set with ini_set, obviously.

Mark

dynodins

Thanks Mark,

I am using cookies and it has an error page that explains how to enable them (stolen from yahoo) and this is ok, but I just think there is a better solution. The best would be to have control of the server, because some of the ini call just don't work no matter what I try. I know that most dynamic sites require cookies and it's concidered acceptable for the web, but again, I want a better solution.

Thanks for the response.

ATawfeek

Dear Sir,

Thank you for this important information
It really was very usefull for me in my work
where I was having the same problem of the cookie - session blocking problem.
your message was a key for me
I solved this issue now
Thanks,
ATawfeek

NogDog wrote:
For problems with proxy servers, it might be helpful to add the following header to the pages in question:
<?php
header('Cache-control: private, must-revalidate');
Also, make sure you're not running with session.use_only_cookies in effect, either by setting it to "0" in a .htaccess file or via ini_set() if you can't use .htaccess files for some reason.

dynodins

I have tried all these solutions, but still no luck with my current client. Again, they are behind a proxy server. I have tried all the ini_set solutions with no luck. Here are the other solutions I have tried...

Header Info: I added the following code to the header of my scripst - header('Cache-control: private, must-revalidate');

This was recomended that it work around the proxy server, but this doesn't work.
Passing session ID through a hidden form field through a post: I built a version that passed the session ID throught a hidden field on every page. This would allow the site to avoid using cookies or any temporary files stored on the users computer. I tested this on our side with cookies dissabled and it worked. With cookies dissabled I could not log in to yahoo mail or other popular websites. I think it is a standard practice that if you can't store cookies site's won't work. I want to still be functional with or without cookies, but this is still not working on the proxy server.

I know it is common practice to use cookies and if the user doesn't have cookies enabled then tough luck, but that just won't fly when the guy approving the project can't even see the website correctly. If anyone has any other solutions for me I would greatly appriciate it.

Thanks in advance!

ATawfeek

Greetings,
Dear dynodins,

I was having the same problem which you have from a few days ago, casue I develop by PHP WAP projects on mobil.

The problem had been solved, Thanks GOD and Thanks NogDog for his kindly message which was the key for me.

I would like to tell you few comments which were helpfull for me and I hopfully being helpfull to you too:

Must edit two lines in the php.ini file which are below :
session.use_only_cookies = 0 (ofcourse you know that to effect this line should remove the semi colum before the line)
session.use_trans_sid = 1

By this it must the new added parameter 'PHPSESSID' appears now when passing from page to another in case of blocking the cookie from the privacy from the internet options.

But the problem sir that there are some commands that you can't use in case of blocking the cookie like :

Session_Register() , Session_Isregister(), bla bla bla

so you must use only the common commands for the two cases (blocking and unblocking)
like :

IsSet(session....)

May be I repeated some words and some ideas which were said before from the kindly members but sorry that what I have and I would like to say it, who knows that may be I will be helpfull 🙂

Good Luck 🙂

dynodins wrote:
I have tried all these solutions, but still no luck with my current client. Again, they are behind a proxy server. I have tried all the ini_set solutions with no luck. Here are the other solutions I have tried...

Header Info: I added the following code to the header of my scripst - header('Cache-control: private, must-revalidate');

This was recomended that it work around the proxy server, but this doesn't work.

Passing session ID through a hidden form field through a post: I built a version that passed the session ID throught a hidden field on every page. This would allow the site to avoid using cookies or any temporary files stored on the users computer. I tested this on our side with cookies dissabled and it worked. With cookies dissabled I could not log in to yahoo mail or other popular websites. I think it is a standard practice that if you can't store cookies site's won't work. I want to still be functional with or without cookies, but this is still not working on the proxy server.

I know it is common practice to use cookies and if the user doesn't have cookies enabled then tough luck, but that just won't fly when the guy approving the project can't even see the website correctly. If anyone has any other solutions for me I would greatly appriciate it.

Thanks in advance!