
View Full Version : How to never set a cookie??



RTrev
03-16-2007, 02:10 AM
I'm sorry if this is a common question, but I've searched all over and can't find it.

How do I establish and use a session, and NOT set a cookie at all? I know that using cookies is the default storage system, and that a line in (I believe) php.ini or some such file, can control this. But I'm on a shared hosting system, 1&1, and so don't have control of that file.

I have an "Initial Contact" form that people can fill out and email to me, and if they choose to include an email address I can reply to them. I generate a short, random password each time the form is used, and I need to save that value to compare to the one they entered after they submit. I also store the rest of what they entered, so if they blow the password they don't have to re-type everything all over again. When they are done with the form, I have no further desire to store anything, and so each of my other pages begins with ...


<?php session_destroy(); ?>

... just to make sure no data has been inadvertently stored in some way.

It's working fine, but I do NOT want to use cookies, and so far I've been unable to avoid having one set.

Any clues would be greatly appreciated!

Thanks,
Bob

Inigoesdr
03-16-2007, 02:17 AM
You can set "session.use_trans_sid" to true in .htaccess, and by using ini_set() iirc. The SID is passed in the URL.

RTrev
03-16-2007, 02:52 AM
You can set "session.use_trans_sid" to true in .htaccess, and by using ini_set() iirc. The SID is passed in the URL.

Hmm. Thanks.. that gives me a place to start!

Putting

session.use_trans_sid true

in my .htaccess with or without the prefix of php_ gives me a 500 server error. Putting



<?php
ini_set('session.use_trans_sid', true);
session_start();
?>


at the top of my php file doesn't seem to do anything.. and I still get a cookie set. Is it possible that 1&1 doesn't allow me to use sessions without cookies?

Inigoesdr
03-16-2007, 03:08 AM
Try these in your .htaccess:

php_value session.use_cookies "0"
php_value session.use_only_cookies "0"
php_value session.use_trans_sid "1"
And/or:


ini_set('session.use_cookies', 0);
ini_set('session.use_only_cookies', 0);
ini_set('session.use_trans_sid', 1);
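As an added example (not code from the thread), here is how those three ini_set() calls can be applied and checked within the same request, so you can tell whether the host actually lets you change them before you chase anything else; it also uses PHP's built-in SID constant to carry the id in a link yourself, which works even when use_trans_sid rewriting is unavailable. The directive names are PHP's own; contact.php is a placeholder.

```php
<?php
// Added example, not from the thread: configure a cookieless PHP session at
// runtime and report whether the host honoured each setting. This must run
// before any output and before session_start().

function configure_cookieless_session(): array
{
    $wanted = [
        'session.use_cookies'      => '0',  // do not send Set-Cookie
        'session.use_only_cookies' => '0',  // accept the id from the URL too
        'session.use_trans_sid'    => '1',  // rewrite relative links/forms
    ];
    $result = [];
    foreach ($wanted as $directive => $value) {
        // ini_set() returns false when the directive cannot be changed here,
        // e.g. because the host locked it with php_admin_value.
        $applied = ini_set($directive, $value) !== false;
        $result[$directive] = ['applied' => $applied, 'now' => ini_get($directive)];
    }
    return $result;
}

$status = configure_cookieless_session();
session_start();

// SID is "PHPSESSID=<id>" when no session cookie arrived with the request,
// and "" when one did. Appending it by hand does not depend on trans_sid.
// Caveat: an id carried in the URL shows up in Referer headers, browser
// history and server logs, and use_only_cookies=0 lets a visitor supply
// their own id, so regenerate the id once anything sensitive is stored.
$link = 'contact.php' . (SID !== '' ? '?' . htmlspecialchars(SID) : '');  // placeholder target

header('Content-Type: text/plain');
foreach ($status as $directive => $s) {
    printf("%-26s applied=%-3s now=%s\n", $directive, $s['applied'] ? 'yes' : 'no', $s['now']);
}
echo "session id: ", session_id(), "\n";
echo "link:       ", $link, "\n";
```

Load the script twice: if the second request still shows applied=no for any directive, the setting is locked at the host level and no ini_set() or .htaccess tweak will change it.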

RTrev
03-16-2007, 03:21 AM
Try these in your .htaccess:

php_value session.use_cookies "0"
php_value session.use_only_cookies "0"
php_value session.use_trans_sid "1"
And/or:


ini_set('session.use_cookies', 0);
ini_set('session.use_only_cookies', 0);
ini_set('session.use_trans_sid', 1);


Okay, the .htaccess code gave me the 500 - Internal Server Error, and removing the .htaccess and using the php code caused my page to cease working.. that is, it didn't remember the password after the submit and so causes each attempt to fail because a new password is generated on entry to the page given that one doesn't already exist.

I copy/pasted your code, so no typos crept in.

Really appreciate the help.. and I think I'm getting closer.. at least this last round made something change. :) Maybe I'll have to just live with setting cookies, but I so detest that idea. I want a clean site that doesn't try to execute any client-side scripting and that doesn't use cookies for anything unless they are truly needed and wanted by the visitor to maintain state between visits. I don't have anything running that requires that yet.

Thanks again!

Bob

Inigoesdr
03-16-2007, 03:39 AM
I just did a simple form to set/get the password after setting it and forcing the URL session id, and it worked fine. Are you storing the password after starting the session when you POST/GET it? Why are you so against cookies anyway?

RTrev
03-16-2007, 04:07 AM
I just did a simple form to set/get the password after setting it and forcing the URL session id, and it worked fine. Are you storing the password after starting the session when you POST/GET it? Why are you so against cookies anyway?

Are you per chance using 1&1 hosting? If so, I don't know why it won't work for me.

I start the session at the very top of the page, and after I've generated the password code I simply do this:


session_register('pass'); // deprecated; $_SESSION['pass'] = $pass; is the equivalent

It works fine if I allow the cookies, so I presume I'm setting up my session correctly. I'm a newbie, though, so nothing is for certain in that respect.

As for being against cookies, I guess I'm just being a purist and a perfectionist. :D It's my first site, and I want it to be right. If someone comes along who doesn't accept cookies, I want it to still work precisely the same. And why have the overhead of sending and then reading back a cookie, in a matter of milliseconds, which isn't needed for any other purpose? It seems like a kludge.

I have a friend who runs a site precisely the way I'd like to run mine, and his sentiments are summed up here:

http://www.grc.com/privacy.htm

It's just something that I feel strongly about.. not doing anything on my site that requires the user to do anything that THEY might not want to do. And especially if it's just a kludge because I can't figure out how to do it right. Make scents? :)

Bob

Inigoesdr
03-16-2007, 04:59 AM
I just tried it on a 1and1 server and it did not work. They probably have it blocked for security reasons. You're going to have to switch hosts(hah), use your own custom system, use cookies, or there's probably something else that I can't think of right now. Someone else will probably chime in with another possibility too. Good luck!

felgall
03-16-2007, 06:11 AM
As for being against cookies, I guess I'm just being a purist and a perfectionist. :D It's my first site, and I want it to be right. If someone comes along who doesn't accept cookies, I want it to still work precisely the same. And why have the overhead of sending and then reading back a cookie, in a matter of milliseconds, which isn't needed for any other purpose?

Sessions set session cookies that are stored in the browser and so they don't take any time for reading/writing because no reading or writing takes place. If cookies are disabled the session id usually gets appended to the URL as a querystring. There is no difference to the overhead, it just makes the address bar look slightly less tidy but since visitors with session cookies disabled always see it that way while those with session cookies enabled have the browser pass the session id between pages internally to the browser there isn't any significant difference between the two. Sessions don't require the type of cookie that writes anything out to a file since the session can't continue if the browser is closed. Very few people disallow session cookies since it is only third party cookies stored on your hard drive that have a privacy issue.

RTrev
03-16-2007, 11:57 AM
Sessions set session cookies that are stored in the browser and so they don't take any time for reading/writing because no reading or writing takes place. If cookies are disabled the session id usually gets appended to the URL as a querystring. There is no difference to the overhead, it just makes the address bar look slightly less tidy but since visitors with session cookies disabled always see it that way while those with session cookies enabled have the browser pass the session id between pages internally to the browser there isn't any significant difference between the two. Sessions don't require the type of cookie that writes anything out to a file since the session can't continue if the browser is closed. Very few people disallow session cookies since it is only third party cookies stored on your hard drive that have a privacy issue.

If I'm understanding you correctly, then, for example, if I want to store the message text of the message the user is writing to me so that it can be refreshed after the submit if some problem occurs, we don't end up with a cookie containing all of this text sitting on the user's machine, even if only briefly? All it will contain is the sessionid value? The actual *data* that has been registered in that session will *not* be on the user's machine? That is making it sound a lot better.

If I hear you right, it's more efficient to use them than to try to avoid them? And the URL will *automatically* handle the details if someone shows up with cookies disabled, so I have to do nothing at all differently in my code to allow for those folks?

That all being the case, I guess I'd better get over the cookie thing and just keep on coding. :)

I'll experiment some more, using the routine with and without cookies enabled, and see how I make out. In any event, it's beginning to appear that my hosting service is giving me no choice in the matter.

Thanks for the info!

Bob

RTrev
03-16-2007, 12:04 PM
I just tried it on a 1and1 server and it did not work. They probably have it blocked for security reasons. You're going to have to switch hosts(hah), use your own custom system, use cookies, or there's probably something else that I can't think of right now. Someone else will probably chime in with another possibility too. Good luck!

Thanks for going to all the trouble of testing it for me. Much appreciated!

I even thought about writing the information to a little file on the server, or storing it in a MySQL database, but that seems like it would really be overkill. :)

Thanks again!

Bob

Inigoesdr
03-16-2007, 05:16 PM
If I'm understanding you correctly, then, for example, if I want to store the message text of the message the user is writing to me so that it can be refreshed after the submit if some problem occurs, we don't end up with a cookie containing all of this text sitting on the user's machine, even if only briefly? All it will contain is the sessionid value? The actual *data* that has been registered in that session will *not* be on the user's machine? That is making it sound a lot better.
Yes, all that is stored on the user's machine is the session id.

If I hear you right, it's more efficient to use them than to try to avoid them?
Yeah..

And the URL will *automatically* handle the details if someone shows up with cookies disabled, so I have to do nothing at all differently in my code to allow for those folks?
Correct, in theory. 1and1 could have the URL method disabled altogether, though.

I even thought about writing the information to a little file on the server, or storing it in a MySQL database, but that seems like it would really be overkill.
1and1 probably won't let you, but sessions can actually be setup to use the database to store the information.

aedrin
03-16-2007, 05:55 PM
I have a friend who runs a site precisely the way I'd like to run mine, and his sentiments are summed up here:

http://www.grc.com/privacy.htm

I honestly feel sorry for your friend.

A website written in assembly (as far as that is true) is crazy.

Just because some people are maniacs about privacy, shouldn't mean that you waste thousands of hours writing things in assembly, and writing roundabout ways for simple solutions.

When I read that, I was expecting "April Fools" at the bottom.

They may sell products that concern privacy, but it's a website. That sells what, software? Why would anyone ever care if people found out they bought HD recovery software, or some other product. If this was an important thing like tax information, maybe it would be acceptable.

Just wow...

At least I understand your hesitation with cookies now ;)

RTrev
03-16-2007, 06:26 PM
I honestly feel sorry for your friend.

A website written in assembly (as far as that is true) is crazy.

Just because some people are maniacs about privacy, shouldn't mean that you waste thousands of hours writing things in assembly, and writing roundabout ways for simple solutions.

When I read that, I was expecting "April Fools" at the bottom.

They may sell products that concern privacy, but it's a website. That sells what, software? Why would anyone ever care if people found out they bought HD recovery software, or some other product. If this was an important thing like tax information, maybe it would be acceptable.

Just wow...

At least I understand your hesitation with cookies now ;)

I should ask Steve to post some of his code.. he did once.. and it's gorgeous. If you know what you're doing, you can be as productive that way as in any other language. During intense testing periods, he will release 30 changes in one day for little things for us to try. He has a nice library of functions built up, and his code is readable and clean and easy to understand. It looks more like a well-written example of a high-level language. Of course his final products are 20K instead of 30 Megs of bloat! :) He's a unique guy! :thumbsup:

RTrev
03-16-2007, 06:30 PM
Correct, in theory. 1and1 could have the URL method disabled altogether, though.

What would I look for in phpinfo() that would tell me that? Or I can just wait until I get home and test it. I'll be quite disappointed if they've done such a thing, and would presume that they must get a lot of complaints if so?

Thanks,
Bob

aedrin
03-16-2007, 06:38 PM
It's still assembly code.

Which makes me wonder, why assembly? What is the point of using assembly versus a higher level language?

I understand there is a difference in size (although not as extreme as you suggest), and speed as well. But speed is negligible in the current internet situation. So what is left as a benefit? A higher level language will always be more readable than assembly, it's their purpose actually.

Sure, I could take a few wires and some electrical components and make my own computer. But why?

RTrev
03-16-2007, 06:46 PM
It's still assembly code.

Which makes me wonder, why assembly? What is the point of using assembly versus a higher level language?

I understand there is a difference in size (although not as extreme as you suggest), and speed as well. But speed is negligible in the current internet situation. So what is left as a benefit? A higher level language will always be more readable than assembly, it's their purpose actually.

Sure, I could take a few wires and some electrical components and make my own computer. But why?

He *loves* programming, and he wants his code to be small and lean and fast and tight. He also wants complete control of what's going on. It might be better to visit his newgroups and ask him as he will explain it much more articulately than I'm able to. But I've never seen anyone who can crank out high-quality code any faster than he can. The only bugs we usually find are typos in the explanatory text and so on. I'll look for the code example he posted. But the bottom line is that he lives for this stuff.. he loves it.. he does it for the pure joy of it. He needs to answer to nobody, so can do things the way he wants to do them.. and this was his choice. As to precise details about why assembler, I don't know for certain except that he's a perfectionist. :)

aedrin
03-16-2007, 07:40 PM
I love to program too. I guess the difference being that for some projects I have people to answer to.

I also love to have everything lean and tight. Which is why I prefer coding my own generic packages, as opposed to using PEAR, frameworks, etc.

I suppose it's all about how far are you willing to take it.

It also matters when you started programming. Someone who started when assembly was more common would be a lot more comfortable with writing assembly.

RTrev
03-16-2007, 07:48 PM
I love to program too. I guess the difference being that for some projects I have people to answer to.

I also love to have everything lean and tight. Which is why I prefer coding my own generic packages, as opposed to using PEAR, frameworks, etc.

I suppose it's all about how far are you willing to take it.

It also matters when you started programming. Someone who started when assembly was more common would be a lot more comfortable with writing assembly.

Yes, he's been around a while. I believe he wrote the driver for the first laser printer. :-) His SpinRite program allows him the luxury of paying for all the free things he puts out like ShieldsUp, and all of his little security utilities, etc.

It's all a matter of we do the best we can with what we have to work with and the constraints (or lack thereof) placed upon us. Plus individual preferences, skill levels, etc.

I didn't mean to sidetrack the thread with the assembler language issue.. I was more trying to point out his philosophy about respecting visitors to the site, and how I'd like my site to come as close to that ideal as I can. I thought his privacy policy spelled it out quite nicely, but in retrospect I guess it kind of backfired. :eek: Sorry about that!

aedrin
03-16-2007, 08:05 PM
There's no reason to apologize. It's your thread ;)

I work on freely available things too in my spare time. I enjoy working on those projects, and I don't care that I don't make money off of it since I get to program and do what I want with it.

I just feel like certain things can be taken too far. It doesn't seem to me that his website would require that much effort/work to keep people's "privacy" intact.

Privacy is becoming a buzz word, and many people don't understand the point behind it. One shouldn't ask for privacy for the mere fact of having it.

I don't care if people know what websites I visit. The only reason I can think of that people wouldn't want it to be known is if they are doing something that is either illegal, or confidential.

RTrev
03-16-2007, 08:12 PM
Do you think that my setting a session cookie presents no problems then, in terms of a reasonable approach to respecting visitors to the site? I really don't know, but I see that virtually every single site I visit sets one. And I accept them as long as they are first-party.

Maybe I'm going overboard with this. Tonight or tomorrow I'll get my routine working as well as I can with a cookie, and then set my browser to reject all cookies and see what happens. If it works, I'm tempted to say good enough. If it breaks, then maybe it's time for a call to 1&1 support to see if they can offer a suggestion.

Thanks for your feedback on this one. I'm way over my head, and need all the course corrections people are willing to provide! :)

aedrin
03-16-2007, 08:32 PM
I virtually never use cookies, except for session tracking.

I understand your worry about things breaking when cookies don't work. And I agree.

But I believe PHP has done this for a long time and it works quite well. When cookies are disabled, it just changes your URLs to append the session ID, which can look a little weird.

Cookies are fine to set, as long as they are set to be destroyed when the browser closes. This prevents tracking and keeps sessions working.

There might be an option to destroy all cookies on browser exit. This would be the next step down from disabling all cookies. And this would prevent a lot of "privacy issues".

And don't thank me. I wish I had help when I was learning PHP. That's one of the key elements of learning a programming language. You can read many books, tutorials and FAQs. But in the end, the most helpful thing is a real person. Because it is just so much easier to ask regarding a specific situation.

If documentation answered all questions, people would never read it.

felgall
03-16-2007, 09:03 PM
Setting a session cookie stores the session id within the browser itself and all the session variables are stored server side. Nothing gets written to your visitor's computer and the session id is automatically deleted on their end when they close their browser if they don't explicitly select the option you provide to end their session (if you provide one). The session timeout settings on the server will ensure that the session variables are automatically deleted after a given time period (the default is usually set to 2 hours) but they wouldn't be accessible without knowledge of the session id in any case.

Disabling the ability of setting the session id in a query string may make the session more secure as someone trying to hijack a session would have an easier time entering the session id that way rather than creating a session cookie although this would only affect novices trying to hijack someone else's session who know 99% of how to do it and overlooked learning the other 1%. Protecting user sessions from being hijacked is more a matter of how you use the sessions rather than the method that is used to store the session id.

To see how sessions are configured on your server simply run a page that displays phpinfo() and then do a find on "session" to see all the session configuration.

RTrev
03-16-2007, 10:42 PM
Well, I'm back to square one. My page works fine with cookies enabled, and breaks when I set my browser to block cookies from my site. :confused:

I'd post the output of the phpinfo() section on sessions, but am not sure how to do it properly. I'll just try copy/paste and put it inside code tags and hope for the best.



session
Session Support           enabled
Registered save handlers  files user

Directive                   Local Value   Master Value
session.auto_start          Off           Off
session.bug_compat_42       On            On
session.bug_compat_warn     On            On
session.cache_expire        180           180
session.cache_limiter       nocache       nocache
session.cookie_domain       no value      no value
session.cookie_lifetime     0             0
session.cookie_path         /             /
session.cookie_secure       Off           Off
session.entropy_file        no value      no value
session.entropy_length      0             0
session.gc_divisor          100           100
session.gc_maxlifetime      1440          1440
session.gc_probability      1             1
session.name                PHPSESSID     PHPSESSID
session.referer_check       no value      no value
session.save_handler        files         files
session.save_path           /tmp          /tmp
session.serialize_handler   php           php
session.use_cookies         On            On
session.use_only_cookies    Off           Off
session.use_trans_sid       Off           Off


Sorry about the formatting. Does anything here suggest that 1&1 simply won't let me do what I want? I notice that session.use_only_cookies is set to OFF, which seems like a good sign?

Would posting the code of my page be of any use, or would it just clutter up the board? I could also post a link to the page if that would help any.. perhaps seeing the output would be useful in diagnosis.

And, btw, did I think to say thank you for all the help??!!

Thanks,
Bob

aedrin
03-16-2007, 10:57 PM
session.use_trans_sid Off Off

This prevents it from working.

Sounds like if you want it on you will need to contact your host.

RTrev
03-16-2007, 11:22 PM
This prevents it from working.

Sounds like if you want it on you will need to contact your host.

Well, I'll do that, but perhaps in the meantime you folks could give me your take on whether I even need to establish a session for this.

I have found that spam bots are getting better and better at breaking "encoded" mailto: links on pages. I removed all of mine, and created a form a user can use if they want to initiate contact with me. It can *only* send mail to me, and nobody else. It offers them a spot to enter their name and email address, both optional, and a place to write their message to me. I remind them that if they want a reply then to remember to put in a working email address I can reply to.

My concern is abuse. What if somebody put in a bunch of messages using other people's email addresses? I'd end up sending unsolicited mail to each person.

I'm also wondering about malicious bots which could send me thousands of messages and basically put me into a DOS state, if not getting my account suspended altogether.

So I thought I should really have something like a CAPTCHA on this page, or at least display say 8 random characters which had to be entered into a code field before each message was sent. Herein lies the problem. I need to store the code I gave them so that I have something to compare to once they've submitted the form. I can't do that without sessions.

Question: Am I being overly paranoid? Or is this a real concern? I don't think just bombarding me with email would be attractive to a bot, but who knows how the bot is programmed to operate?

Do I need this "feature" at all? If so, perhaps I could tell them to pick the 2nd, 3rd, and sixth letters from the site logo at the top of the page, and then just hard-code the "code" so that I wouldn't have to be storing anything created on the fly.

My guess is that calling 1&1 will net me a painful conversation with somebody who speaks a heavily-accented version of English, and who will make me hold for a half hour before telling me that they were told that it can't be changed. This has been my experience in the past when I tried to get them to update OpenSSL which is over FIVE years old and missing all the security fixes that were done in the intervening years. But I'll try it. I just wonder if I need it for this particular application? Thoughts?

Thanks,
Bob

Inigoesdr
03-17-2007, 12:07 AM
Question: Am I being overly paranoid? Or is this a real concern? I don't think just bombarding me with email would be attractive to a bot, but who knows how the bot is programmed to operate?
No, it's a legitimate concern.

Do I need this "feature" at all? If so, perhaps I could tell them to pick the 2nd, 3rd, and sixth letters from the site logo at the top of the page, and then just hard-code the "code" so that I wouldn't have to be storing anything created on the fly.
You could do something clever like that, or asking them a simple question that everyone should know(what's 4 - 2 + 1? or similar), or have a list of questions that change based on the day and some other semi-random factor, or manually change them every so often.

My guess is that calling 1&1 will net me a painful conversation with somebody who speaks a heavily-accented version of English, and who will make me hold for a half hour before telling me that they were told that it can't be changed. This has been my experience in the past when I tried to get them to update OpenSSL which is over FIVE years old and missing all the security fixes that were done in the intervening years. But I'll try it. I just wonder if I need it for this particular application? Thoughts?
OpenSSL for this? No, you shouldn't. It's a bit of overkill in this situation in my opinion.

RTrev
03-17-2007, 12:34 AM
No, it's a legitimate concern.

You could do something clever like that, or asking them a simple question that everyone should know(what's 4 - 2 + 1? or similar), or have a list of questions that change based on the day and some other semi-random factor, or manually change them every so often.

Yeah, maybe I'll do that until I can get an answer from 1&1. I just called, and their machine said they were so swamped with calls that it wouldn't even put me in a wait queue.. it just said to try some other time. Sigh.


OpenSSL for this? No, you shouldn't. It's a bit of overkill in this situation in my opinion.

No, I'm sorry.. I phrased my statement poorly. I was just using the OpenSSL example as the kind of response I expect to get when I broach *this* subject to them. The OpenSSL was for an unrelated project.

I could just manually change the code every so often, but all it takes is one bot a few minutes to wreak havoc.

Another option would be to simply tell them that the form only works if cookies are enabled. Now that seems bad.. they'll immediately begin wondering why I need a cookie if I promise I'm not storing anything about them.

What if I used the form action to append the code to the page during the submit, and then read it back with a GET after submission? All they would see in the URL would be somepage?code=whatever and they already know the whatever part, and it would change with each entrance to the page, so there might be an easy way to do this without any sessions at all?

I'll go and play for a while with this while waiting to see if 1&1 will ever accept my help call. :)
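As an added example that is neither code from the thread nor from rtrev.com: the "without any sessions at all" idea above can be made tamper-resistant with a different technique, an HMAC-signed token in a hidden form field, so the server stores nothing and the plain code never travels in the URL. The names (issue_challenge, verify_challenge, $secret) are assumptions of this example; $secret must be a long random value that stays on the server.

```php
<?php
// Added example, not from the thread: a stateless challenge code for the
// contact form. The page shows the visitor a code and a hidden token; the
// token carries only an expiry and an HMAC, so it cannot be forged or
// edited without the server secret, and no session or cookie is needed.

const CHALLENGE_TTL = 600;  // seconds a code stays valid

function random_code(int $len = 8): string
{
    // unambiguous characters only (no 0/O, 1/I/l)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $code = '';
    for ($i = 0; $i < $len; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $code;
}

function challenge_mac(string $secret, string $code, int $expires): string
{
    // binds the code to its expiry; the code itself is not in the token
    return hash_hmac('sha256', $code . '|' . $expires, $secret);
}

// When rendering the form: the code to display and the hidden-field token.
function issue_challenge(string $secret, int $now): array
{
    $code    = random_code();
    $expires = $now + CHALLENGE_TTL;
    $token   = $expires . '.' . challenge_mac($secret, $code, $expires);
    return ['code' => $code, 'token' => $token];
}

// On submit: recompute the MAC from what the visitor typed and compare.
function verify_challenge(string $secret, string $token, string $entered, int $now): bool
{
    if (!preg_match('/^(\d+)\.([0-9a-f]{64})$/', $token, $m)) {
        return false;  // malformed or edited token
    }
    $expires = (int) $m[1];
    if ($now > $expires) {
        return false;  // stale page: a solved code cannot be replayed forever
    }
    $entered  = strtoupper(trim($entered));
    $expected = challenge_mac($secret, $entered, $expires);
    return hash_equals($expected, $m[2]);  // constant-time comparison
}

// Demonstration with a constructed secret and a fixed clock value.
$secret = 'replace-with-a-long-random-server-secret';  // placeholder
$now    = 1174089600;                                  // constructed timestamp
$c      = issue_challenge($secret, $now);

var_dump(verify_challenge($secret, $c['token'], $c['code'], $now + 30));    // correct code
var_dump(verify_challenge($secret, $c['token'], 'WRONGONE', $now + 30));    // wrong code
var_dump(verify_challenge($secret, $c['token'], $c['code'], $now + 1000));  // after expiry
```

This defeats forged and stale submissions, not a bot that reads the code straight off the page, and within the TTL one solved code can be resubmitted, so pair it with rendering the code as an image and some per-address rate limiting.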

RTrev
03-17-2007, 02:35 AM
Well, it's working! Now I just have to pretty the page up a bit.. it looks kind of dumb the way it is now, because I "cleverly" centered everything.

I don't know if this is secure enough yet. Probably the suggestion of posing a question would be better than just presenting a code to type in or copy/paste in.

Are we allowed to post links to our pages here, if anyone feels inclined to look at it and see if they can offer suggestions for improvements? I saw in the rules that we can't post advertisements, but since I don't sell anything perhaps I could get away with giving a link? I'd better wait until I hear before I do.

Again, appreciate all of your help!!! This forum is super!

Bob

Inigoesdr
03-17-2007, 06:23 AM
Glad you got it working. Did you get through to 1and1?

Are we allowed to post links to our pages here, if anyone feels inclined to look at it and see if they can offer suggestions for improvements? I saw in the rules that we can't post advertisements, but since I don't sell anything perhaps I could get away with giving a link? I'd better wait until I hear before I do.
I don't think it will be a problem. It's not like you were posting "CLIK HEAR!!!! <link>."

RTrev
03-17-2007, 06:34 AM
Glad you got it working. Did you get through to 1and1?

No, I got too busy working on the code. :rolleyes: From the sounds of things, it would have been a long wait. I'll get in touch with them though, because session handling is too important, it seems, to not know how to do it right.


I don't think it will be a problem. It's not like you were posting "CLIK HEAR!!!! <link>."

Okay, anyone who is interested, the site is http://rtrev.com and if you click on the "Administrative Contact" link it will take you to the form page I've been tormenting you all about. :) Don't be gentle.. if you think it's crappy, please tell me. If you can think of a way it could be too easily exploited please feel free to try to do so. I'm in learning mode, as the bare, austere and simple nature of the test site will attest to more eloquently than I ever could in words! :)

Feel free also to send some notes, to test it out.

Thanks again!!

Inigoesdr
03-17-2007, 08:25 PM
You should show the code as an image. Otherwise it kinda defeats the purpose of having it. ;p

RTrev
03-17-2007, 08:31 PM
You should show the code as an image. Otherwise it kinda defeats the purpose of having it. ;p

Yeah, but there are a few problems there. One, I don't know how to do it yet. :) And two, I keep reading about Accessibility problems for people with various disabilities trying to deal with the distorted CAPTCHA images and even those which include audio.

I figured this would at least slow the abuse down a bit... while I study more about how to create images on the fly. As long as they can only send mail to me, and have to take a moment to figure out the code thing, might that not be sufficient to prevent most abuse?

Back to the books and Google about those images! :)

RTrev
03-21-2007, 01:09 PM
This prevents it from working.

Sounds like if you want it on you will need to contact your host.

Well, here's what my host, 1&1, said..


Those are just configurations that control how Sessions behave. He can
still use sessions using $_SESSION, etc. If those configurations are the
defaults, then SESSIONS would still work.

That was the extent of their advice, via email that I just received. I'm not sure who the "he" is they are referring to here, as it was my problem.. maybe they're quoting one of the tech gurus.

Okay, guess I need to look into $_SESSION more. Wish I were at home where I could play with this, but I'm at work running a help desk and typing here between calls. :-)

aedrin
03-21-2007, 02:53 PM
That was probably a direct forward ;)

Don't you love it how tech support for a paid service usually is worth nothing, unless you're paying them $100+ a month for it?

I had the exact same thing happen to me this week. So much for their reputation ;)

Anyway. All you can do is see whether it really isn't working when it should.

Use ini_set() to set the proper configuration value for session.use_trans_id. Then echo out the configuration with phpinfo(). See if that changed it. Then put a link on that page, turn off cookies and see whether it looks like: link.php?SID=WD90AOWIJD209832Q1, something like that anyway. ;)

RTrev
03-21-2007, 03:11 PM
That was probably a direct forward ;)

Don't you love it how tech support for a paid service usually is worth nothing, unless you're paying them $100+ a month for it?

More than I can possibly express. :(


I had the exact same thing happen to me this week. So much for their reputation ;)

I've heard various people say that 1&1 is pretty good for uptime, speed, general stability.. but if you need help, well, :rolleyes:


Anyway. All you can do is see whether it really isn't working when it should.

Use ini_set() to set the proper configuration value for session.use_trans_id. Then echo out the configuration with phpinfo(). See if that changed it. Then put a link on that page, turn off cookies and see whether it looks like: link.php?SID=WD90AOWIJD209832Q1, something like that anyway. ;)

Just to make sure I'm clear, that ini_set() should be placed as you already showed me above, right? Or perhaps I should put it directly in my PHP page also/instead?

I can't believe that they wouldn't support this, and their note makes it sound like they think they support it. I'll find out later tonight or tomorrow!

aedrin
03-21-2007, 03:17 PM
I'd hope they support this. Otherwise it is a pretty bad host. It's an important part of sessions. Not everyone wants to accept cookies.



// The ini key is session.use_trans_sid (not use_trans_id), and it must be
// set before the session is started or the URL rewriting never kicks in.
ini_set('session.use_trans_sid', true);
session_start();
echo '<a href="test.php">Test Link</a>';
phpinfo();

RTrev
03-21-2007, 09:42 PM
Okay, I put in this code:



<?php

// use_trans_sid is read when the session starts, so configure it first;
// the key is spelled session.use_trans_sid, not use_trans_id.
ini_set('session.use_trans_sid', true);

session_start();

// session_start() only returns true/false; the id itself comes from session_id()
$sid = session_id();

echo '<a href="http://rtrev.com/">Test Link</a>';

phpinfo();

?>

And I tried the link, I came back to the page, no matter what the phpinfo page still tells me that session.use_trans_id is OFF, for both "Local" and "Master."

I also tried it without assigning the $sid variable, same deal.

Oh, and I just checked.. it gave me a cookie.

Is this enough to tell us that it is clearly not being supported by the 1&1 servers?

RTrev
03-21-2007, 10:19 PM
Just as an addendum, I tried it without session_start(), and I tried it with cookies blocked in my browser. Nothing is appended to the URL lines. And the phpinfo page is unfailing in telling me the trans_id is turned off. :confused:

aedrin
03-21-2007, 11:00 PM
Yeah, I forgot the session_start() call. That's what I get for having it in some library file ;)

If you blocked cookies, and the URLs still didn't have the SID appended to it, then I'd like to say that it is the host's problem. But there could always be something simple that is missing. When trying with cookies disabled, make sure you close the browser before trying it again.

RTrev
03-21-2007, 11:21 PM
Yeah, I forgot the session_start() call. That's what I get for having it in some library file ;)

If you blocked cookies, and the URLs still didn't have the SID appended to it, then I'd like to say that it is the host's problem. But there could always be something simple that is missing. When trying with cookies disabled, make sure you close the browser before trying it again.

Okay, I blocked all cookies from my site, and that worked in that no cookie appeared. I deleted the one from the previous test, of course. Then closed the browser, re-opened it, and get the same exact thing.

I recall reading that the session_start() tag had to be the very first thing in the page, even before the html start tag, but I don't have any HTML in this test page.

I tried turning on the trans_id both before *and* after the call to start the session, made no difference. Nothing is being appended to my URLs. And, in the project in which sessions were working fine, they broke the second I blocked cookies. I was using the default settings as their tech support people said.

Time for a reply to that note I received, I guess? I'll even ask them for a small snippet of code that they say should work.

My last resort would be to simply tell visitors that they need to enable cookies to use a certain feature, etc., but I'd not like having to do that. I've so far gotten around this by *manually* appending something I need to the URL myself.. like a salt value that would later be extensively modified in the page.. and that works but it's a very tedious way to do it.. and I haven't had much luck with passing more than a single variable at a time.. and no arrays. Seems like a major kludge to me. But from the sound of their note they are *not* denying users the ability to use sessions without cookies.. at least not intentionally. They said it should work. Maybe if I can get the right tech on the phone we can figure out what's going on. My being a complete newbie at this doesn't help matters, of course. :rolleyes:

Thanks again for all your help, and I'll report back if I ever get a resolution to this one way or the other.

Bob

RTrev
03-22-2007, 12:01 AM
Okay, just one last test before I try and deal with the hosting service. Here is a code example:



<?php
session_start();
if(isset($_SESSION['views']))
$_SESSION['views'] = $_SESSION['views'] + 1;
else
$_SESSION['views'] = 1;

echo "views = ". $_SESSION['views'];
?>


If I run this page with cookies enabled, it works fine.. each time I refresh the page, the counter increments. Turn off cookies and it always says "views = 1" no matter how many refreshes. Nothing appended to the URL.

Is this a good clean example to give the folks at 1&1 and ask why this doesn't work?

p.s. The page can be accessed and tested at:

http://rtrev.com/test/session.php

RTrev
03-22-2007, 03:19 PM
Okay, here is what I got back from my more detailed inquiry into why the session-handling is not working as intended and as they had told me it should:



Dear Customer,

Thank you for contacting us.

I apologize for the delay.
Please be informed that we do not support scripting issues since we do
not have it.
I apologize however when it comes to scripting issues we have limited
knowledge in this part and I really cannot help you with this one.

If you have any further questions please do not hesitate to contact us.

--
Sincerely,
Jimm Marc Yap
Technical Support
1&1 Internet


Okay, looks like I'm totally on my own here. :rolleyes:

If this were you folks, would you escalate the call? Or would you just see about finding another host? I don't want to go through the hassles of changing, and 1&1 has been solid and fast and everything works fine *except* for this issue. So I'm hesitant to switch. But that note above has me close to reconsidering this.

I gave them the example code, and I asked them very nicely if they could examine my hosting setup and see if they could determine why it wasn't behaving the way they had previously suggested it should/would. I was very pleasant about it. This note back from them just blows my mind.

aedrin
03-22-2007, 04:14 PM
The script you provided is correct.

Their response is yet more pushing the ball back over the net. They'll probably keep at it until you give up.

I'd tell them it's not a scripting issue, but a server configuration issue.

A fast, stable host is worth nothing if there is no technical support. ;)


and that works but it's a very tedious way to do it.. and I haven't had much luck with passing more than a single variable at a time..

If you create all your URLs through a function, you can easily append the session ID yourself.

Then use session_id() to set the session ID, and everything should work as expected.

There's various hooks that allow you to create your own session system. You might want to also look into that just for an interesting read.
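Building every link through one helper and seeding the session from the URL, as described above, can be done like this. This is an added example written for this page, not code from the thread; the helper names, SID_PATTERN and the rotation interval are this example's assumptions, and session.use_strict_mode needs PHP 5.5.2 or later (on older PHP that ini_set is simply ignored).

```php
<?php
// Added example, not code from the thread: carry the session id in URLs built
// by one helper and hand it to session_id() before session_start().
// cookieless_session_start(), sid_url() and SID_PATTERN are this example's own;
// the pattern matches the character set PHP uses for its own ids.

define('SID_PATTERN', '/^[A-Za-z0-9,-]{22,128}$/');
define('SID_ROTATE_AFTER', 300); // seconds before the id is replaced (assumed)

function cookieless_session_start()
{
    // No Set-Cookie header at all; the id exists only in URLs we generate.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '0');   // we append the id ourselves
    ini_set('session.use_strict_mode', '1'); // PHP >= 5.5.2: ids the server never issued are replaced

    // An id in the URL would also travel in Referer headers to other sites.
    header('Referrer-Policy: no-referrer');

    $name = session_name();
    $candidate = isset($_GET[$name]) && is_string($_GET[$name]) ? $_GET[$name] : '';
    if (preg_match(SID_PATTERN, $candidate)) {
        session_id($candidate); // only a well-formed id is ever handed to PHP
    }
    session_start();

    // A URL-borne id leaks more easily than a cookie (logs, bookmarks, shared
    // links), so keep its useful lifetime short by rotating it regularly.
    if (!isset($_SESSION['_issued'])) {
        $_SESSION['_issued'] = time();
    } elseif (time() - $_SESSION['_issued'] > SID_ROTATE_AFTER) {
        session_regenerate_id(true); // old id is deleted, data carried over
        $_SESSION['_issued'] = time();
    }
}

function sid_url($path, array $params = array())
{
    // Every link on the site goes through here, so the id is never forgotten
    // and always reflects the current (possibly just rotated) session id.
    $params[session_name()] = session_id();
    return $path . '?' . http_build_query($params);
}

// Same counter as the test page earlier in the thread, now without a cookie.
cookieless_session_start();
$_SESSION['views'] = isset($_SESSION['views']) ? $_SESSION['views'] + 1 : 1;
echo 'views = ' . (int) $_SESSION['views'];
echo '<p><a href="' . htmlspecialchars(sid_url('session.php', array('page' => 2)))
   . '">Test Link</a></p>';
```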

Inigoesdr
03-22-2007, 04:15 PM
Personally I don't switch hosts unless the problem was almost catastrophic, just because I hate switching hosts. But if you do switch, make sure you contact support for your prospective new host beforehand and ask them if they support the features you need.

firepages
03-22-2007, 05:00 PM
It's just something that I feel strongly about.. not doing anything on my site that requires the user to do anything that THEY might not want to do. And especially if it's just a kludge because I can't figure out how to do it right. Make scents?

I would be more worried about security than the (in this case) non-existent privacy issue... as has already been said ..


a session cookie simply stores a string representation of a session id
no session or other data is stored on the users computer so NO privacy issues


Using only session ids in URLs increases the risk of session hijacking; unless you appreciate the hows and how-nots of this you are in fact putting your users at a greater (albeit small) risk in a misguided attempt to secure their privacy, which you are not even invading in the first place!

Your friend may have great ideals, but unless you are abusing your users via cookies (which obviously you are not) then I do not see what the problem is with using them? Especially session cookies.

RTrev
03-22-2007, 05:03 PM
The script you provided is correct.

Their response is yet more pushing the ball back over the net. They'll probably keep at it until you give up.

I'll bet I can keep it up longer than they can. :D


I'd tell them it's not a scripting issue, but a server configuration issue.

I did, and I requested that they escalate the issue to some folks who handle the server configurations. I pointed out that such people had already replied in the series of email exchanges, and added that even if they weren't willing to help me out at least they should be made aware of the issue.


A fast, stable host is worth nothing if there is no technical support. ;)

Well, I'd be perfectly happy to let them provide the hardware and keep it running, and I'll find my answers elsewhere. But if the only answer is to change something that only they have control over, and they won't even talk to me about it, then it's time to up the ante a bit.



If you create all your URLs through a function, you can easily append the session ID yourself.

Then use session_id() to set the session ID, and everything should work as expected.

There's various hooks that allow you to create your own session system. You might want to also look into that just for an interesting read.

Ah, yes.. of course.. and I'd actually have a finer granularity in terms of when something needs to be passed and when I can just send a vanilla URL. That will be my project over the weekend.. write something and get it working using this approach. Thanks for the nudge!!

But I'm not letting 1&1 off the hook so easily. "We don't know anything about scripting because we don't have it" ?? ("And we're too lazy to go find someone who *can* answer your question" is the part that remained unsaid!)

RTrev
03-22-2007, 05:10 PM
Your friend may have great ideals, but unless you are abusing your users via cookies (which obviously you are not) then I do not see what the problem is with using them? Especially session cookies.

Agree with most points, but my current concern is mostly that people who show up with a browser that's buttoned down tight and refusing to accept even first-party session cookies are going to find a broken site.. or at best a site which they can't take advantage of properly, or which tries to cajole them into accepting cookies even if they don't want to. So I want this to work without cookies. I do wish there were another way, though. It makes me almost want to implement a login id and store their session info in a table. That way nothing's in the URLs, but a lot of overhead with database access.

Hey, I thought doing websites was supposed to be easy. :D :D :D

aedrin
03-22-2007, 05:30 PM
It makes me almost want to implement a login id and store their session info in a table.

Even this requires the use of cookies/URL variables. ;) There is no other "proper" way of detecting if it is the same user or not.

firepages
03-22-2007, 05:31 PM
Hey, I thought doing websites was supposed to be easy. :D :D :D

It is, except for those end users who read the wrong articles written by `IT` journos who do not understand their arse from their elbow, writing about AJAX and W2 on one hand then telling their readers to disable javascript and cookies on the other (and how cool this new thing called blogging is), you can always tell them cos they have a 'podcast' coming out next week ;)

If a site requires cookies or session cookies for functionality and the user does not have them then redirect to a page explaining why they are required, your privacy policy and then leave it up to (their (hopefully) now educated) selves... in my experience though you are not going to get many hits on that page.

RTrev
03-22-2007, 05:35 PM
Even this requires the use of cookies/URL variables. ;) There is no other "proper" way of detecting if it is the same user or not.

I thought there were four ways of handling sessions? Cookies, URLs, memory, and flat files stored somewhere on the server but not in user/web space? It would appear that I have only cookies to work with.. which will influence a lot of design decisions down the road. What percentage of people would you guess surf with even first-party session cookies disabled? Probably not very many?

But, yes, as I think about it, even my database idea wouldn't work without further session support. Sigh. :rolleyes:

RTrev
03-22-2007, 05:44 PM
If a site requires cookies or session cookies for functionality and the user does not have them then redirect to a page explaining why they are required, your privacy policy and then leave it up to (their (hopefully) now educated) selves... in my experience though you are not going to get many hits on that page.

I guess that will be my next decision.. whether my site really will *require* sessions and hence cookies. Projects so far have allowed me to work around this need, but who knows what my next idea for a fun project will be. Your solution sounds like the best.. if I need them, use them, and explain why in a re-direct page. Sounds like the best overall compromise. Thanks!

aedrin
03-22-2007, 06:26 PM
What percentage of people would you guess surf with even first-party session cookies disabled? Probably not very many?

Very few, yes. Only those who are so uppity on privacy that they probably shouldn't even visit your page. ;)


I thought there were four ways of handling sessions?

Only two which you mentioned are, Cookies and URL variables. There might be some more odd approaches to this out there, but that'd require some research. (I can't imagine any more).

The difference is in which part of sessions. Cookies and URL variables handle the linking of a request to a specific user's session.

Memory, flat files and databases handle the storage of the data contained in the session.
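The split just described, linking a request to a session versus storing the session's data, is exactly where PHP's save-handler hook sits. The example below is added here and is not from the thread: it keeps session data in a SQLite table through PDO while the id still arrives by cookie or URL as before. The class and file name are this example's own; it needs PHP 5.4+ for SessionHandlerInterface and the pdo_sqlite extension.

```php
<?php
// Added example, not from the thread: session *storage* in a SQLite table via
// PHP's save-handler hook. How the id reaches the script (cookie or URL) is a
// separate concern and is untouched here. Class and file name are made up.

class SqliteSessionStore implements SessionHandlerInterface
{
    private $db;

    public function __construct($file)
    {
        $this->db = new PDO('sqlite:' . $file);
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec('CREATE TABLE IF NOT EXISTS sess (
            id TEXT PRIMARY KEY, data BLOB NOT NULL, mtime INTEGER NOT NULL)');
    }

    // The #[...] lines are attributes on PHP 8 and plain comments on PHP 5/7.
    #[\ReturnTypeWillChange]
    public function open($savePath, $name) { return true; }
    #[\ReturnTypeWillChange]
    public function close() { return true; }

    // The id is client-supplied input, hence prepared statements throughout.
    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $st = $this->db->prepare('SELECT data FROM sess WHERE id = ?');
        $st->execute(array($id));
        $data = $st->fetchColumn();
        return $data === false ? '' : (string) $data; // '' = no such session
    }

    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        $st = $this->db->prepare(
            'REPLACE INTO sess (id, data, mtime) VALUES (?, ?, ?)');
        return $st->execute(array($id, $data, time()));
    }

    #[\ReturnTypeWillChange]
    public function destroy($id)
    {
        $st = $this->db->prepare('DELETE FROM sess WHERE id = ?');
        return $st->execute(array($id));
    }

    #[\ReturnTypeWillChange]
    public function gc($maxlifetime)
    {
        // Expiry is enforced server-side, whatever the client still holds.
        $st = $this->db->prepare('DELETE FROM sess WHERE mtime < ?');
        $st->execute(array(time() - (int) $maxlifetime));
        return $st->rowCount();
    }
}

// Register before session_start(); the second argument registers
// session_write_close() as a shutdown function.
session_set_save_handler(new SqliteSessionStore(__DIR__ . '/sessions.sqlite'), true);
session_start();
$_SESSION['views'] = isset($_SESSION['views']) ? $_SESSION['views'] + 1 : 1;
echo 'views = ' . (int) $_SESSION['views'];
```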

Inigoesdr
03-22-2007, 07:28 PM
It's just something that I feel strongly about.. not doing anything on my site that requires the user to do anything that THEY might not want to do. And especially if it's just a kludge because I can't figure out how to do it right. Make scents?
I would be more worried about security than the (in this case) non-existent privacy issue... as has already been said ..


a session cookie simply stores a string representation of a session id
no session or other data is stored on the users computer so NO privacy issues


Using only session ids in URLs increases the risk of session hijacking; unless you appreciate the hows and how-nots of this you are in fact putting your users at a greater (albeit small) risk in a misguided attempt to secure their privacy, which you are not even invading in the first place!

Your friend may have great ideals, but unless you are abusing your users via cookies (which obviously you are not) then I do not see what the problem is with using them? Especially session cookies.

That's not one of my quotes. :D

firepages
03-23-2007, 12:38 AM
That's not one of my quotes. :D

lol sorry, 'twas RTrev's, not sure how I managed that, will fix.

RTrev
03-23-2007, 01:08 PM
lol sorry, 'twas RTrev's, not sure how I managed that, will fix.

It might have been my fault.. with my snipping and copying and pasting and whatnot, trying to get a properly interspersed set of quote/reply sets. Sorry, if so.

One last thought to inject into this thread.. which is to ask if most people would normally begin their session as soon as the user hits their site, or would you wait until they hit a page which actually *requires* the session cookie?

I'm leaning toward starting the session in my opening page, and doing it all with a simple include file in each page. The include would just be coded to do the session_start() and, now that I've thought about this some more, perhaps even to set the use_only_cookies option just to make sure nothing ever does inadvertently appear in the URL (for example if 1&1 changed some config files someday.)

So, the second someone hits my site, no matter what page they land on, a session cookie would be set.. and I'll have to find some way to make sure it actually succeeded.

I'll write a small article on what I've learned here and redirect them to my little article if I can't set my session cookie. Is it okay to link to this site from my article, or perhaps even to this thread?

I'll also stress to them that what they really want to turn off is not cookies in general, but *third-party* cookies, which unfortunately in Firefox 2.x became a bit harder to do.

I'll explain the need for maintaining "state" during a session, how this seems to be the cleanest and best and most secure way to do it, and how the session cookie will disappear on the next browser startup.

As an aside, my wife set up an Ubuntu LAMP server on an old box so I could experiment more, and the default settings on that turned out to be precisely what I'm finding on 1&1. I cannot turn on trans_id no matter what I do. She didn't go in and tweak or change anything.

Still haven't heard back from 1&1 yet, but then they already have my money so perhaps there is no incentive to actually try to help. :rolleyes:

Thanks for helping to begin the education of this newbie!! ;)

Bob

aedrin
03-23-2007, 05:11 PM
which is to ask if most people would normally begin their session as soon as the user hits their site, or would you wait until they hit a page which actually *requires* the session cookie?

I usually do it on every page. It's not really that much overhead (and I don't deal with sites that get 1000+ visitors an hour). It also saves some coding headaches since I don't have to check on each page whether it's there or not. And the potential of it breaking. The default works good ;)


As an aside, my wife set up an Ubuntu LAMP server on an old box so I could experiment more, and the default settings on that turned out to be precisely what I'm finding on 1&1. I cannot turn on trans_id no matter what I do. She didn't go in and tweak or change anything.

That's interesting. I never turn off first party cookies, so I've never actually seen it break. I'm curious to know if this is a bug or not. There's no reason that use_trans_id shouldn't work.

Inigoesdr
03-23-2007, 05:28 PM
I don't think it's a bug, I set these in my php.ini:

session.use_cookies = 0
session.use_trans_sid = 1
session.use_only_cookies = 0
And the session ID was automatically appended to my URLs in testing. But I used PHP 5.2.0, the version they tried was probably different.

RTrev
03-23-2007, 06:20 PM
I don't think it's a bug, I set these in my php.ini:

session.use_cookies = 0
session.use_trans_sid = 1
session.use_only_cookies = 0
And the session ID was automatically appended to my URLs in testing. But I used PHP 5.2.0, the version they tried was probably different.

If I put my own php.ini file in (it's a shared hosting arrangement) it does nothing with the code you specify. If I try to put similar code in the .htaccess file, I get a 500 error. If I include the code in my actual PHP pages, it's ignored.. except that I can turn on or off the use_only_cookies flag.

All of this tells me that they must have allowed us to turn on certain things and trying to override their settings for other things is not allowed. The puzzling thing is that 1&1 told me the trans_id should work by default if cookies weren't available.. and it doesn't.. the page simply breaks.

Ah well. I'll explore more options now that we have our own server, and see if I can find out what's going on.

Thanks,
Bob
