Getting rid of session id after first page
dhtmlhelp
05-22-2003, 02:05 AM
Hi,
I understand that session_start() shows the session id only on the first page of the visit. Every subsequent page is stripped of the session id number.
Is this correct? If not, what is the way to achieve the above?
DH
whitty
05-22-2003, 03:41 AM
When you create a session on a page, it'll be passed to every page that is linked from the original page if you use session_start at the top of all the pages.
So basically if you want to use some session variables across pages, make sure you use session_start at the top of all pages.
firepages
05-22-2003, 04:52 AM
Whether or not the session ID is appended to your links depends on your PHP configuration and whether or not the user accepts cookies.
If the user's browser accepts cookies then yes, only the first page should show the session ID; subsequent pages should rely on cookie data.
ConfusedOfLife
05-22-2003, 09:31 AM
Hey hey, now I think I can understand! Once I asked ya (firepages) what's a secure way of writing an authentication script. And you said you should session a registered user and then in the following pages, not only check for the session variable (that says the user really registered), but also check for his IP. So, I really couldn't understand how a user might get someone else's session id, but now that you are saying, I'm thinking of a person passing someone else's computer, seeing the session ID on his/her monitor and then entering it himself/herself, is that right? So, we check for the IP because of that? If yes, what about a lan? Ppl working in a lan might have the same IP, so, they can steal each other's IDs, huh?
Weirdan
05-22-2003, 12:16 PM
Originally posted by ConfusedOfLife
I'm thinking of a person passing someone else's computer, seeing the session ID on his/her monitor and then entering it himself/herself, is that right? So, we check for the IP because of that? If yes, what about a lan? Ppl working in a lan might have the same IP, so, they can steal each other's IDs, huh?
They can if they have excellent memory...
Can you remember this id 0023882b635963f7997899ea0b4757b4 ? ;)
And there is no ultimate protection, you know. Each authorization system could be broken, it's only a matter of time and effort required. But sessids in conjunction with an IP check provide a sufficient level of protection in most cases.
firepages
05-22-2003, 03:14 PM
..It's also quite easy to fake an IP, so it's no more than a bit of extra security. Shared computers, networks etc. will always introduce extra security concerns; again, it depends on the scope and value of your application data as to whether it's worth going any further.
ConfusedOfLife
05-23-2003, 05:13 PM
Originally posted by firepages
..It's also quite easy to fake an IP, so it's no more than a bit of extra security. Shared computers, networks etc. will always introduce extra security concerns; again, it depends on the scope and value of your application data as to whether it's worth going any further.
Thank you for your help (both of you!), but how can I go further? I don't know that much about security, and I don't know anything about networking! I know that it sux, but well, I can't think of any further way.
CalypsoClub
05-24-2003, 12:58 PM
Hi,
In addition to that, I would like to ask you if you need this much security? Are you developing an online brokerage site or just a community?
Sure, security is important, but in general a PHP session is security enough if you don't handle very important data on your page...
Cheers
ReadMe.txt
05-24-2003, 05:20 PM
Just out of interest, can PHP be used to create proper 28 bit secure pages? You know the type, with the little padlock on the corner.
whitty
05-24-2003, 07:15 PM
You are thinking of SSL, which creates 128-bit.
SSL basically scrambles the data as it is being sent across the internet so that if anybody were to tap in and view it, the info is worthless.
ConfusedOfLife
05-24-2003, 08:05 PM
Originally posted by CalypsoClub
Hi,
In addition to that, I would like to ask you if you need this much security? Are you developing an online brokerage site or just a community?
Sure, security is important, but in general a PHP session is security enough if you don't handle very important data on your page...
Cheers
No, not yet! I'm just curious, I wanna know my options. For example, for a forum like here, are IP detection and sessioning enough?
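
Added example, not part of the original thread and not any poster's code: a PHP sketch of the two measures discussed above, keeping the session ID in a cookie instead of in links, and checking the IP recorded at login on later pages. The function names are hypothetical, and the `session.cookie_secure` line assumes the site is served over SSL.

```php
<?php
// Added example; start_cookie_only_session(), log_in() and current_user()
// are hypothetical names, not part of PHP or of any forum software.

function start_cookie_only_session(): void
{
    // Keep the session ID out of URLs: do not accept it from the query
    // string and do not let PHP append it to links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Hide the cookie from page scripts; send it only over SSL
    // (assumption: the site is reachable over https).
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    session_start();
}

function log_in(int $userId): void
{
    // Issue a fresh ID at login so an ID seen earlier no longer works.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

function current_user(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['ip'])) {
        return null; // not logged in
    }
    // The IP check from the thread. It is an extra hurdle only: users
    // behind the same LAN gateway or proxy present the same address.
    if ($_SESSION['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $_SESSION['user_id'];
}

// At the top of every page, as described earlier in the thread:
start_cookie_only_session();
$user = current_user(); // null means: show the login form
```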