06-11-2005, 05:52 PM
06-11-2005, 08:13 PM
That is true; without the user's cookies being on, it will pass via a session hash in the URL instead. You can do this two ways, either by adding a sessionid to your links, or by enabling session.use_trans_sid via php.ini or the ini_set() function.
If you are going to allow such a use though, you need to implement some security to check the session each time it's being accessed. Simple things would be great: IP address, user agent, etc. Check these and compare to what's within a session, and you're good to go.
06-11-2005, 11:07 PM
So using the cookie technique is better? Also, still looking for where these are stored; they are not in the place I mentioned in the first post. Tony.
06-11-2005, 11:27 PM
06-11-2005, 11:44 PM
Yes, I understand how the session cookie thing works. But what I don't know is:
Where are these cookies stored on the client's machine? In my testing it is NOT under "Documents and Settings/me/cookies", where I would expect it to be. Where is it? (trying hard to get that answer but no one reads my questions, it appears)
Secondly, because of the two options of cookies or URL, what does everyone do? Tell me, do you use the cookie feature only, or the other? If you use just the normal cookie thing, then what do you do about people with cookies turned off (if anything)? Everyone, please let me know what you do!!! (thanks in advance)
06-12-2005, 01:57 AM
Can anyone answer the first question, where?
Also, please let me know what everyone is doing, choice wise.
06-12-2005, 05:13 AM
06-12-2005, 06:30 AM
Anyone's help would be appreciated.
06-12-2005, 09:10 AM
3 bumps in 5 hours?
06-12-2005, 02:35 PM
If you set session.use_cookies to on and session.use_only_cookies to off, then PHP will try to decide which method to use. If cookies are available it will use them; if not, it will use URL sessions, so you don't have to worry about choosing one or the other method, you can just let PHP choose the appropriate method for you.
If security is reasonably important then just advise your users that cookies will ensure their security and they should refuse the cookie at their own risk. If security is paramount then enable session.use_only_cookies and inform your users that they must accept the cookie. Using SSL will further help to maintain your security.
As to which I would choose, it really all depends on the application I'm writing. For instance, a secure area for clients to upload their personal files would need fairly decent security, an e-commerce site would need even greater security, but a site that just uses sessions to determine which style-sheet I present to the user wouldn't need any kind of security.
As for your first question, I'm not entirely sure where this defaults to, but why does that matter? Also the answer would vary greatly depending on which operating system you're using or how you have it configured. If you don't see a PHPSESSID in the url when you refresh your page but the sessions still work then you know the cookie is working. As wickedjester has already said, nothing important is stored in the session cookie on the client machine so you don't have to worry that the user's details are in there, it's just a pointer telling the server where to look for the relevant information.
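The checks suggested in the replies above (cookie-only session IDs, plus comparing IP address and user agent against what was stored in the session), as an added example that is not part of the original thread. The function names and the sample request arrays are made up for illustration; the arrays stand in for `$_SERVER` and `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.
// Keep the session ID in the cookie only; never read or write it in the URL.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Client attributes recorded when the session is created.
function client_fingerprint(array $server): array
{
    return [
        'ip' => $server['REMOTE_ADDR'] ?? '',
        'ua' => hash('sha256', $server['HTTP_USER_AGENT'] ?? ''),
    ];
}

// Call once, right after login / session creation.
function bind_session(array &$session, array $server): void
{
    $session['fingerprint'] = client_fingerprint($server);
}

// Call on every request. A strict IP match will also reject legitimate
// users whose address changes (mobile networks, rotating proxies).
function session_matches_client(array $session, array $server): bool
{
    $stored = $session['fingerprint'] ?? null;
    if (!is_array($stored) || !isset($stored['ip'], $stored['ua'])) {
        return false; // never bound: treat as invalid
    }
    $now = client_fingerprint($server);
    return hash_equals($stored['ip'], $now['ip'])
        && hash_equals($stored['ua'], $now['ua']);
}

// Constructed requests (documentation IP ranges), standing in for $_SERVER.
$login   = ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed)'];
$same    = $login;
$otherUa = ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_USER_AGENT' => 'curl/8.0 (constructed)'];
$otherIp = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed)'];

$session = []; // stands in for $_SESSION after session_start()
bind_session($session, $login);

foreach (['same client' => $same, 'other user agent' => $otherUa, 'other IP' => $otherIp] as $label => $req) {
    echo $label, ': ', session_matches_client($session, $req) ? 'accept' : 'reject', PHP_EOL;
}
echo 'unbound session: ', session_matches_client([], $same) ? 'accept' : 'reject', PHP_EOL;
```

In a real page, pass `$_SESSION` and `$_SERVER` after `session_start()`, and on a mismatch call `session_destroy()` and send the user back to the login form.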