session variables with cookies switched off



mat106
06-19-2005, 07:41 PM
Hi,

I've read on many sites that PHP sessions will work even when the user has cookies disabled but for some reason my scripts (included below) need cookies to be enabled. Can someone see why? Thanks.

login.php

<?php
session_start();
if (isset($_POST["user"]) && isset($_POST["pass"]))
{
    if ($_POST["user"] === "username" && $_POST["pass"] === "password")
    {
        session_register("authorised");
        $HTTP_SESSION_VARS["authorised"] = true;

        header ("Location: main.php");
        exit; // stop here so nothing after the redirect header is sent
    }
    else
    {
        $errormessage = "Wrong username and/or password! Please try again.";
    }
}
?>
...Login form goes here...

main.php

<?php
session_start();
if (!isset($HTTP_SESSION_VARS["authorised"]) || $HTTP_SESSION_VARS["authorised"] !== true)
{
    header('Location: login.php');
    exit; // without this the logged-in content below is still sent to the client
}
?>
...Logged in content goes here...

The following lines are from the output of phpinfo(), so I don't think the PHP configuration is the problem.


session.use_cookies Local Value:On Master Value:On
session.use_only_cookies Local Value:Off Master Value:Off
session.use_trans_sid Local Value:Off Master Value:Off

raf
06-19-2005, 10:33 PM
If the client doesn't accept cookies, then the session ID is propagated through the query string. This means that there is a variable=value pair on each query string like sid=sdf5sdf45sdf445sdf

This session ID is automatically added to each link (in the query string) + each form (as a hidden form field) on each page that is sent to the client.
Now, you are redirecting the client with


header ("Location: main.php");

so the session ID gets lost since it's not added to the new location's address.
To propagate the session ID, add it like this:


header ("Location: main.php?" . SID);

mat106
06-19-2005, 11:00 PM
Thanks raf. Furthermore, for anyone interested, this quote is from http://uk2.php.net/session

The strip_tags() is used when printing the SID in order to prevent XSS related attacks.

Printing the SID is not necessary if --enable-trans-sid was used to compile PHP. and the host must have session.use_cookies enabled, session.use_only_cookies disabled and session.use_trans_sid enabled if SID is not to be used.

The following now works perfectly fine:

...
$HTTP_SESSION_VARS["authorised"] = true;
$id = strip_tags(SID);
header ("Location: main.php?$id");
exit; // stop output after the redirect header
...
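As an added example (not code posted in the thread), here is the same login/redirect pair written with $_SESSION, with a small helper that appends SID to the redirect only when the client sent no session cookie, regenerates the id on a successful login, and exits after the header. The helper file name session_redirect.php and session.use_trans_sid=Off are assumptions.

```php
<?php
// Added example, not code from the thread: a login/redirect pair that keeps
// the session alive whether or not the client accepts cookies.
// Assumptions: $_SESSION (the modern name for $HTTP_SESSION_VARS),
// session.use_trans_sid=Off (so links and redirects must carry the id
// themselves, as raf describes), and a helper file session_redirect.php.

// ---- session_redirect.php ----
// SID is set by session_start(): "name=id" when the request carried no
// session cookie, "" when it did. So the id is appended only for
// cookie-less clients; cookie users get a clean URL.
function redirect_with_session(string $target): void
{
    $sid = strip_tags(SID);                  // php.net: strip_tags() against XSS
    if ($sid !== '') {
        $target .= (strpos($target, '?') === false ? '?' : '&') . $sid;
    }
    header('Location: ' . $target);
    exit;   // without this the rest of the page is still sent after the redirect header
}

// ---- login.php ----
require 'session_redirect.php';
session_start();
if (isset($_POST['user'], $_POST['pass'])) {
    // Placeholder check mirroring the thread; real code verifies a password hash.
    if ($_POST['user'] === 'username' && $_POST['pass'] === 'password') {
        // An id carried in the URL may have been handed to the user by someone
        // else (session fixation), so issue a fresh id on successful login.
        session_regenerate_id(true);
        $_SESSION['authorised'] = true;
        redirect_with_session('main.php');
    }
    $errormessage = 'Wrong username and/or password! Please try again.';
}
// ...login form goes here...

// ---- main.php ----
require 'session_redirect.php';
session_start();
if (empty($_SESSION['authorised'])) {
    redirect_with_session('login.php');
}
// ...logged-in content goes here; with use_trans_sid off, every link on it
// must also carry SID, e.g. '<a href="page.php?' . htmlspecialchars(SID) . '">'
```

Leaving session.use_only_cookies off is what makes cookie-less sessions possible at all, so regenerating the id at login is the check that keeps a URL-supplied id from being reused.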
