06-19-2005, 07:41 PM | #1
mat106
session variables with cookies switched off

Hi,

I've read on many sites that PHP sessions will work even when the user has cookies disabled but for some reason my scripts (included below) need cookies to be enabled. Can someone see why? Thanks.

login.php
PHP Code:
<?php
session_start();
if (isset($_POST["user"]) && isset($_POST["pass"]))
    {
    if ($_POST["user"] === "username" && $_POST["pass"] === "password")
        {
        session_register("authorised");
        $HTTP_SESSION_VARS["authorised"] = true;
        // redirect to the logged-in page
        header ("Location: main.php");
        exit; // stop here so the rest of the page is not sent after the redirect
        }
    else
        {
        $errormessage = "Wrong username and/or password! Please try again.";
        }
    }
?>
...Login form goes here...
main.php
PHP Code:
<?php
session_start();
// send anyone without an authorised session back to the login page
if (!isset($HTTP_SESSION_VARS["authorised"]) || $HTTP_SESSION_VARS["authorised"] !== true)
    {
    header('Location: login.php');
    exit; // stop here so the logged-in content below is never sent to an unauthorised visitor
    }
?>
...Logged in content goes here...
The following lines are from the output of phpinfo(), so I don't think the PHP configuration is the problem.

Quote:
session.use_cookies Local Value:On Master Value:On
session.use_only_cookies Local Value:Off Master Value:Off
session.use_trans_sid Local Value:Off Master Value:Off

Last edited by mat106; 06-19-2005 at 08:49 PM..
06-19-2005, 10:33 PM | #2
raf
if the client doesn't accept cookies, then the sessionID is propagated through the querystring. this means that there is a variable_value pair on each querystring like sid=sdf5sdf45sdf445sdf

this sessionID is automatically added to each link (in the querystring) + each form (as a hidden formfield) on each page that is sent to the client.
now, you are redirecting the client with
PHP Code:
header ("Location: main.php");
so the sessionID gets lost since it's not added to the new location's address.
to propagate the sessionID, add it like this
PHP Code:
header ("Location: main.php?" . SID);
06-19-2005, 11:00 PM | #3
mat106
Thanks raf. Furthermore, for anyone interested, this quote is from http://uk2.php.net/session
Quote:
The strip_tags() is used when printing the SID in order to prevent XSS related attacks.

Printing the SID is not necessary if --enable-trans-sid was used to compile PHP.
and the host must have session.use_cookies enabled, session.use_only_cookies disabled and session.use_trans_sid enabled if SID is not to be used.

The following now works perfectly fine:
PHP Code:
...
$HTTP_SESSION_VARS["authorised"] = true;
$id = strip_tags(SID); // SID is "name=id" when propagated in the URL, empty when the cookie is used
header ("Location: main.php?$id");
...
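For reference, here is the login/main pair rewritten around raf's fix. This is an added example, not code from the thread; it assumes PHP 5.1 or later (for session_regenerate_id(true)), the thread's hard-coded credential check, and $_SESSION in place of $HTTP_SESSION_VARS. The helper name redirect_with_sid() is this example's own.

```php
<?php
// ---- login.php ----
// Added example, not code from the thread. Assumes PHP 5.1+ (for
// session_regenerate_id(true)) and the thread's hard-coded credential check.
session_start();

// Redirect to $target, appending the session ID only when PHP is propagating it
// in the URL: SID is "PHPSESSID=..." in that case and "" once the cookie works.
function redirect_with_sid($target)
{
    $sid = strip_tags(SID);             // same precaution the manual quote above takes
    if ($sid !== '') {
        $target .= (strpos($target, '?') === false ? '?' : '&') . $sid;
    }
    header('Location: ' . $target);
    exit;                               // without this the rest of the page is still sent
}

if (isset($_POST['user'], $_POST['pass'])) {
    if ($_POST['user'] === 'username' && $_POST['pass'] === 'password') {
        // An ID that travelled in a URL may already be known to someone else
        // (shared link, browser history, Referer header). Issue a fresh ID and
        // discard the old one before the session is marked as authorised.
        session_regenerate_id(true);
        $_SESSION['authorised'] = true; // $_SESSION replaces $HTTP_SESSION_VARS/session_register()
        redirect_with_sid('main.php');
    }
    $errormessage = 'Wrong username and/or password! Please try again.';
}
// ...login form goes here; with trans_sid on, PHP adds the SID hidden field itself...

// ---- main.php ----
session_start();
if (!isset($_SESSION['authorised']) || $_SESSION['authorised'] !== true) {
    header('Location: login.php');      // a visitor without a valid session just starts over
    exit;                               // never fall through to the protected content
}
// ...logged in content goes here...
```

The two scripts are shown in one block for brevity; each half lives in its own file, as in the original post.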