Sessions and Cookies

         

blaketar

7:14 pm on Sep 23, 2004 (gmt 0)

10+ Year Member



Have a question about the mixture of Session data and cookies.

Currently my php.ini file is session.use_cookies = On and I need to maintain session data across pages. If I was to turn this off so that clients did not receive a cookie from my site, would the session data still be saved, only this time on the server "/tmp" instead of a cookie, or do I NEED to have a cookie set?

jamie

7:34 pm on Sep 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



hi blaketar,

afaik session data is always saved on the server and not in a cookie.

the only reason for using a cookie is to store the SESSION ID. if cookies are not used then the SESSION ID is appended to each url - resulting in rather unsightly urls such as /page.php?sessionid=s5fd4rithfkreuiiehidh5764856r7tyr654

hth

Timotheos

7:40 pm on Sep 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Putting the ID in the url also makes it more susceptible to hijacking. See the manual on sessions [php.net] for more.

jatar_k

10:10 pm on Sep 23, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> makes it more susceptible to hijacking

cross your session IDs with IPs and you are pretty solid
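The points raised in the replies above (session ID kept in a cookie rather than the URL, and the session checked against the client IP), as an added example that is not part of the original thread. It assumes PHP 7.3 or later and an HTTPS site; the function names and the `bound_ip` and `user_id` session keys are hypothetical.

```php
<?php
// Added example. start_hardened_session(), mark_logged_in() and
// current_user_id() are hypothetical helper names, not PHP built-ins.

function start_hardened_session(): void
{
    // Keep the session ID out of URLs: accept it from the cookie only and
    // do not let PHP rewrite links to carry it.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // assumption: the site is served over HTTPS
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    $ip = $_SERVER['REMOTE_ADDR'] ?? '';

    // The session was bound to an address at login. If this request comes
    // from a different address, treat the ID as possibly stolen: drop the
    // stored data and continue with a fresh, empty session.
    if (isset($_SESSION['bound_ip']) && !hash_equals($_SESSION['bound_ip'], $ip)) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
}

function mark_logged_in(int $userId): void
{
    // Issue a new ID at login so an ID seen before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['bound_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

function current_user_id(): ?int
{
    // null means "not logged in": send the visitor to the login page.
    return $_SESSION['user_id'] ?? null;
}
```

The IP check logs out visitors whose address changes during a session (mobile networks, rotating proxies) and cannot tell apart clients that share one NAT address.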

blaketar

10:18 pm on Sep 23, 2004 (gmt 0)

10+ Year Member



This was my direct worry, having the session id string appended to the link and URL. Any other solutions available?

I have some people who cannot log in to their account because their cookie support has been turned off. My login uses sessions to track throughout the login as well. They log in OK, but when they click on a link in the login section they return back to the login screen.