It depends on whether PHP was compiled with the -enable-trans-sid option set. This option is disabled by default in PHP4, not sure about other versions.

You can ensure that the session ID is always passed, whether the user's browser will accept cookies or not by appending the session ID to the link eg

<a href="nextpage.php?<?php print SID;?>">Next Page</a>

Yes, it was compiled with the --enable-trans-sid option set. And it does definitely work for me when I turn off cookies so I know the rewriting bit is working.

I take your point about forcing the SID to be appended to each link, but I only want to go down that route as a last resort (it would involve a lot of amendments, and it doesn't look as 'neat').

Are you using relative URLs? Non relative URLs are assumed to point to external sites and the session ID is not appended.

Hadn't thought of that.

All my links are prefixed with "/" (root) as they are in an include file which is included from various subfolders (so "../" wouldn't work).

Example: href="/somepage.php"

Is that still classes as relative? I guess it is. I certainly don't have links beginning http://

And besides, the point I keep coming back to is that it works fine for me when I turn off cookies, which I think implies that it must be some configuration at the client end rather than server end.

I use sessions, enable trans id and both relative and absolute paths and they all work fine.

The problem is probably something else. The cookies off is the first clue but there must be some other common element between them.

Are the sesions being started properly? Have you looked at how you are testing if they are logged in?

When a user successfully logs in, I call:

session_register("mymember");

At the top of each subsequent page I have:

$mymember="";
session_start();

I then do the following to check if logged in:

if (!$mymember) {
// display error message and die
}

Does anyone have any other ideas on this one?

If you have register globals off (default in >= 4.2) you'll need to replace mymember with $_POST['mymeber'], and there shouldn't be quotes around it when you register it AFAIK.

Try echoing the value of $mymember at the top of each page (if necessary, stick it inside an HMTL comment) so you can track it's value.

Allen

I'm using PHP 4.1.2 and register_globals is ON.

I have echo'd $mymember and it shows fine.

The thing that's puzzling me is that it all works fine for me and 99% of my users. I can log in and navigate around without any problems. It even continues to work fine when I turn cookies off.

But there is a small number of new members each week who mail me to say they experience this problem. This is what leads me to believe it has to be some configuration at the client-end, but it's really got me stumped.

I would agree strongly with Paul (in South Africa) about ensuring the string is ALWAYS passed, therefor avoiding the problems with cookies.

noSanity

So is that the way a lot of session-based PHP sites are written - with the SID explicitly appended to the links?

Seems to make the built-in session-handling stuff that comes with PHP redundant!

I'll give it a go though and see what happens.

Well, the problem isn't how PHP handles sessions. It is a problem with how people are handling cookies. For example, if their date is earlier than the servers date, the cookie will automatically expire... this may be the problem you are experiencing. If you run the server, you could just set the date back 5 minutes or so and see if that fixes the problem.

noSanity

(note: that is only 1 of many possible cookie problems that exist)

Well, I know I keep making the same point here, but if it's a problem with peoples' cookies (which I can quite understand) then surely PHP should seamlessly switch to URL-rewriting?

That's what I don't understand. Why should I have to explicitly append a session ID to every single link and include it as a hidden field in every single form, when PHP is supposed to handle that for me?

And indeed, when I turn off cookies on my browser, PHP does handle it for me and starts putting the session ID on each URL automatically. Why is this apparently not happening for everyone with cookie problems - that's my real question.

Thanks for your help so far though! :-)

For example, if their date is earlier than the servers date, the cookie will automatically expire...

Ehm, that can't be right? Then they would expire for anyone who live in a different time zone! Or, what about those that live in areas where they use a different calendar than we do (like muslim countries, or China)

Well, the cookie is set for 1 timezone, eg: GMT, and the computer is set for another, eg: PST (-8 hours). The computer makes up for the difference automatically.

noSanity

After a great deal of head-scratching, I've finally realised what is causing my sessions to fail.

When cookies are disabled, PHP does do its URL-rewriting stuff for all links and forms on my pages. But I also use a nice drop-down javascript-based menu system. And the links embedded within that code are not re-written. This explains why I couldn't replicate my users' problems - they were using the javascript menu, while I was clicking on the alternative text links.

So now I know what's causing it, I'm faced with figuring out how to get the session ID appended to the links in the javascript code. I've tried using PHP tags and echoing out the PHPSESSID but that didn't seem to work. I've even renamed the javascript file to a .PHP extension, but that made no difference.

Any ideas?

But, how does that affect session cookies? A session is time-independent, right?

(response to nosanity's post)

[edited by: DrDoc at 9:38 pm (utc) on Mar. 15, 2003]

instead of

blah.html

make the link

blah.html?<?php echo SID?>

The url_rewriter.tags [php.net] directive lets you specify element name and attribute that should be rewritten to include the session id.

php_value url_rewriter.tags [php.net] "option [w3.org]=value [w3.org]" will rewrite any URL contained within the value (option) [w3.org] attribute of an option [w3.org] element.

HTH Andreas

DrDoc,

Yeah, I think all last week my mind has been on loan to somebody else. Come to think of it, I have been way off base almost every night on at least 1 topic. Argh, too much Tequilla.

noSanity