| Re: Overriding PHP INI Setting session.use_trans_sid=0 [message #178284 is a reply to message #178281] |
Sat, 26 May 2012 23:05  |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
|
Senior Member |
|
|
On 5/26/2012 5:59 PM, Robert Rosenberg wrote:
> My Hosting Service has the following PHP settings [per phpinfo():]
>
> session.use_cookies On On
> session.use_only_cookies Off Off
> session.use_trans_sid 0 0
>
> This means that while my Session ID is stored in a cookie it will not be
> automatically appended to my "a href" URLs when clicked. I am dealing with
> some paranoid users who may have turned off cookie support or who monitor
> cookie usage and reject some cookies or domains (I will not even get into
> those who have "protected themselves" by turned off JavaScript<g>).
>
> Thus I need to be able to compensate for their refusal to accept the
> automatic cookie used by Sessions Support to pass the Session Id back to the
> scripts when they start by having PHP append a "?PHPSESSID = ..." to my
> URLs.
>
> This requires that session.use_trans_sid=1 (which I am attempting to do via
> these commands at the top of my pages):
>
> <?php
> ini_set('session.use_only_cookies',0);
> ini_set('session.use_trans_sid',1);
> session_start();
> ?>
>
> The ?PHPSESSID = is not showing up when I use a x.php link on my pages. The
> location bar when I click the link is just x.php. While I can force the
> needed parm by hard coding the ?PHPSESSID = in my links, I would rather go
> the automatic route.
>
> I need sessions so that I can have restricted pages/areas which are only
> viewable by those who have logged and and have the requite viewing
> authority. All others when attempting to view the pages will get a "Please
> Login to view this page/area" notification (and a link to the Login Page) if
> not logged in or a "You Are Not Authorized to view this Page/Area"
> notification if logged in but not authorized.
>
> I can post my testing code (for forcing the URL) if that will help diagnose
> my problem.
>
> Thank You.
>
Security and PHPSESSID don't go well together. That's why most sites
just say up from that cookies are required to use some features of the
site. If the user doesn't want to use cookies, then they can't use
those features of the site. And personally, I really don't think these
days it's bad to require cookies for some features. It's good to be
careful, but you can also be paranoid.
But if you insist - you also need to ensure url_rewriter.tags is set to
the appropriate value (it may have been changed from the default).
Also, there have been some bugs in this area, depending on your php
version. But 38422 indicates you can't change the value with ini_set()
between versions 4.2.3 and 5.0; no word about later versions. This can
be handled by setting the value in your .htaccess file if allowed (most
Apache hosts will allow this - and it's better than doing it in each php
file).
There's also a recent bug (#61565, still open) which indicates you must
have session.use_cookie=off to make the trans_sid work. I don't know
whether it will affect you or not.
Hope this helps.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]