Home » Imported messages » comp.lang.php » Overriding PHP INI Setting session.use_trans_sid=0
Re: Overriding PHP INI Setting session.use_trans_sid=0 [message #178283 is a reply to message #178281] Sat, 26 May 2012 23:00
Thomas 'PointedEars'
Robert Rosenberg wrote:

> My Hosting Service has the following PHP settings [per phpinfo():]
>
> session.use_cookies On On
> session.use_only_cookies Off Off
> session.use_trans_sid 0 0
>
> This means that while my Session ID is stored in a cookie it will not be
> automatically appended to my "a href" URLs when clicked.

And that is a good thing.

> I am dealing with some paranoid users who may have turned off cookie
> support or who monitor cookie usage and reject some cookies or domains (I
> will not even get into those who have "protected themselves" by turning off
> JavaScript <g>).
>
> Thus I need to be able to compensate for their refusal to accept the
> automatic cookie used by Sessions Support to pass the Session Id back to
> the scripts when they start by having PHP append a "?PHPSESSID = ..." to
> my URLs.

You cannot solve social problems with technology alone. The users need
to be educated, and their systems configured, to accept these cookies if
they want to use your application. In fact, if your session cookie is a
non-persistent cookie (that which browser vendors call a "session cookie"),
nobody sane should have any problem with setting it (of course, paranoia is
a form of insanity per ICD-10, but I assume you meant that rather jokingly).
You should use session_set_cookie_params() to achieve that if you cannot set
the session.* configuration settings in php.ini:

<http://php.net/use_only_cookies>
<http://php.net/manual/en/session.configuration.php>

Appending the session ID to the URI of requests instead would create a
security hole in your application, as sessions could be rather easily
hijacked by an attacker: not only would it be transferred verbatim, it would
also be stored in the user's browser history. Surely especially "paranoid"
users can understand the associated risks.

<https://www.owasp.org/index.php/Session_Management_Cheat_Sheet>

> This requires that session.use_trans_sid=1 (which I am attempting to do
> via these commands at the top of my pages):
>
> <?php
> ini_set('session.use_only_cookies',0);
> ini_set('session.use_trans_sid',1);

Since those settings are PHP_INI_ALL-changeable, this should work, although
it is definitely inadvisable.

<http://php.net/manual/en/session.configuration.php#ini.session.use-only-cookies>
<http://php.net/manual/en/session.configuration.php#ini.session.use-trans-sid>

> session_start();
> ?>
>
> The ?PHPSESSID = is not showing up when I use a x.php link on my pages.

And that is a good thing.

> The location bar when I click the link is just x.php.

That does not mean anything; redirection may have taken place in the
meantime. What matters is what the initial request looks like, primarily
what the `href' attribute value looks like.

> While I can force the needed parm by hard coding the ?PHPSESSID = in my
> links,

… which would be a stupid idea …

> I would rather go the automatic route.

You should not follow your approach any further.


PointedEars
--
When all you know is jQuery, every problem looks $(olvable).
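
The cookie-only setup recommended in the reply above, as an added example that is not part of the original post: it keeps the session ID out of URLs, sets a non-persistent session cookie with session_set_cookie_params(), and tells visitors who refuse the cookie what is needed instead of falling back to `?PHPSESSID=`. It assumes PHP 7.3 or later and a site served over HTTPS; the `cookiecheck` query parameter and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ and HTTPS.
// The "cookiecheck" query parameter is a hypothetical name.

function start_cookie_only_session(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1'); // ignore any PHPSESSID in the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links with the ID
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,       // non-persistent: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function client_sent_session_cookie(): bool
{
    return isset($_COOKIE[session_name()]);
}

start_cookie_only_session();

if (!client_sent_session_cookie()) {
    if (!isset($_GET['cookiecheck'])) {
        // First visit: the Set-Cookie header goes out with this redirect.
        // Redirect to the script's own path only, never to request-supplied input.
        header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?cookiecheck=1', true, 302);
        exit;
    }
    // The cookie did not come back after the round trip: explain what is
    // needed instead of falling back to URL-based session IDs.
    echo 'This site needs a temporary session cookie. It is deleted when you '
       . 'close your browser. Please allow cookies for this site and reload.';
    exit;
}

// Cookie accepted: the session works without the ID ever appearing in a URL.
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo 'Session active, visit #' . (int) $_SESSION['visits'];
```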