| Overriding PHP INI Setting session.use_trans_sid=0 [message #178281] |
Sat, 26 May 2012 21:59  |
Robert Rosenberg
Messages: 6
Registered: May 2012
Karma: 0
|
Junior Member |
|
|
My Hosting Service has the following PHP settings [per phpinfo():]
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0
This means that while my Session ID is stored in a cookie it will not be
automatically appended to my "a href" URLs when clicked. I am dealing with
some paranoid users who may have turned off cookie support or who monitor
cookie usage and reject some cookies or domains (I will not even get into
those who have "protected themselves" by turned off JavaScript <g>).
Thus I need to be able to compensate for their refusal to accept the
automatic cookie used by Sessions Support to pass the Session Id back to the
scripts when they start by having PHP append a "?PHPSESSID = ..." to my
URLs.
This requires that session.use_trans_sid=1 (which I am attempting to do via
these commands at the top of my pages):
<?php
ini_set('session.use_only_cookies',0);
ini_set('session.use_trans_sid',1);
session_start();
?>
The ?PHPSESSID = is not showing up when I use a x.php link on my pages. The
location bar when I click the link is just x.php. While I can force the
needed parm by hard coding the ?PHPSESSID = in my links, I would rather go
the automatic route.
I need sessions so that I can have restricted pages/areas which are only
viewable by those who have logged and and have the requite viewing
authority. All others when attempting to view the pages will get a "Please
Login to view this page/area" notification (and a link to the Login Page) if
not logged in or a "You Are Not Authorized to view this Page/Area"
notification if logged in but not authorized.
I can post my testing code (for forcing the URL) if that will help diagnose
my problem.
Thank You.
|
|
|
|
| Re: Overriding PHP INI Setting session.use_trans_sid=0 [message #178283 is a reply to message #178281] |
Sat, 26 May 2012 23:00  |
Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
|
Senior Member |
|
|
Robert Rosenberg wrote:
> My Hosting Service has the following PHP settings [per phpinfo():]
>
> session.use_cookies On On
> session.use_only_cookies Off Off
> session.use_trans_sid 0 0
>
> This means that while my Session ID is stored in a cookie it will not be
> automatically appended to my "a href" URLs when clicked.
And that is good so.
> I am dealing with some paranoid users who may have turned off cookie
> support or who monitor cookie usage and reject some cookies or domains (I
> will not even get into those who have "protected themselves" by turned off
> JavaScript <g>).
>
> Thus I need to be able to compensate for their refusal to accept the
> automatic cookie used by Sessions Support to pass the Session Id back to
> the scripts when they start by having PHP append a "?PHPSESSID = ..." to
> my URLs.
You cannot solve social problems with technology alone. The users need
to be educated, and their systems configured, to accept these cookies if
they want to use your application. In fact, if your session cookie is a
non-persistent cookie (that which browser vendors call a "session cookie"),
nobody sane should have any problem with setting it (of course, paranoia is
a form of insanity per ICD-10, but I assume you meant that rather jokingly).
You should use session_set_cookie_params() to achieve that if you cannot set
the session.* configuration settings in php.ini:
<http://php.net/use_only_cookies>
<http://php.net/manual/en/session.configuration.php>
Appending the session ID to the URI of requests instead, would create a
security hole in your application as sessions could be rather easily
hijacked by an attacker, not only it would be transferred verbatim, it would
also be stored in the user's browser history. Surely especially "paranoid"
users can understand the associated risks.
<https://www.owasp.org/index.php/Session_Management_Cheat_Sheet>
> This requires that session.use_trans_sid=1 (which I am attempting to do
> via these commands at the top of my pages):
>
> <?php
> ini_set('session.use_only_cookies',0);
> ini_set('session.use_trans_sid',1);
Since those settings are PHP_INI_ALL-changeable, this should work, although
it is definitely inadvisable.
<http://php.net/manual/en/session.configuration.php#ini.session.use-only-
cookies>
<http://php.net/manual/en/session.configuration.php#ini.session.use-trans-
sis>
> session_start();
> ?>
>
> The ?PHPSESSID = is not showing up when I use a x.php link on my pages.
And that is good so.
> The location bar when I click the link is just x.php.
That does not mean anything, redirection may have taken place in the
meantime. What matters is what the initial request looks like, primarily
what the `href' attribute value looks like.
> While I can force the needed parm by hard coding the ?PHPSESSID = in my
> links,
… which would be a stupid idea …
> I would rather go the automatic route.
You should not follow your approach any further.
PointedEars
--
When all you know is jQuery, every problem looks $(olvable).
|
|
|
|
| Re: Overriding PHP INI Setting session.use_trans_sid=0 [message #178284 is a reply to message #178281] |
Sat, 26 May 2012 23:05 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 5/26/2012 5:59 PM, Robert Rosenberg wrote:
> My Hosting Service has the following PHP settings [per phpinfo():]
>
> session.use_cookies On On
> session.use_only_cookies Off Off
> session.use_trans_sid 0 0
>
> This means that while my Session ID is stored in a cookie it will not be
> automatically appended to my "a href" URLs when clicked. I am dealing with
> some paranoid users who may have turned off cookie support or who monitor
> cookie usage and reject some cookies or domains (I will not even get into
> those who have "protected themselves" by turned off JavaScript<g>).
>
> Thus I need to be able to compensate for their refusal to accept the
> automatic cookie used by Sessions Support to pass the Session Id back to the
> scripts when they start by having PHP append a "?PHPSESSID = ..." to my
> URLs.
>
> This requires that session.use_trans_sid=1 (which I am attempting to do via
> these commands at the top of my pages):
>
> <?php
> ini_set('session.use_only_cookies',0);
> ini_set('session.use_trans_sid',1);
> session_start();
> ?>
>
> The ?PHPSESSID = is not showing up when I use a x.php link on my pages. The
> location bar when I click the link is just x.php. While I can force the
> needed parm by hard coding the ?PHPSESSID = in my links, I would rather go
> the automatic route.
>
> I need sessions so that I can have restricted pages/areas which are only
> viewable by those who have logged and and have the requite viewing
> authority. All others when attempting to view the pages will get a "Please
> Login to view this page/area" notification (and a link to the Login Page) if
> not logged in or a "You Are Not Authorized to view this Page/Area"
> notification if logged in but not authorized.
>
> I can post my testing code (for forcing the URL) if that will help diagnose
> my problem.
>
> Thank You.
>
Security and PHPSESSID don't go well together. That's why most sites
just say up from that cookies are required to use some features of the
site. If the user doesn't want to use cookies, then they can't use
those features of the site. And personally, I really don't think these
days it's bad to require cookies for some features. It's good to be
careful, but you can also be paranoid.
But if you insist - you also need to ensure url_rewriter.tags is set to
the appropriate value (it may have been changed from the default).
Also, there have been some bugs in this area, depending on your php
version. But 38422 indicates you can't change the value with ini_set()
between versions 4.2.3 and 5.0; no word about later versions. This can
be handled by setting the value in your .htaccess file if allowed (most
Apache hosts will allow this - and it's better than doing it in each php
file).
There's also a recent bug (#61565, still open) which indicates you must
have session.use_cookie=off to make the trans_sid work. I don't know
whether it will affect you or not.
Hope this helps.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]