  1. #26
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    can you give your url so that I can check your site?

    but it would be better posting your code here.
    my mobile portal
    ghiris.ro

  2. #27
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,711
    Sorry, can't give a link. But what code do you mean? There are no errors, the page just won't log in since I added the (php_value session.use_cookies 0) to .htaccess and uploaded it?

    Thanks

  3. #28
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    and what is displayed on the page where you would normally login

    is it a blank page or it is displayed "login failed" or something?

    now, be sure you are sending the session_id in the url and in the main page you check if the session value is received, I think this is the key
    my mobile portal
    ghiris.ro

  4. #29
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,711
    I log in using a form on login.php and once logged in, hello barry on loggedin.php. Like I said, everything works fine until I add .htaccess etc. Then when I try to log in it just stays on the login.php and clears the text areas in my form as if nothing has happened?

    Thanks

  5. #30
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    let me guess, is there any header redirection? if so then you have to pass the session_id like this:
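    PHP Code:
    session_start();
    // SID expands to "name=ID" (empty if the ID came in via a cookie)
    header("Location: http://www.example.com/page.php?".SID);
    exit(0);
    or
    PHP Code:
    session_start();
    // The parameter name must match session_name(), PHPSESSID by default
    header("Location: http://www.example.com/page.php?PHPSESSID=".session_id());
    exit(0);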
    my mobile portal
    ghiris.ro

  6. #31
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,711
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Have a look at this, like I said everything works until I add .htaccess

    PHP Code:
    // Set the session data & redirect.
    session_start();
    $_SESSION['user_id'] = $row[0];
    $_SESSION['first_name'] = $row[1];

    ob_end_clean(); // Delete the buffer.

    // Redirect the user to the loggedin.php page.
    // Start defining the URL
    $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
    // Check for a trailing slash.
    if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\')) {
        $url = substr($url, 0, -1); // Chop off slash
    }
    // Add the page.
    $url .= '/loggedin.php';
    header("Location: $url");
    exit(); // Quit the script.
    thanks

  7. #32
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    ok add this value to the .htaccess file
    Code:
    php_flag session.use_trans_sid on
    PHP Code:
    // Set the session data & redirect.
    session_start();
    $_SESSION['user_id'] = $row[0];
    $_SESSION['first_name'] = $row[1];

    ob_end_clean(); // Delete the buffer.

    // Redirect the user to the loggedin.php page.
    // Start defining the URL
    $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
    // Check for a trailing slash.
    if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\')) {
        $url = substr($url, 0, -1); // Chop off slash
    }
    // Add the page.
    $url .= '/loggedin.php';
    header("Location: $url?".SID);
    //OR
    //header("Location: $url?PHPSESSID=".session_id());
    exit(); // Quit the script.
    it works for me, I've tested and session_id is passed to the loggedin.php file

    let me know if it works for you
    my mobile portal
    ghiris.ro

  8. #33
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,711
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Works!

    but session id in the address bar:

    loggedin.php?PHPSESSID=4a7d6156b4639ed66af392735270c6d6

    shouldn't it just be loggedin.php?

    Can you explain:

    .htaccess - php_flag session.use_trans_sid on ?

    Both have the same effect:
    header("Location: $url?".SID);
    //OR
    //header("Location: $url?PHPSESSID=".session_id());

    thanks

  9. #34
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    Let me break it down for you

    from the manual

    session.use_trans_sid boolean

    session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).

    Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.

    URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.
    PHP Code:
    // Set the session data & redirect.
    session_start();
    $_SESSION['user_id'] = $row[0];
    $_SESSION['first_name'] = $row[1];

    ob_end_clean(); // Delete the buffer.

    // Redirect the user to the loggedin.php page.
    // Start defining the URL
    $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
    // Check for a trailing slash.
    if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\')) {
        $url = substr($url, 0, -1); // Chop off slash
    }
    // Add the page.
    $url .= '/loggedin.php';
    // SID (string): constant containing either the session name and session ID
    // in the form of "name=ID" or empty string if session ID was set in an
    // appropriate session cookie.
    header("Location: $url?".SID);
    //OR
    //header("Location: $url?PHPSESSID=".session_id()); //in this case you don't have to enable the session.use_trans_sid
    exit(); // Quit the script.
    now, if the user's browser is set to accept cookies, then the session_id is invisible (this is not the case here because we disabled the cookies in .htaccess file) or sent as url parameter
    my mobile portal
    ghiris.ro

  10. #35
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,711
    Thanks for this input, but isn't this just a waste of time then if "URL based session management has additional security risks"?

    It seems a lot better before I added this stuff even though I need to allow a cookie session in my browser, that is if you've set your browser to act like this with cookies, otherwise everything works fine, correct?

    big learning curve anyway, cheers.

  11. #36
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    check:
    this and this and this and this

    and you have to choose the best method that meets your needs

    Go For It!
    my mobile portal
    ghiris.ro
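
The cookie-only alternative to the URL-based approach discussed in this thread, as an added example that is not code from any poster here; it addresses the manual's warning quoted in post #34 by never placing the session ID in a URL and by issuing a fresh ID at login. The function names and the relative `loggedin.php` / `login.php` targets are assumptions based on the page names in the thread; the array form of `session_set_cookie_params()` needs PHP 7.3 or later, and `secure` assumes the site is served over HTTPS.

```php
<?php
// Added example: hardened, cookie-only session handling for the login step.
// harden_session(), complete_login() and require_login() are illustrative names.

function harden_session(): void
{
    // Never accept or emit the session ID through the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // discarded when the browser closes
        'path'     => '/',
        'secure'   => true,    // assumption: HTTPS only
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Call from login.php once the credentials have been verified.
function complete_login(array $row): void
{
    harden_session();
    session_start();

    // New ID at the privilege change: an ID seen before login
    // (bookmarked, e-mailed, or supplied by someone else) stops working.
    session_regenerate_id(true);

    $_SESSION['user_id']    = $row[0];
    $_SESSION['first_name'] = $row[1];

    // Relative redirect: no SID appended, no client-supplied Host header.
    header('Location: loggedin.php');
    exit();
}

// Call at the top of loggedin.php before any output.
function require_login(): int
{
    harden_session();
    session_start();
    if (!isset($_SESSION['user_id'])) {
        header('Location: login.php');
        exit();
    }
    return (int) $_SESSION['user_id'];
}
```

With these settings a browser that refuses cookies cannot log in at all, which is the trade-off raised in post #35.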

