Обсуждение: Sessions without cookies
How can I make sessions without cookies? The php manual is a bit perplexing on this one... <A HREF="nextpage.php?<?=SID?>">click here</A> First it says the <?=SID?> part is needed when cookies are disabled. Then it says "The <?=SID?> is not necessary, if --enable-trans-sid was used to compile PHP" What's the deal? I don't want to use cookies at all... Even if I could use em (client has them turned on) Tia! (thanks to all that answered my last few questions;)
--enable-trans-sid means PHP concatenate transparently a 'SID=...' parameter to each relative URL in your HTML output content, therefore you may notworry about to do it manually. <A href='netxpage.php'>...</A> will work in this form. You can check it if view source in your browser. ----- Original Message ----- From: "Christian Marschalek" <cm@chello.at> To: "[PHP] PostgreSQL" <pgsql-php@postgresql.org> Sent: 2001. május 7. 00:21 Subject: [PHP] Sessions without cookies > How can I make sessions without cookies? > The php manual is a bit perplexing on this one... > > <A HREF="nextpage.php?<?=SID?>">click here</A> > > First it says the <?=SID?> part is needed when cookies are disabled. > > Then it says "The <?=SID?> is not necessary, if --enable-trans-sid was > used to compile PHP" > > What's the deal? I don't want to use cookies at all... Even if I could > use em (client has them turned on) > > Tia! > > (thanks to all that answered my last few questions;) > > > ---------------------------(end of broadcast)--------------------------- > TIP 2: you can get off all lists at once with the unregister command > (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
Thanks, but does --enable-trans-sid also mean to don't use cookies? > -----Original Message----- > From: pgsql-php-owner@postgresql.org > [mailto:pgsql-php-owner@postgresql.org] On Behalf Of Gyozo Papp > Sent: Monday, May 07, 2001 12:38 AM > To: Christian Marschalek; [PHP] PostgreSQL > Subject: Re: [PHP] Sessions without cookies > > > --enable-trans-sid means > > PHP concatenate transparently a 'SID=...' parameter to each > relative URL in your HTML output content, therefore you may > not worry about to do it manually. <A > href='netxpage.php'>...</A> will work in this form. You can > check it if view source in your browser. > > > ----- Original Message ----- > From: "Christian Marschalek" <cm@chello.at> > To: "[PHP] PostgreSQL" <pgsql-php@postgresql.org> > Sent: 2001. május 7. 00:21 > Subject: [PHP] Sessions without cookies > > > > How can I make sessions without cookies? > > The php manual is a bit perplexing on this one... > > > > <A HREF="nextpage.php?<?=SID?>">click here</A> > > > > First it says the <?=SID?> part is needed when cookies are disabled. > > > > Then it says "The <?=SID?> is not necessary, if > --enable-trans-sid was > > used to compile PHP" > > > > What's the deal? I don't want to use cookies at all... Even > if I could > > use em (client has them turned on) > > > > Tia! > > > > (thanks to all that answered my last few questions;) > > > > > > ---------------------------(end of > > broadcast)--------------------------- > > TIP 2: you can get off all lists at once with the unregister command > > (send "unregister YourEmailAddressHere" to > majordomo@postgresql.org) > > > ---------------------------(end of > broadcast)--------------------------- > TIP 5: Have you checked our extensive FAQ? > http://www.postgresql.org/users-lounge/docs/faq.html
> -----Original Message----- > From: Christian Marschalek [mailto:cm@chello.at] > Sent: Sunday, May 06, 2001 9:01 PM > To: 'Gyozo Papp' > Cc: [PHP] PostgreSQL > Subject: RE: Sessions without cookies > > > Thanks, but does --enable-trans-sid also mean to don't use cookies? No. You can use both cookies and --enable-trans-sid. You don't have to use cookies if you are sending your SID encoded in the URL and you code appropriately, however. You indicated you didn't want to use cookies at all and encoding the SID in the URL, either manually or automatically by enabling trans-sid, will do the trick. Note that you will have to disable trans-sid (or find some work around) if you don't want the SID encoded in some of the URLs on your pages. I believe trans-sid automatically encodes all the URL's in your page. > > > -----Original Message----- > > From: pgsql-php-owner@postgresql.org > > [mailto:pgsql-php-owner@postgresql.org] On Behalf Of Gyozo Papp > > Sent: Monday, May 07, 2001 12:38 AM > > To: Christian Marschalek; [PHP] PostgreSQL > > Subject: Re: [PHP] Sessions without cookies > > > > > > --enable-trans-sid means > > > > PHP concatenate transparently a 'SID=...' parameter to each > > relative URL in your HTML output content, therefore you may > > not worry about to do it manually. <A > > href='netxpage.php'>...</A> will work in this form. You can > > check it if view source in your browser. > > > > > > ----- Original Message ----- > > From: "Christian Marschalek" <cm@chello.at> > > To: "[PHP] PostgreSQL" <pgsql-php@postgresql.org> > > Sent: 2001. május 7. 00:21 > > Subject: [PHP] Sessions without cookies > > > > > > > How can I make sessions without cookies? > > > The php manual is a bit perplexing on this one... > > > > > > <A HREF="nextpage.php?<?=SID?>">click here</A> > > > > > > First it says the <?=SID?> part is needed when cookies > are disabled. > > > > > > Then it says "The <?=SID?> is not necessary, if > > --enable-trans-sid was > > > used to compile PHP" > > > > > > What's the deal? I don't want to use cookies at all... Even > > if I could > > > use em (client has them turned on) > > > > > > Tia! > > > > > > (thanks to all that answered my last few questions;) > > > > > > > > > ---------------------------(end of > > > broadcast)--------------------------- > > > TIP 2: you can get off all lists at once with the > unregister command > > > (send "unregister YourEmailAddressHere" to > > majordomo@postgresql.org) > > > > > > ---------------------------(end of > > broadcast)--------------------------- > > TIP 5: Have you checked our extensive FAQ? > > > http://www.postgresql.org/users-lounge/docs/faq.html > >
> No. You can use both cookies and --enable-trans-sid. You don't > have to use cookies if you are sending your SID encoded in the URL > and you code appropriately, however. You indicated you > didn't want to use cookies at all and encoding the SID in the > URL, either manually or automatically by enabling trans-sid, > will do the trick. So cookies are only used when I tell php to do so? With set cookie and so forth? ---------------------------(end of broadcast)--------------------------- TIP 5: Have you checked our extensive FAQ? http://www.postgresql.org/users-lounge/docs/faq.html
When you use --enable-trans-sid cookies aren't used for sessions. You can still use cookies for other things but the native session support in PHP won't use them. -Mitch ----- Original Message ----- From: "Christian Marschalek" <cm@chello.at> To: "'Leonello, Chris (C.R.)'" <cleonell@visteon.com> Cc: "[PHP] PostgreSQL" <pgsql-php@postgresql.org> Sent: Tuesday, May 08, 2001 6:20 PM Subject: [PHP] RE: Sessions without cookies > > No. You can use both cookies and --enable-trans-sid. You don't > > have to use cookies if you are sending your SID encoded in the URL > > and you code appropriately, however. You indicated you > > didn't want to use cookies at all and encoding the SID in the > > URL, either manually or automatically by enabling trans-sid, > > will do the trick. > So cookies are only used when I tell php to do so? With set cookie and > so forth? > > > ---------------------------(end of broadcast)--------------------------- > TIP 5: Have you checked our extensive FAQ? > > http://www.postgresql.org/users-lounge/docs/faq.html > ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
You should note that even with the --enable-trans-sid, PHP will still try and use a single cookie. If the user does not accept the cookie, then it is automagically passed in the URL. However, if the user accepts the cookie, then it will use that to keep track of the session rather than the URL re-writing. -Dan : When you use --enable-trans-sid cookies aren't used for sessions. You can : still use cookies for other things but the native session support in PHP : won't use them. : : -Mitch : : ----- Original Message ----- : From: "Christian Marschalek" <cm@chello.at> : To: "'Leonello, Chris (C.R.)'" <cleonell@visteon.com> : Cc: "[PHP] PostgreSQL" <pgsql-php@postgresql.org> : Sent: Tuesday, May 08, 2001 6:20 PM : Subject: [PHP] RE: Sessions without cookies : : : > > No. You can use both cookies and --enable-trans-sid. You don't : > > have to use cookies if you are sending your SID encoded in the URL : > > and you code appropriately, however. You indicated you : > > didn't want to use cookies at all and encoding the SID in the : > > URL, either manually or automatically by enabling trans-sid, : > > will do the trick. : > So cookies are only used when I tell php to do so? With set cookie and : > so forth? : > : > : > ---------------------------(end of broadcast)--------------------------- : > TIP 5: Have you checked our extensive FAQ? : > : > http://www.postgresql.org/users-lounge/docs/faq.html : > : : : ---------------------------(end of broadcast)--------------------------- : TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org : ---------------------------(end of broadcast)--------------------------- TIP 3: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to majordomo@postgresql.org so that your message can get through to the mailing list cleanly
> You should note that even with the --enable-trans-sid, PHP > will still try and use a single cookie. If the user does not > accept the cookie, then it is automagically passed in the > URL. However, if the user accepts the cookie, then it will > use that to keep track of the session rather than the URL re-writing. Thanks... But I still need to find a way how I can completely get rid of the cookies. ---------------------------(end of broadcast)--------------------------- TIP 3: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to majordomo@postgresql.org so that your message can get through to the mailing list cleanly
> Why? If the user accepts the cookie, then they don't have a > problem with it. If the user doesn't then it uses other > functionality (URL re-writing). I don't see any problem with > that. Leave it up to the user to decide how they want PHP to > keep track of their session. Well because cookies are a security flaw, aren't day? ---------------------------(end of broadcast)--------------------------- TIP 5: Have you checked our extensive FAQ? http://www.postgresql.org/users-lounge/docs/faq.html
: > You should note that even with the --enable-trans-sid, PHP
: > will still try and use a single cookie. If the user does not
: > accept the cookie, then it is automagically passed in the
: > URL. However, if the user accepts the cookie, then it will
: > use that to keep track of the session rather than the URL re-writing.
: Thanks... But I still need to find a way how I can completely get rid of
: the cookies.
Why? If the user accepts the cookie, then they don't have a problem with
it. If the user doesn't then it uses other functionality (URL re-writing).
I don't see any problem with that. Leave it up to the user to decide how
they want PHP to keep track of their session.
-Dan
---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
> > Why? If the user accepts the cookie, then they don't have a > > problem with it. If the user doesn't then it uses other > > functionality (URL re-writing). I don't see any problem with > > that. Leave it up to the user to decide how they want PHP to > > keep track of their session. > > Well because cookies are a security flaw, aren't day? Only if you make them one. :-) Cookies by in and of themselves are harmless. Just treat what ever you store in a cookie as if anyone could see it (because they probably can).. -Mitch ---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
: > > Why? If the user accepts the cookie, then they don't have a : > > problem with it. If the user doesn't then it uses other : > > functionality (URL re-writing). I don't see any problem with : > > that. Leave it up to the user to decide how they want PHP to : > > keep track of their session. : > : > Well because cookies are a security flaw, aren't day? : : Only if you make them one. :-) : : Cookies by in and of themselves are harmless. Just treat what ever you store : in a cookie as if anyone could see it (because they probably can).. : : -Mitch Exactly... and that's only an issue if someone gets into your local machine. Regardless, the cookie that is stored with the PHP session functionality is just a long unique identifier. It's meaningless to the user. It's only used by the system to lookup the information that is stored in the session handling on the server. This could either be on the filesystem (default) or by a user-defined session handling system (http://www.php.net/manual/en/function.session-set-save-handler.php) -Dan
Christian Marschalek wrote:
>
> > You should note that even with the --enable-trans-sid, PHP
> > will still try and use a single cookie. If the user does not
> > accept the cookie, then it is automagically passed in the
> > URL. However, if the user accepts the cookie, then it will
> > use that to keep track of the session rather than the URL re-writing.
>
> Thanks... But I still need to find a way how I can completely get rid of
> the cookies.
Interestingly we have just developed a site that used no cookies whatsoever,
handling all session management through URL rewriting.
We got to a point, however, about two weeks ago where we found that we did, after
all, need to (try and) maintain session state between visits. Although people could
bookmark the session, we decided to switch back to cookies as #1, with a fall-back
to URL rewriting.
You could do URL rewrite only sessions in PHP if you did your own URL rewriting
through creative use of the ob_... set of Output Control functions. This would
allow you to use sessions completely without cookies - if that's really what you
want.
Regards,
Andrew.
--
_____________________________________________________________________
Andrew McMillan, e-mail: Andrew@catalyst.net.nz
Catalyst IT Ltd, PO Box 10-225, Level 22, 105 The Terrace, Wellington
Me: +64(21)635-694, Fax: +64(4)499-5596, Office: +64(4)499-2267xtn709
> We got to a point, however, about two weeks ago where we > found that we did, after all, need to (try and) maintain > session state between visits. You can save the session info in a database also... No explicit need for cookies:) You should never rely on them since you many people could be behind a firewall that just filters them out and they have no chance to change that fact. The same goes with javascript... Well just my 2 cents;) Cya ---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
> You can save the session info in a database also... No explicit need for > cookies:) You should never rely on them since you many people could be > behind a firewall that just filters them out and they have no chance to > change that fact. The same goes with javascript... Saving session information in a database is more overhead. Note: Session variables are server side, stored in a file on the webserver named the same as the session ID.
> Saving session information in a database is more overhead. > > Note: Session variables are server side, stored in a file on the > webserver named the same as the session ID. Session information can also be kept in shared memory for really, really fast access.. -Mitch
> > Why? If the user accepts the cookie, then they don't have a > > problem with it. If the user doesn't then it uses other > > functionality (URL re-writing). I don't see any problem with > > that. Leave it up to the user to decide how they want PHP to > > keep track of their session. > > Well because cookies are a security flaw, aren't day? Only if you make them one. :-) Cookies by in and of themselves are harmless. Just treat what ever you store in a cookie as if anyone could see it (because they probably can).. -Mitch ---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
> No. You can use both cookies and --enable-trans-sid. You don't > have to use cookies if you are sending your SID encoded in the URL > and you code appropriately, however. You indicated you > didn't want to use cookies at all and encoding the SID in the > URL, either manually or automatically by enabling trans-sid, > will do the trick. So cookies are only used when I tell php to do so? With set cookie and so forth? ---------------------------(end of broadcast)--------------------------- TIP 5: Have you checked our extensive FAQ? http://www.postgresql.org/users-lounge/docs/faq.html
> You should note that even with the --enable-trans-sid, PHP > will still try and use a single cookie. If the user does not > accept the cookie, then it is automagically passed in the > URL. However, if the user accepts the cookie, then it will > use that to keep track of the session rather than the URL re-writing. Thanks... But I still need to find a way how I can completely get rid of the cookies. ---------------------------(end of broadcast)--------------------------- TIP 3: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to majordomo@postgresql.org so that your message can get through to the mailing list cleanly
> We got to a point, however, about two weeks ago where we > found that we did, after all, need to (try and) maintain > session state between visits. You can save the session info in a database also... No explicit need for cookies:) You should never rely on them since you many people could be behind a firewall that just filters them out and they have no chance to change that fact. The same goes with javascript... Well just my 2 cents;) Cya ---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
> Why? If the user accepts the cookie, then they don't have a > problem with it. If the user doesn't then it uses other > functionality (URL re-writing). I don't see any problem with > that. Leave it up to the user to decide how they want PHP to > keep track of their session. Well because cookies are a security flaw, aren't day? ---------------------------(end of broadcast)--------------------------- TIP 5: Have you checked our extensive FAQ? http://www.postgresql.org/users-lounge/docs/faq.html
You should note that even with the --enable-trans-sid, PHP will still try and use a single cookie. If the user does not accept the cookie, then it is automagically passed in the URL. However, if the user accepts the cookie, then it will use that to keep track of the session rather than the URL re-writing. -Dan : When you use --enable-trans-sid cookies aren't used for sessions. You can : still use cookies for other things but the native session support in PHP : won't use them. : : -Mitch : : ----- Original Message ----- : From: "Christian Marschalek" <cm@chello.at> : To: "'Leonello, Chris (C.R.)'" <cleonell@visteon.com> : Cc: "[PHP] PostgreSQL" <pgsql-php@postgresql.org> : Sent: Tuesday, May 08, 2001 6:20 PM : Subject: [PHP] RE: Sessions without cookies : : : > > No. You can use both cookies and --enable-trans-sid. You don't : > > have to use cookies if you are sending your SID encoded in the URL : > > and you code appropriately, however. You indicated you : > > didn't want to use cookies at all and encoding the SID in the : > > URL, either manually or automatically by enabling trans-sid, : > > will do the trick. : > So cookies are only used when I tell php to do so? With set cookie and : > so forth? : > : > : > ---------------------------(end of broadcast)--------------------------- : > TIP 5: Have you checked our extensive FAQ? : > : > http://www.postgresql.org/users-lounge/docs/faq.html : > : : : ---------------------------(end of broadcast)--------------------------- : TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org : ---------------------------(end of broadcast)--------------------------- TIP 3: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to majordomo@postgresql.org so that your message can get through to the mailing list cleanly
: > You should note that even with the --enable-trans-sid, PHP
: > will still try and use a single cookie. If the user does not
: > accept the cookie, then it is automagically passed in the
: > URL. However, if the user accepts the cookie, then it will
: > use that to keep track of the session rather than the URL re-writing.
: Thanks... But I still need to find a way how I can completely get rid of
: the cookies.
Why? If the user accepts the cookie, then they don't have a problem with
it. If the user doesn't then it uses other functionality (URL re-writing).
I don't see any problem with that. Leave it up to the user to decide how
they want PHP to keep track of their session.
-Dan
---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
When you use --enable-trans-sid cookies aren't used for sessions. You can still use cookies for other things but the native session support in PHP won't use them. -Mitch ----- Original Message ----- From: "Christian Marschalek" <cm@chello.at> To: "'Leonello, Chris (C.R.)'" <cleonell@visteon.com> Cc: "[PHP] PostgreSQL" <pgsql-php@postgresql.org> Sent: Tuesday, May 08, 2001 6:20 PM Subject: [PHP] RE: Sessions without cookies > > No. You can use both cookies and --enable-trans-sid. You don't > > have to use cookies if you are sending your SID encoded in the URL > > and you code appropriately, however. You indicated you > > didn't want to use cookies at all and encoding the SID in the > > URL, either manually or automatically by enabling trans-sid, > > will do the trick. > So cookies are only used when I tell php to do so? With set cookie and > so forth? > > > ---------------------------(end of broadcast)--------------------------- > TIP 5: Have you checked our extensive FAQ? > > http://www.postgresql.org/users-lounge/docs/faq.html > ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org