views:

1430

answers:

4

I've tried to research this mechanism but only find hints and these are not very consistent. How is the session id sent to the browser and how is the browser instructed to return it when the user requests a new page?

Thanks, Chris

A: 

Session id is then transferred via URL.

glavić
+11  A: 

PHP will do 2 things:

  • It will rewrite all links to pass an extra GET parameter, usually PHPSESSID but this can be changed by setting session.name in php.ini
  • It will add a hidden input with the same name after all <form> opening tags.

Note that this is a dangerous thing to do, because anyone you e.g. copy/paste a URL to containing a PHPSESSID parameter will be able to share your login session on the site - the webserver has no easy way of telling that you are different from the person you sent the link to...

Gareth
Thanks. That's just what I wanted to know. Seems ironic that cookies might be turned off to increase the security at the client, but this action will reduce security at the server.
cjakeman
Feel free to click the little tick and accept my answer ;)
Gareth
A: 

PHP's own session module supports fetching the session id from GET and POST data (besides cookies). You can use http://uk.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid and http://uk.php.net/manual/en/session.configuration.php#ini.url-rewriter.tags to let PHP handle the forwarding of the id. But in any case keep in mind that especially if you're using GET to transport the id it's more likely some of your users give away their (valid) session id by accident.

The underlying mechanism doesn't care how the session id was transported from the client to the server. As long as you pass the "right" value to session_id() it will work - even if you do something as weird (stupid?) as abusing the etag-header as a vehicle for the session id ;-)

VolkerK
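As an added illustration (not part of any answer in this thread), here are the php.ini settings behind the behaviour Gareth and VolkerK describe: the permissive block that lets PHPSESSID ride in rewritten links and forms, beside a cookie-only block that makes the server ignore an id arriving via GET/POST. The url_rewriter.tags value is an illustrative example; session.cookie_samesite requires PHP 7.3 or later.

```ini
; --- permissive: session id may travel in the URL -------------------------
; Transparent sid: PHP appends ?PHPSESSID=... to links and adds a hidden
; input to forms (the rewriting Gareth's answer describes).
session.use_trans_sid = 1
; 0 = also accept the id from GET/POST, not just the cookie
session.use_only_cookies = 0
; 0 = accept any id the client presents, even one PHP never issued
session.use_strict_mode = 0
; which tags/attributes get the id injected (illustrative value)
url_rewriter.tags = "a=href,form="
; name of the GET parameter / cookie (default PHPSESSID)
session.name = "PHPSESSID"

; --- cookie-only: id never appears in a URL -------------------------------
; no link/form rewriting, so a pasted URL carries no session id
session.use_trans_sid = 0
session.use_cookies = 1
; 1 = an id in the query string or POST body is ignored entirely
session.use_only_cookies = 1
; 1 = an unknown/uninitialised id is rejected and a fresh one issued,
;     which blocks a session being pre-set through a crafted link
session.use_strict_mode = 1
; keep the cookie away from script access and plain-HTTP transport
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = "Lax"
```

To confirm which block is in effect on a given host, check `php -i | grep -i "session.use"` (or phpinfo()) rather than trusting the file you edited, since a later ini file or ini_set() call can override it.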
A: 

See also Is my understanding of PHP sessions correct?

Gumbo