Thread: Sessions without cookies

Sessions without cookies

From: "Christian Marschalek"

How can I make sessions without cookies?
The php manual is a bit perplexing on this one...

<A HREF="nextpage.php?<?=SID?>">click here</A>

First it says the <?=SID?> part is needed when cookies are disabled.

Then it says "The <?=SID?> is not necessary, if --enable-trans-sid was
used to compile PHP"

What's the deal? I don't want to use cookies at all... Even if I could
use em (client has them turned on)

Tia!

(thanks to all that answered my last few questions;)


Re: Sessions without cookies

From: "Gyozo Papp"

--enable-trans-sid means:

PHP transparently concatenates a 'SID=...' parameter to each relative URL in your HTML output content, therefore you need
not worry about doing it manually. <A href='nextpage.php'>...</A> will work in this form.
You can check it if you view the source in your browser.


----- Original Message -----
From: "Christian Marschalek" <cm@chello.at>
To: "[PHP] PostgreSQL" <pgsql-php@postgresql.org>
Sent: 2001. május 7. 00:21
Subject: [PHP] Sessions without cookies


> How can I make sessions without cookies?
> The php manual is a bit perplexing on this one...
>
> <A HREF="nextpage.php?<?=SID?>">click here</A>
>
> First it says the <?=SID?> part is needed when cookies are disabled.
>
> Then it says "The <?=SID?> is not necessary, if --enable-trans-sid was
> used to compile PHP"
>
> What's the deal? I don't want to use cookies at all... Even if I could
> use em (client has them turned on)
>
> Tia!
>
> (thanks to all that answered my last few questions;)
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
>     (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)


RE: Sessions without cookies

From: "Christian Marschalek"

Thanks, but does --enable-trans-sid also mean not to use cookies?

> -----Original Message-----
> From: pgsql-php-owner@postgresql.org
> [mailto:pgsql-php-owner@postgresql.org] On Behalf Of Gyozo Papp
> Sent: Monday, May 07, 2001 12:38 AM
> To: Christian Marschalek; [PHP] PostgreSQL
> Subject: Re: [PHP] Sessions without cookies
>
>
> --enable-trans-sid means:
>
> PHP transparently concatenates a 'SID=...' parameter to each
> relative URL in your HTML output content, therefore you need
> not worry about doing it manually. <A
> href='nextpage.php'>...</A> will work in this form. You can
> check it if you view the source in your browser.
>
>


RE: Sessions without cookies

From: "Leonello, Chris (C.R.)"

> -----Original Message-----
> From: Christian Marschalek [mailto:cm@chello.at]
> Sent: Sunday, May 06, 2001 9:01 PM
> To: 'Gyozo Papp'
> Cc: [PHP] PostgreSQL
> Subject: RE: Sessions without cookies
>
>
> Thanks, but does --enable-trans-sid also mean not to use cookies?

No.  You can use both cookies and --enable-trans-sid.  You don't
have to use cookies if you are sending your SID encoded in the URL
and you code appropriately, however.  You indicated you didn't
want to use cookies at all and encoding the SID in the URL, either
manually or automatically by enabling trans-sid, will do the trick.

Note that you will have to disable trans-sid (or find some work
around) if you don't want the SID encoded in some of the URLs on your
pages.  I believe trans-sid automatically encodes all the URLs
in your page.

RE: Sessions without cookies

From: "Christian Marschalek"

> No.  You can use both cookies and --enable-trans-sid.  You don't
> have to use cookies if you are sending your SID encoded in the URL
> and you code appropriately, however.  You indicated you
> didn't want to use cookies at all and encoding the SID in the
> URL, either manually or automatically by enabling trans-sid,
> will do the trick.
So cookies are only used when I tell php to do so? With set cookie and
so forth?






Re: RE: Sessions without cookies

From: "Mitch Vincent"

When you use --enable-trans-sid cookies aren't used for sessions. You can
still use cookies for other things but the native session support in PHP
won't use them.

-Mitch

----- Original Message -----
From: "Christian Marschalek" <cm@chello.at>
To: "'Leonello, Chris (C.R.)'" <cleonell@visteon.com>
Cc: "[PHP] PostgreSQL" <pgsql-php@postgresql.org>
Sent: Tuesday, May 08, 2001 6:20 PM
Subject: [PHP] RE: Sessions without cookies


> > No.  You can use both cookies and --enable-trans-sid.  You don't
> > have to use cookies if you are sending your SID encoded in the URL
> > and you code appropriately, however.  You indicated you
> > didn't want to use cookies at all and encoding the SID in the
> > URL, either manually or automatically by enabling trans-sid,
> > will do the trick.
> So cookies are only used when I tell php to do so? With set cookie and
> so forth?




Re: RE: Sessions without cookies

From: "Dan Wilson"

You should note that even with the --enable-trans-sid, PHP will still try
and use a single cookie.  If the user does not accept the cookie, then it is
automagically passed in the URL.  However, if the user accepts the cookie,
then it will use that to keep track of the session rather than the URL
re-writing.

-Dan






RE: RE: Sessions without cookies

From: "Christian Marschalek"

> You should note that even with the --enable-trans-sid, PHP
> will still try and use a single cookie.  If the user does not
> accept the cookie, then it is automagically passed in the
> URL.  However, if the user accepts the cookie, then it will
> use that to keep track of the session rather than the URL re-writing.
Thanks... But I still need to find a way how I can completely get rid of
the cookies.






RE: RE: Sessions without cookies

From: "Christian Marschalek"

> Why?  If the user accepts the cookie, then they don't have a
> problem with it.  If the user doesn't then it uses other
> functionality (URL re-writing). I don't see any problem with
> that.  Leave it up to the user to decide how they want PHP to
> keep track of their session.

Well because cookies are a security flaw, aren't they?






Re: RE: Sessions without cookies

From: "Dan Wilson"

: > You should note that even with the --enable-trans-sid, PHP
: > will still try and use a single cookie.  If the user does not
: > accept the cookie, then it is automagically passed in the
: > URL.  However, if the user accepts the cookie, then it will
: > use that to keep track of the session rather than the URL re-writing.
: Thanks... But I still need to find a way how I can completely get rid of
: the cookies.

Why?  If the user accepts the cookie, then they don't have a problem with
it.  If the user doesn't then it uses other functionality (URL re-writing).
I don't see any problem with that.  Leave it up to the user to decide how
they want PHP to keep track of their session.

-Dan






Re: RE: Sessions without cookies

From: "Mitch Vincent"

> > Why?  If the user accepts the cookie, then they don't have a
> > problem with it.  If the user doesn't then it uses other
> > functionality (URL re-writing). I don't see any problem with
> > that.  Leave it up to the user to decide how they want PHP to
> > keep track of their session.
>
> Well because cookies are a security flaw, aren't they?

Only if you make them one. :-)

Cookies in and of themselves are harmless. Just treat whatever you store
in a cookie as if anyone could see it (because they probably can).

-Mitch







Re: RE: Sessions without cookies

From: "Dan Wilson"

: > > Why?  If the user accepts the cookie, then they don't have a
: > > problem with it.  If the user doesn't then it uses other
: > > functionality (URL re-writing). I don't see any problem with
: > > that.  Leave it up to the user to decide how they want PHP to
: > > keep track of their session.
: >
: > Well because cookies are a security flaw, aren't they?
:
: Only if you make them one. :-)
:
: Cookies in and of themselves are harmless. Just treat whatever you store
: in a cookie as if anyone could see it (because they probably can).
:
: -Mitch

Exactly... and that's only an issue if someone gets into your local machine.
Regardless, the cookie that is stored with the PHP session functionality is
just a long unique identifier.  It's meaningless to the user.  It's only
used by the system to look up the information that is stored in the session
handling on the server.  This could either be on the filesystem (default) or
by a user-defined session handling system
(http://www.php.net/manual/en/function.session-set-save-handler.php).

-Dan


Re: RE: Sessions without cookies

From: Andrew McMillan

Christian Marschalek wrote:
>
> > You should note that even with the --enable-trans-sid, PHP
> > will still try and use a single cookie.  If the user does not
> > accept the cookie, then it is automagically passed in the
> > URL.  However, if the user accepts the cookie, then it will
> > use that to keep track of the session rather than the URL re-writing.
>
> Thanks... But I still need to find a way how I can completely get rid of
> the cookies.

Interestingly we have just developed a site that used no cookies whatsoever,
handling all session management through URL rewriting.

We got to a point, however, about two weeks ago where we found that we did, after
all, need to (try and) maintain session state between visits.  Although people could
bookmark the session, we decided to switch back to cookies as #1, with a fall-back
to URL rewriting.

You could do URL rewrite only sessions in PHP if you did your own URL rewriting
through creative use of the ob_... set of Output Control functions.  This would
allow you to use sessions completely without cookies - if that's really what you
want.

Regards,
                    Andrew.
--
_____________________________________________________________________
           Andrew McMillan, e-mail: Andrew@catalyst.net.nz
Catalyst IT Ltd, PO Box 10-225, Level 22, 105 The Terrace, Wellington
Me: +64(21)635-694, Fax: +64(4)499-5596, Office: +64(4)499-2267xtn709
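
Added example, not part of Andrew's message or of PHP's own code: one way to do the URL-rewrite-only sessions he describes, with the session cookie switched off and an ob_start() callback appending the session ID to relative links only. It assumes PHP 5.5.2 or later for the ini names used and a build where session.use_only_cookies can still be turned off; add_sid_to_url() and rewrite_links() are hypothetical helper names, and the links in the sample page are constructed.

```php
<?php
// Added example: cookieless PHP sessions via an output-buffer callback.
// add_sid_to_url() and rewrite_links() are hypothetical helper names.

ini_set('session.use_cookies', '0');      // never send or read a session cookie
ini_set('session.use_only_cookies', '0'); // accept the session ID from the URL
ini_set('session.use_trans_sid', '0');    // no built-in rewriting; done below
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

// Append "name=id" to one href value taken from HTML (entities already encoded).
function add_sid_to_url($url, $sid)
{
    // Only relative links get the ID, so it never travels to another host;
    // absolute (scheme:), protocol-relative (//) and fragment-only (#) links
    // are returned untouched.
    if ($url === '' || preg_match('~^(?:[a-z][a-z0-9+.-]*:|//|#)~i', $url)) {
        return $url;
    }
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {               // keep "#anchor" at the very end
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    $sep = (strpos($url, '?') === false) ? '?' : '&amp;';
    return $url . $sep . $sid . $fragment;
}

// Rewrite every <a href="..."> in the finished page.
function rewrite_links($html, $sid)
{
    return preg_replace_callback(
        '~(<a\b[^>]*?\bhref\s*=\s*)(["\'])(.*?)\2~is',
        function ($m) use ($sid) {
            return $m[1] . $m[2] . add_sid_to_url($m[3], $sid) . $m[2];
        },
        $html
    );
}

session_start();
$sid = htmlspecialchars(rawurlencode(session_name()) . '=' . rawurlencode(session_id()));

// Everything echoed from here on passes through the callback when flushed.
ob_start(function ($html) use ($sid) {
    return rewrite_links($html, $sid);
});

$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;
?>
<p>Visit number <?php echo (int) $_SESSION['hits']; ?> in this session.</p>
<a href="nextpage.php">relative link: gets the session ID</a>
<a href="list.php?page=2#top">query string and fragment are preserved</a>
<a href="http://www.example.org/">absolute link: left alone</a>
<a href="#top">fragment-only link: left alone</a>
```

Forms and header('Location: ...') redirects are not covered by this callback and would need the ID added by hand.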

RE: RE: Sessions without cookies

From: "Christian Marschalek"

> We got to a point, however, about two weeks ago where we
> found that we did, after all, need to (try and) maintain
> session state between visits.
You can save the session info in a database also... No explicit need for
cookies:) You should never rely on them since many people could be
behind a firewall that just filters them out and they have no chance to
change that fact. The same goes with javascript...

Well just my 2 cents;)

Cya






RE: RE: Sessions without cookies

From: Grant

> You can save the session info in a database also... No explicit need for
> cookies:) You should never rely on them since many people could be
> behind a firewall that just filters them out and they have no chance to
> change that fact. The same goes with javascript...

Saving session information in a database is more overhead.

Note: Session variables are server side, stored in a file on the
webserver named the same as the session ID.


Re: RE: Sessions without cookies

From: "Mitch Vincent"

> Saving session information in a database is more overhead.
>
> Note: Session variables are server side, stored in a file on the
> webserver named the same as the session ID.

Session information can also be kept in shared memory for really, really
fast access..

-Mitch


