George L
Posted: 05/02/2002, 3:23 PM
Regarding: Cookie-less Sessions
Description: There is a growing panic about using cookies and
some companies/individuals will turn cookies off.
Of course this means the user can't log into a
CC site because it creates a cookie with the
session id. PHPSESSID=
If the user has cookies turned off, I would like
CC to automatically append the PHPSESSID=... to
each URL. This will allow CC sites to be cookie-less
and the user will be able to navigate the site as if
he had cookies enabled.
PHP should allow you to do this. Read excerpt from http://www.php.net/manual/en/ref.session.php for more info.
There are two methods to propagate a session id:
Cookies
URL parameter
The session module supports both methods. Cookies are optimal, but since they are not reliable (clients are not bound to accept them), we cannot rely on them. The second method embeds the session id directly into URLs.
PHP is capable of doing this transparently when compiled with --enable-trans-sid. If you enable this option, relative URIs will be changed to contain the session id automatically. Alternatively, you can use the constant SID which is defined, if the client did not send the appropriate cookie. SID is either of the form session_name=session_id or is an empty string.
The --enable-trans-sid mod seems to be the way to go if you are worried about browsers turning off cookies, etc. You would of course have to recompile your PHP libraries if you haven't already.
I haven't tried it yet, but it may do what was requested by the user in the Wish-list section.
Hope that helps.
g.
Brent
Posted: 05/02/2002, 8:51 PM
I had been aware of this. But finding an ISP that would be willing to use a
recompiled PHP may be difficult because it affects their other PHP clients.
This probably means using dedicated web servers which can be a lot more expensive
than a virtual server. If CC/CCS could append the session id to each url, it
would make things easier, or at least a lot cheaper. :)
George L.
Posted: 05/03/2002, 7:23 AM
Well. In that situation, I can see your point. That would be nice of C.C to do that.
Brent
Posted: 05/03/2002, 8:29 AM
George,
I was thinking about this some more last night. Why couldn't CCS call
an event just prior to writing out a hyperlink (any hyperlink) into the HTML code, and pass it
the hyperlink string as a parameter? We could then take the hyperlink (URL), make changes to it if
we need to, and then pass it back. The modified link then gets written to the HTML file.
Not only would this allow us to add the session_id as a parameter, but
we could also do other neat stuff like adding on a checksum to ensure the parameters
were not altered by a hacker. (I wrote a wish about this a while back "Prevent
Hackers from Spoofing your URL parameters".) This will really help to increase
security.
You can think of it as a HyperlinkEdit event. All hyperlinks for the page will go through this event
and we can put in a function call so the same function can handle all hyperlinks for the application.
All generated hyperlinks would get sent through this function for editing before being written to HTML.
I think we could do some pretty powerful stuff with this Hyperlink event if CC can make it happen.
What do you think?
Brent
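
Brent's HyperlinkEdit idea, sketched as an added example that is not part of the original posts and not CodeCharge code: the hypothetical `hyperlink_edit()` appends the session id and an HMAC over the path and parameters, and the hypothetical `verify_link()` rejects any link whose parameters were changed. `SECRET` and the sample URL are constructed, and the code assumes PHP 7.1 or later (`hash_hmac`, `hash_equals`), which is newer than the PHP 4 discussed in the thread.

```php
<?php
// Added example: hypothetical hook and verifier, not CodeCharge functions.
// SECRET is a constructed placeholder; load a real key from server-side config.
const SECRET = 'constructed-demo-key-change-me';

// Canonicalise parameters (sorted by name, URL-encoded) so that the signing
// side and the verifying side always hash the same byte string.
function canonical_query(array $params): string {
    ksort($params);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Called for every generated link: appends the session id (when given) and
// a "sig" parameter holding an HMAC-SHA256 over the path and all parameters.
function hyperlink_edit(string $url, ?string $sid = null): string {
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $params);
    unset($params['sig']);                  // never sign an old signature
    if ($sid !== null) {
        $params['PHPSESSID'] = $sid;        // signed too, so the link is tied to this session
    }
    $path = $parts['path'] ?? '';
    $params['sig'] = hash_hmac('sha256', $path . '?' . canonical_query($params), SECRET);
    return $path . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Called on the receiving page: true only if the path and every parameter
// are exactly what hyperlink_edit() signed.
function verify_link(string $path, array $params): bool {
    $sig = $params['sig'] ?? '';
    unset($params['sig']);
    if (!is_string($sig)) {
        return false;                       // e.g. sig[]=... sent as an array
    }
    $expected = hash_hmac('sha256', $path . '?' . canonical_query($params), SECRET);
    return hash_equals($expected, $sig);    // constant-time comparison
}

// Constructed sample link and session id.
$link = hyperlink_edit('orders.php?s_ordtype=retail&v_startdate=2002-05-01', 'abc123');
parse_str(parse_url($link, PHP_URL_QUERY), $got);
var_dump(verify_link('orders.php', $got));  // link as generated
$got['s_ordtype'] = 'wholesale';
var_dump(verify_link('orders.php', $got));  // one parameter altered after signing
```

Signing the parameters does not hide the session id: it still ends up in server logs, browser history and Referer headers, so regenerate it at login with `session_regenerate_id()` and keep the key server-side.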
George L.
Posted: 05/03/2002, 11:14 AM
Well, if I understand you correctly, then I would agree that C.C needs to be able to allow for URL modification or templating of some sort, in order to allow users to ensure security for cookie-less browsers, etc.
Maybe some way of allowing the user to enter or append to the {FormParams} set in the Initialize Variables section. This section is where the form parameters are set into a URL.
PHP Example:
$tpl->set_var("FormParams", "s_ordtype=" . tourl(get_param("s_ordtype")) . "&v_enddate=" . tourl(get_param("v_enddate")) .
"&v_startdate=" . tourl(get_param("v_startdate")) . "&");
Maybe they could allow for a "Custom Initialize Variables" section which would allow you to theoretically append the PHPSESSID or a $HTTP_POST_VARS array value in there.
PHP Example w/ PHPSESSID appended to url:
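// session_name() is "PHPSESSID" by default and session_id() returns the current id;
// a bare PHPSESSID is not a defined constant, and PHP only reads the id from a parameter named session_name().
$tpl->set_var("FormParams", "s_ordtype=" . tourl(get_param("s_ordtype")) . "&v_enddate=" . tourl(get_param("v_enddate")) .
"&v_startdate=" . tourl(get_param("v_startdate")) . "&" . session_name() . "=" . tourl(session_id()) . "&");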
This of course has not been tested by me, so it's just a theory at this point.
Finally, I think that if an ISP is handling PHP support, the responsibility should be placed on them as well to allow for cookie-less sessions, as no ISP can assume that all client browsers will support this. Since PHP will allow this using the --enable-trans-sid starting with (4.0.6), it should be made available as soon as possible for the hosted-clients.
Thks
g.