catalyse
Posted: 11/25/2002, 5:03 AM
Is there any way to disable sessions altogether, i.e. remove the session_start() without having to hack the generated page? I can't find any way to remove this call from within CC.
The reason is that I am designing a portal and I don't want it to set cookies (or have the overhead of setting up sessions) for the "public" side of this (i.e. the pages you see without needing to login). Personally I do not like sites that immediately use cookies so I don't want them enabled at all unless they go to a separate login page.
To do this, I have created 2 CC projects that share the same database:
1. Admin which has all the login and session handling.
2. Public which has views of the database and uses parameter passing.
Thanks,
Neil.
catalyse
Posted: 11/26/2002, 2:37 AM
Well, perhaps I'm the only one who's interested, but after some trial and error I found adding this to "Global Functions" does the trick:
ini_set("session.use_only_cookies",1); //don't use SID parameter passing
ini_set("session.use_cookies",0); //AND don't use cookies!
This disables session handling altogether despite the enforced start_session() call.
I then have a link to the login page of another project with normal session handling to allow authenticated access for updating the database.
The other reason for splitting it into 2 projects (admin and public) is that the public project uses a separate MySQL user with restricted rights (only SELECT on required tables) making it more secure against attacks. Even if they manage to hack parameters or poison SQL, they can only read information from the public tables within the database.
Neil.
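
Added example (not part of the original posts, and not CodeCharge or MySQL project code): a small check that the public project's MySQL account really holds only SELECT on the intended tables, run over the output of `SHOW GRANTS`. The account name `portal_public`, the database `portal`, its table names and the sample grant lines are constructed for illustration.

```python
import re

# Matches one line of MySQL SHOW GRANTS output, e.g.
#   GRANT SELECT, INSERT ON `portal`.`news` TO 'portal_public'@'localhost'
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+", re.IGNORECASE)

def split_privileges(privs):
    """'SELECT (id, title), INSERT' -> ['SELECT', 'INSERT'] (column lists dropped)."""
    privs = re.sub(r"\([^)]*\)", "", privs)
    return [p.strip().upper() for p in privs.split(",") if p.strip()]

def audit_grants(lines, allowed_tables):
    """Return findings for an account meant to hold SELECT only on allowed_tables ('db.table')."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        obj = m.group("obj").replace("`", "")
        privs = split_privileges(m.group("privs"))
        if "WITH GRANT OPTION" in line.upper():
            findings.append(f"{obj}: can re-grant its privileges")
        if privs == ["USAGE"]:
            continue  # USAGE means "no privileges"; MySQL lists it for every account
        extra = [p for p in privs if p != "SELECT"]
        if extra:
            findings.append(f"{obj}: non-SELECT privilege(s) {', '.join(extra)}")
        if obj not in allowed_tables:
            findings.append(f"{obj}: grant outside the allowed tables")
    return findings

# Constructed SHOW GRANTS output; all names here are hypothetical.
SAMPLE = [
    "GRANT USAGE ON *.* TO 'portal_public'@'localhost'",
    "GRANT SELECT (id, title) ON `portal`.`events` TO 'portal_public'@'localhost'",
    "GRANT SELECT, UPDATE ON `portal`.`news` TO 'portal_public'@'localhost'",
    "GRANT SELECT ON `portal`.* TO 'portal_public'@'localhost'",
]
ALLOWED = {"portal.news", "portal.events"}

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE, ALLOWED):
        print(finding)
```

A database-wide grant such as `portal.*` is flagged even when it is SELECT-only, because it would also expose the admin project's tables to the public account.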