
Propagating PHPSESSID (Session ID) transparently in links

SetoKaiba

Programmer
Jun 16, 2004
Hi,
I am building a site that makes use of PHP Sessions. Obviously, PHP will transmit the PHPSESSID (the Session ID) to a cookie to identify users; however, I've noticed some users have been experiencing bugs, and if cookies aren't enabled, the PHPSESSID won't be placed in the cookie. Is there a way to transmit the PHPSESSID via links WITHOUT having to add code to every link, rather something to operate in the global file, since appending that code to every link is a VERY inefficient way to code things, and it doesn't allow having separate HTML files that have links (since they'll need the PHP echo to put the sessid on them)? If there are any other methods that don't rely on cookies, please share. Thanks to all that help.
 
Have a look at the PHP manual and read about:
session.use_trans_sid boolean

session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).
Also:
url_rewriter.tags string

url_rewriter.tags specifies which HTML tags are rewritten to include session id if transparent sid support is enabled. Defaults to a=href,area=href,frame=src,input=src,form=fakeentry,fieldset=

However, I would for security purposes discourage transparent SID support.
 
How would I set that to 1 if I'm not a Server Administrator (i.e. is there a runtime function to set it to 1, since I am not sure if the administrator will set it up for everyone on the server)?

And why would you consider it a security risk? (Besides the obvious fact that users can submit any sessionid they like)
 
1. ini_set() is a function that allows setting run-time configuration parameters. The transparent session ID is marked as PHP_INI_ALL, which means it can be set by anyone, in any script.

2. Session fixation and, in the case of transparent SID, especially session hijacking are the highest concern. Of course, if you don't have any confidential data and it doesn't matter if someone possibly messes with someone else's session, then the risk can be ignored.
Anyone can hijack a session with transparent SID, just by appending the appropriate session ID to the URL.
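The two configurations discussed in this thread side by side, as an added example (not code posted by either participant): the transparent-SID setting the question asks about, shown commented out for contrast, and the cookie-only settings a script can apply itself with ini_set() because the directives are PHP_INI_ALL. The login_user() helper is hypothetical and shows where session_regenerate_id() belongs to counter the fixation risk raised in the reply.

```php
<?php
// Added example, not from the thread. All of these directives are
// PHP_INI_ALL, so a script can set them before session_start() without
// php.ini access, which answers the "not a Server Administrator" concern.

// --- Option A: transparent SID (what the question asks for).
// The ID is written into every tag listed in url_rewriter.tags, so it ends
// up in Referer headers, bookmarks, pasted links and web-server logs, and any
// ID that appears in a URL is accepted as-is. Kept here only for contrast.
// ini_set('session.use_trans_sid', '1');
// ini_set('session.use_only_cookies', '0');

// --- Option B: cookie-only sessions (the safer configuration).
ini_set('session.use_trans_sid', '0');    // never rewrite links with the SID
ini_set('session.use_only_cookies', '1'); // ignore a SID arriving in the URL
ini_set('session.cookie_httponly', '1');  // cookie not readable from scripts

session_start();

// Fixation defence (hypothetical helper): after authentication, discard the
// ID the browser arrived with. An ID planted before login is then worthless.
function login_user(string $username): void
{
    session_regenerate_id(true); // true = delete the old session data too
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
}

// The no-cookie case the original poster describes, handled explicitly
// instead of silently degrading to URL sessions: after the first request the
// session cookie must come back. If it never does, say so.
function session_cookie_present(): bool
{
    return isset($_COOKIE[session_name()]);
}

if (isset($_GET['cookie_check']) && !session_cookie_present()) {
    // Constructed message for the example.
    echo 'This site needs cookies enabled to keep you signed in.';
    exit;
}
if (!isset($_GET['cookie_check']) && !session_cookie_present()) {
    // First visit: bounce once so the cookie round-trip can be verified.
    header('Location: ' . $_SERVER['PHP_SELF'] . '?cookie_check=1');
    exit;
}
```

Option B leaves a user without cookies unable to hold a session at all, which is the trade-off the reply's security advice accepts.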
 