Dorky Posted October 16, 2009
How does one keep the session completely server side? No cookies to the browser at all. I need this site to be cookie and jscript free.

PFMaBiSmAd Posted October 16, 2009
You need a session id to be propagated as part of the http request in order to match that request with the correct session data. The session id either comes from a cookie or as a get parameter as part of the URL.
> how does one keep the session completely server side.
There is no such thing.

Dorky (Author) Posted October 16, 2009
That would explain why I can't find anything about it. I did find this http://www.herongyang.com/PHP/session_3.html very informative. Well, I suppose some trickery to keep it safe using post could be performed but this project doesn't pay enough for all of that. Thx again guys. Very helpful. I must say the custom captcha was easier than figuring out that when they say server side session it's only half the truth.
> > how does one keep the session completely server side.
> There is no such thing.

GoneNowBye Posted October 17, 2009
Hey, I gtg to bed now so I must be quick.
I avoid cookies and sessions, I use a session key embedded in the URL for everything. That way it's in the get array and you can use some sort of tag [SESSION_KEY] for example and replace at the end of the file. I replaced all my echos with a function called "output" then processed the result, then echo'ed it. Session keys also mean the user feels a lot more secure, as there are no active means of tracking them present.

xtopolis Posted October 17, 2009
> Hey, I gtg to bed now so I must be quick.
> I avoid cookies and sessions, I use a session key embedded in the URL for everything. That way it's in the get array and you can use some sort of tag [SESSION_KEY] for example and replace at the end of the file. I replaced all my echos with a function called "output" then processed the result, then echo'ed it. Session keys also mean the user feels a lot more secure, as there are no active means of tracking them present.
This post is full of erroneous information. Sessions and cookies are just as secure using proper anti-session fixation techniques. Daniel0 posted some information regarding session security a while back. To say that the user feels more secure is naive. You don't know the opinion of all of your users, and it is rare to see professional, multi-million dollar companies employing your suggested technique of passing the SESSID via the URL.

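The cookie-only settings and ID regeneration usually meant by "anti-session fixation techniques", as an added example that is not part of the thread. The function names are hypothetical, and it assumes PHP 7.3+ on a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Added example. start_hardened_session(), mark_logged_in() and log_out()
// are hypothetical names; assumes PHP 7.3+ and a site served over HTTPS.

function start_hardened_session(): void
{
    // Take the session ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    // Do not append the ID to links and forms, which keeps it out of
    // access logs, Referer headers, bookmarks and pasted links.
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs this server did not issue: an unknown ID supplied by
    // the client is discarded and a fresh one is generated.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);

    session_start();
}

function mark_logged_in(int $userId): void
{
    // Issue a new ID at the moment privileges change and delete the old
    // session record, so an ID known before login is useless after it.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function log_out(): void
{
    // Clear the data and remove the server-side session record.
    $_SESSION = [];
    session_destroy();
}

// Usage at the top of every request:
start_hardened_session();
// ...and once credentials have been verified (42 is a constructed value):
// mark_logged_in(42);
```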
GoneNowBye Posted October 17, 2009
My experience and my opinion, you are entitled to your own.

Dorky (Author) Posted October 17, 2009
No, I believe the x dude is right. That is why I said trickery. Because much of it would be required to make it secure. It would require multiple flat file entries in combination with a post or get to make this happen and with multiple users doing this all at once could cause some untold issues as well. It is never good to advise someone to do something that could be a security risk and I decided on session for this because of security. Although I'm not happy about the http engineering that makes total server side sessions impossible I must live with it because it is the most secure, therefore the right thing to do.
> My experience and my opinion, you are entitled to your own.