
[resolved] Cookie / Session security issue


loop


Hi,
I have a PHP application which involves login. The users are then assigned a session-id, and I store some session variables etc.

In some cases, with Internet Explorer, the cookie is being blocked. It seems like some users have set "Security level: High" in IE. In my page, this results in the user being rejected.

Does anyone have suggestions how to work around this problem, which seems to only be a problem in IE?

Thanks for any help.

If you set the [url=http://www.php.net/manual/en/ref.session.php#ini.session.use-only-cookies]session.use_only_cookies[/url] directive to false, your session id should be passed around in the URL when cookies are not available.

Be aware though that obviously this opens up some security issues. Most users should have cookies enabled, and what I usually do is state in my login form that users will not be able to log in without allowing cookies.

Thanks for the quick reply. :-)

session.use_only_cookies is already set to false. Yet, some of the users are still being rejected.

This is included on the top of every page. The variable $_SESSION['id'] is stored when the user is logged in. Hence, without the $id, the user will be redirected before he can see the content of the page. Not that smart code perhaps, but yet, it should work.

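[code]
<?php
session_cache_expire(60); // cached session pages expire after 60 minutes
session_start();

// $_SESSION['id'] is only set after a successful login.
$id = isset($_SESSION['id']) ? $_SESSION['id'] : '';

if ( $id == '' ) {
    redirect(); // poster's own helper, defined elsewhere
    exit;       // stop so the protected page is never rendered
}

?>
[/code]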

so the question is still... why are they being rejected...
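
Added example, not part of any post in this thread and not the poster's code: one way to keep cookie-only sessions (so the session id never appears in URLs, the security issue mentioned in the reply above) while detecting a browser that blocks the session cookie, so the login form can say so instead of redirecting silently. The function names, `/login.php`, the `ct` query parameter and HTTPS are assumptions.

```php
<?php
// Added example. Hypothetical names: start_secure_session(), cookies_accepted(),
// login_user(), require_login(), /login.php and the 'ct' query parameter.

function start_secure_session(): void
{
    // Keep the session id out of URLs: cookie transport only, no URL rewriting.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // refuse ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call on the login page after start_secure_session() and before any output.
// The first request sets the cookie and bounces once with ?ct=1; if the cookie
// is still missing on the second request, the browser is blocking it.
function cookies_accepted(): bool
{
    if (isset($_COOKIE[session_name()])) {
        return true;
    }
    if (!isset($_GET['ct'])) {
        header('Location: /login.php?ct=1');
        exit;
    }
    return false; // caller shows "cookies are required to log in"
}

function login_user(int $userId): void
{
    session_regenerate_id(true); // new id at login, so a planted id is useless
    $_SESSION['id'] = $userId;
}

function require_login(): void
{
    if (empty($_SESSION['id'])) {
        header('Location: /login.php');
        exit; // stop here so protected content is never rendered
    }
}
```

On the login page, call `start_secure_session()` and then `cookies_accepted()`; when it returns false, render the cookie notice rather than the login form.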
