GingerRobot Posted July 25, 2007

I'm having trouble getting sessions to work if cookies are disabled. As I understood it, if cookies are disabled, then PHP attempts to pass the session ID around in the URL, allowing the session to stay active. I'm trying to see how this works, but I can't seem to get a most basic login to work whilst cookies are turned off.

Login.php:

```php
<?php
session_start();

// Mark the session as logged in and send the browser to the member page.
if (isset($_POST['submit'])) {
    $_SESSION['loggedin'] = true;
    header("location:loggedin.php");
    exit; // stop here so the form is not sent along with the redirect
}
?>
<form action="login.php" method="post">
username: <input type="text" name="user" /> <br />
<input type="submit" name="submit" value="login" />
</form>
```

And loggedin.php:

```php
<?php
session_start();

// Log out: destroy the session and go back to the login form.
if (isset($_POST['submit'])) {
    session_destroy();
    header("location:login.php");
    exit;
}

// empty() also covers a session in which 'loggedin' was never set.
if (empty($_SESSION['loggedin'])) {
    echo 'You are not logged in. Click <a href="login.php">here</a> to log in';
} else {
    echo 'You are logged in. Hello';
?>
<form action="loggedin.php" method="post">
<input type="submit" name="submit" value="log out" />
</form>
<?php
}
?>
```

With cookies turned on, this works fine and shows me as logged in. However, when I turn cookies off, I always get the "you are not logged in" message. I have changed my php.ini setting for session.use_trans_sid to 1.

I wonder if I'm just missing something completely stupid. Any help would be appreciated.

per1os Posted July 25, 2007

It's funny that people worry about that. I say screw them if they are not allowing cookies, they should not be on my site. Also, if that is your only true validation on each page, "$_SESSION['loggedin']", wow, easy for session hijacking and being a "Valid" user.

But yeah, I think you have to instantiate the old session ID from the previous form using either GET or POST, not sure. I remember this issue back in the day. It would be like $_POST['PHPSESSID'] or $_GET['PHPSESSID'] and you would use www.php.net/session_id to set it, I believe.

GingerRobot Posted July 25, 2007

OK, I'll give that a go. To be honest, I'm not really worrying about it. It was an exercise to better understand it. Having tested it before, I always thought cookies HAD to be on for sessions to work - then I found out that wasn't correct, so I'm just trying to see how it works.

GingerRobot Posted July 25, 2007

Yeah, you were right. It seems PHP either adds a hidden field (for forms) or adds a variable to the end of the query string (for links etc.) containing the session ID. You do then have to retrieve it from the relevant array and set it using session_id().

It seems strange that it doesn't automatically do anything with header("location:...) transfers though... I had to add the PHP session ID in myself:

```php
header("location:http://localhost/loggedin.php?PHPSESSID=".session_id());
```

At least it works now. Thanks again for the help.
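
The thread's login flow with its two session-handling gaps closed, as an added example that is not code from either poster: the session ID is regenerated at login, so an ID that arrived in a link before login is not the one that becomes authenticated, and header() redirects carry the ID only when no session cookie came back. The function names are illustrative, credential checking is left out as in the thread's exercise, and session.use_only_cookies is set to 0 on the assumption that URL-carried IDs are wanted.

```php
<?php
// Added example, not code from the thread. Function names are illustrative.

function start_session(): void {
    ini_set('session.use_strict_mode', '1');  // discard IDs the server never issued
    ini_set('session.use_only_cookies', '0'); // the thread's case: accept URL IDs
    ini_set('session.use_trans_sid', '1');    // rewrite relative links and forms
    session_start();
    header('Referrer-Policy: no-referrer');   // keep URL-borne IDs out of Referer
}

function redirect_with_sid(string $path): void {
    // header() output is not rewritten by use_trans_sid, so append the ID by
    // hand, and only when the browser did not send the session cookie back.
    if (!isset($_COOKIE[session_name()])) {
        $path .= (strpos($path, '?') === false ? '?' : '&')
               . rawurlencode(session_name()) . '=' . rawurlencode(session_id());
    }
    header('Location: ' . $path);
    exit;
}

function log_in(): void {
    // Credential check omitted, as in the thread's exercise.
    session_regenerate_id(true);   // new ID at login; the pre-login ID is deleted
    $_SESSION['loggedin'] = true;
    redirect_with_sid('loggedin.php');
}

function log_out(): void {
    $_SESSION = [];                // clear the in-memory copy as well
    session_destroy();
    header('Location: login.php'); // no ID to carry: the session is gone
    exit;
}

function is_logged_in(): bool {
    return ($_SESSION['loggedin'] ?? false) === true;
}

// login.php
start_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    log_in();
}
```

loggedin.php would call start_session(), then log_out() on the logout POST, and otherwise branch on is_logged_in().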