One of the problems with sessions is that, by default, they rely on the use of a cookie to work properly. When a session is started, it sends a cookie that resides in the user's Web browser. Every subsequent page that calls session_start() makes use of the cookie, which contains the session name and ID, to know to use an existing session and not to create a new one. The problem is that users may have cookies turned off in their Web browser or may not accept the cookie because they do not understand its purpose. If this is the case, PHP will create a new session for each page and none of the registered variables will be accessible.
You can use sessions without cookies by passing along the session name and ID from page to page. This is simple to do, but if you forget to pass the session in only one instance, the entire process is shot.
To pass the session name from page to page, you can use the SID constant, which stands for session ID and has a value like session_name=session_ID. If this value is appended to every URL within the site, the session will still work even if the user did not accept the cookie.
Alter the redirection (header()) line to be:

header("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/loggedin.php?" . SID);
The addition of ? and SID to the redirect will add ?session_name=session_ID to the URL, effectively passing the session ID to the loggedin.php script.
If you copy the URL from the browser and paste it into another browser, you can still log in to the Web site. This is called session hijacking and is one of the reasons to rely upon cookies whenever possible.
(PHP and MySQL for Dynamic Web Sites, Visual QuickPro Guide (2003, Larry Ullman, Peachpit Press))
PHP 6 and MySQL 5 for Dynamic Web Sites: Visual QuickPro Guide
PHP for the World Wide Web, Third Edition
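The redirect described above, written out as an added example (not the book's code) that appends the session to the URL only when the browser did not return the session cookie, and that gives the session a fresh id at login so an id seen before authentication cannot be reused. BASE_URL, the $authenticated flag and the loggedin.php / login.php file names are assumptions.

```php
<?php
// login.php (added example). Cookieless sessions only work if PHP is allowed
// to read the id from the URL: since PHP 5.3 session.use_only_cookies defaults
// to 1, so it must be relaxed before session_start(). Leave it at 1 if the
// site relies on cookies exclusively.
ini_set('session.use_only_cookies', '0');
session_start();

const BASE_URL = 'http://www.example.com/'; // assumed site root, trailing slash

// Placeholder: set by your own credential check, e.g. against the users table.
$authenticated = false;

if ($authenticated) {
    // Issue a new id on login so a pre-authentication id (one that leaked or
    // was planted) does not become a logged-in session.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;

    // SID is "session_name=session_id" when the id did NOT arrive in a cookie
    // and an empty string when it did. Rebuild the pair from session_name()
    // and session_id() so the URL carries the regenerated id.
    $target = BASE_URL . 'loggedin.php';
    if (SID !== '') {
        $target .= '?' . urlencode(session_name()) . '=' . urlencode(session_id());
    }
    header('Location: ' . $target);
    exit;
}

// loggedin.php (added example). Every page reached by URL must carry the id:
// if one link omits it, session_start() creates a fresh, empty session and the
// login marker below is missing, so the user is sent back to the login form.
//
// ini_set('session.use_only_cookies', '0');
// session_start();
// if (empty($_SESSION['logged_in'])) {
//     header('Location: ' . BASE_URL . 'login.php');
//     exit;
// }
```

Because the id in the URL is the only thing that identifies the visitor, any copy of that URL (browser history, a shared link, the Referer header sent to other sites) grants the same access, which is the hijacking risk the passage above describes.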