Session HELP !

In an attempt to keep the URL and code quite clean, and to avoid having a
very loooong URL, we have used $_SESSION[] for storing values through the
pages.

Now, we have some clients that don't get any result when going to the
second page. After studying their browser, the confidentiality setting was
at the maximum. With their settings, the site doesn't work well.

Since we can't change the setting for every client, what can we do?

For passing session variables, does it suffice to put a .SID at the end of
every URL, as we didn't do it?

And for POST submission, where we want to keep some values, how do we put a
SID in the form tag?

Bob
Oct 4 '05 #1
> In an attempt to keep the URL and code quite clean, and to avoid having a
> very loooong URL, we have used $_SESSION[] for storing values through the
> pages.
>
> Now, we have some clients that don't get any result when going to the
> second page. After studying their browser, the confidentiality setting was
> at the maximum. With their settings, the site doesn't work well.

This probably means that session cookies are not accepted.
Sessions require passing the session ID around, and the
existing choices are (a) cookie or (b) URL.

> Since we can't change the setting for every client, what can we do?
>
> For passing session variables, does it suffice to put a .SID at the end of
> every URL, as we didn't do it?

You need to pass the SID somehow, and that's one way. Also look
at trans_sid, which may do much the same thing but save you some
work. It puts the session ID in the URL unless it appears that
cookies are working.

> And for POST submission, where we want to keep some values, how do we put a
> SID in the form tag?

Hidden field with the SID in it?

Gordon L. Burditt
Oct 4 '05 #2
Bob Bedford wrote:
> In an attempt to keep the URL and code quite clean, and to avoid having a
> very loooong URL, we have used $_SESSION[] for storing values through the
> pages.

I would just take the time and remove this "feature" of yours and go
back to using GET variables. A site that's unbookmarkable is far more
annoying to end-users than long URLs. Add to that the inability for
Google to properly index your site and strange behavior with new
windows, the aesthetic gain isn't worth it.

Oct 4 '05 #3

"Chung Leong" <ch***********@hotmail.com> wrote in message news:
11*********************@g43g2000...legroups.com...
> Bob Bedford wrote:
>> In an attempt to keep the URL and code quite clean, and to avoid having a
>> very loooong URL, we have used $_SESSION[] for storing values through the
>> pages.
>
> I would just take the time and remove this "feature" of yours and go
> back to using GET variables. A site that's unbookmarkable is far more
> annoying to end-users than long URLs. Add to that the inability for
> Google to properly index your site and strange behavior with new
> windows, the aesthetic gain isn't worth it.

In fact the session variable is also used to avoid worrying about such GET or
POST variables.
Let me explain: the user makes a search about a shoe make.
Then he looks through the results, changing some pages, going inside articles
to see details, and so on, then wants to perform another search.
At every page, I have to worry about 10-20 variables every time. Putting them
in a session variable, I may ask for the variable when needed, without worrying
whether I passed it between all pages. For this I created a bunch of functions to
store and retrieve variables very easily, and it's a pain saver as you don't
forget to pass variables between pages.

That's the main reason we used session variables. We don't need to worry
about bookmarking such pages, as they are dynamic. We may use UrlRewrite
later for such needs (although we didn't look at this function yet).
Also for Google, we provided a sitemap in order to get all articles without
the need to worry about dynamic pages.

Am I wrong? Any advice would be greatly appreciated.

Bob
Oct 5 '05 #4

Bob Bedford wrote:
> In fact the session variable is also used to avoid worrying about such GET or
> POST variables.
> Let me explain: the user makes a search about a shoe make.
> Then he looks through the results, changing some pages, going inside articles
> to see details, and so on, then wants to perform another search.
> At every page, I have to worry about 10-20 variables every time. Putting them
> in a session variable, I may ask for the variable when needed, without worrying
> whether I passed it between all pages. For this I created a bunch of functions to
> store and retrieve variables very easily, and it's a pain saver as you don't
> forget to pass variables between pages.

Well, the pain of passing variables between pages is less than that of
dealing with session issues. If you bundle the search criteria in an
associative array, appending them to a URL isn't that hard.

I'm mentioning this because I use Firefox's tabs extensively. Given a
list of search results I'd almost inevitably center-click on the items
of interest to view them in separate tabs (so I can quickly jump
between them). Using session for passing variables would lead to very
odd behaviors in this scenario.

> That's the main reason we used session variables. We don't need to worry
> about bookmarking such pages, as they are dynamic.

Just because the pages are dynamically generated doesn't imply that
visitors wouldn't want to bookmark them. Also keep in mind that browse
history functions as an automatic bookmarking mechanism. It's quite
reasonable for someone to want to return to a search done on an earlier
day. Having to reenter the 10/20 parameters you mentioned would be
quite annoying.

> Am I wrong? Any advice would be greatly appreciated.

In programming you usually want to avoid side-effects as much as
possible. You don't want the outcome of an operation to be dependent,
implicitly, on the effects of earlier operations. Passing variables
using sessions means that the HTTP requests have to arrive in a
particular order. It's not a thing that you should depend on, as you
have no control over the browser or the end-user.

Oct 5 '05 #5
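
The approach described in the post above, bundling the search criteria in an associative array and appending them to the URL, as an added example that is not part of the original thread. The field names, limits and sample request are constructed; values read back from the URL are checked against an allowlist before use.

```php
<?php
// Added example; field names, limits and sample values are constructed.
const SEARCH_FIELDS = [
    'brand'     => ['type' => 'text', 'max' => 40],
    'color'     => ['type' => 'enum', 'values' => ['black', 'brown', 'white']],
    'size'      => ['type' => 'int', 'min' => 15, 'max' => 60],
    'max_price' => ['type' => 'int', 'min' => 0, 'max' => 100000],
    'page'      => ['type' => 'int', 'min' => 1, 'max' => 500],
];

/** Keep only known fields whose values pass their rule; drop everything else. */
function read_criteria(array $query): array
{
    $clean = [];
    foreach (SEARCH_FIELDS as $name => $rule) {
        // Skip missing fields and array-valued input such as ?size[]=1.
        if (!isset($query[$name]) || !is_string($query[$name])) {
            continue;
        }
        $raw = trim($query[$name]);
        if ($rule['type'] === 'int') {
            $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => [
                'min_range' => $rule['min'], 'max_range' => $rule['max'],
            ]]);
            if ($value !== false) {
                $clean[$name] = $value;
            }
        } elseif ($rule['type'] === 'enum') {
            if (in_array($raw, $rule['values'], true)) {
                $clean[$name] = $raw;
            }
        } elseif ($raw !== '' && strlen($raw) <= $rule['max']
            && preg_match('/^[\p{L}\p{N} .\'-]+$/u', $raw) === 1) {
            $clean[$name] = $raw;
        }
    }
    return $clean;
}

/** Build a link that carries the whole search state, with optional changes. */
function search_url(string $path, array $criteria, array $changes = []): string
{
    $params = array_merge($criteria, $changes);
    ksort($params); // stable order, so the same search gives the same URL
    return $path . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Constructed request: one bad enum value and one unknown parameter.
$request = ['brand' => 'Acme', 'size' => '42', 'color' => 'purple',
            'page' => '2', 'admin' => '1'];
$criteria = read_criteria($request);
$next = search_url('/search.php', $criteria, ['page' => $criteria['page'] + 1]);
// Escape for the HTML attribute; the URL itself is already percent-encoded.
echo '<a href="' . htmlspecialchars($next, ENT_QUOTES) . '">Next page</a>', PHP_EOL;
```
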
> Well, the pain of passing variables between pages is less than that of
> dealing with session issues. If you bundle the search criteria in an
> associative array, appending them to a URL isn't that hard.
>
> I'm mentioning this because I use Firefox's tabs extensively. Given a
> list of search results I'd almost inevitably center-click on the items
> of interest to view them in separate tabs (so I can quickly jump
> between them). Using session for passing variables would lead to very
> odd behaviors in this scenario.

I was taking the line Bob was - sessions for better security - till I
read your explanation about why GET is useful - bookmarking, users not
repeating searches etc. Very correct, indeed. But people learn how to
rewrite URLs quite easily these days. For example you will have so many
people writing
http://www.google.com/search?my+search+term&hl=en while referring to
specific searches. How does one handle security in such cases? Yes,
encrypted cookies stored on the user's computer seem to be the best. Am I
right here? (Or are there loopholes here as well?) What I can make out
from the two counterpoints is that if you have a section of your site
that gives just information and users need to enter parameters (and
naturally, returning users need to remember searches and bookmark
pages), use GET for that section, whereas, for the section where you
have to accept payments, use POSTs. What do you think?

Also, I have a related problem: even for a POST, Firefox (which is my
favorite as well) displays
http://mysite.com/myfile.php?PHPSESS...8a0b096bb73d05
in the URL which is disturbing to say the least after you've spent a
lot of time making a session-oriented application.
What do you do to prevent that?

Open to ideas and suggestions,
Regards,
Joseph S.

Oct 5 '05 #6
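
How the session ID travels when cookies are refused, covering the SID-in-URL, hidden-field and trans_sid options from the earlier reply and the PHPSESSID-in-the-address-bar question above. This is an added example, not code from the thread; the function names are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

/** session_start() options for each way the session ID can travel. */
function session_options(string $transport): array
{
    $common = ['use_cookies' => 1, 'use_strict_mode' => 1, 'cookie_httponly' => 1];
    switch ($transport) {
        case 'cookie':    // ID only ever travels in the cookie
            return $common + ['use_only_cookies' => 1, 'use_trans_sid' => 0];
        case 'manual':    // ID also accepted from GET/POST; the pages add it themselves
            return $common + ['use_only_cookies' => 0, 'use_trans_sid' => 0];
        case 'trans_sid': // PHP rewrites links and forms until a cookie comes back,
                          // which is when PHPSESSID shows up in the address bar
            return $common + ['use_only_cookies' => 0, 'use_trans_sid' => 1];
    }
    throw new InvalidArgumentException("unknown transport: $transport");
}

/** True when this request arrived without a session cookie. */
function sid_needed(): bool
{
    // SID is "name=id" when no session cookie was received, '' otherwise.
    return defined('SID') && SID !== '';
}

/** Manual version of "put SID at the end of the URL". */
function url_with_sid(string $url): string
{
    if (!sid_needed()) {
        return $url;
    }
    return $url . (strpos($url, '?') === false ? '?' : '&') . SID;
}

/** Manual version of the hidden field for POST forms. */
function hidden_sid_field(): string
{
    if (!sid_needed()) {
        return '';
    }
    return sprintf('<input type="hidden" name="%s" value="%s">',
        htmlspecialchars(session_name(), ENT_QUOTES),
        htmlspecialchars(session_id(), ENT_QUOTES));
}

/** Call at login: an ID that has been in a URL must not outlive authentication. */
function on_login(int $userId): void
{
    session_regenerate_id(true); // issue a new ID and delete the old session
    $_SESSION['user_id'] = $userId;
}

session_start(session_options('manual'));
$link = htmlspecialchars(url_with_sid('results.php?page=2'), ENT_QUOTES);
echo "<a href=\"$link\">Page 2</a>\n";
echo '<form method="post" action="search.php">', hidden_sid_field(), "</form>\n";
```

Current PHP defaults match the 'cookie' settings, and PHP 8.4 deprecates the two URL-based modes and the SID constant.
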
>In fact the session variable is also used to avoid worring about such GET or
> POST variables.
> Let me explain: the user makes a search about a shoe make.

If the user is searching for a shoe make, he might want to bookmark
one of the results so he can come back to it later (perhaps he's
comparison shopping with other sites).

> Then he looks through the results, changing some pages, going inside articles
> to see details, and so on, then wants to perform another search.
> At every page, I have to worry about 10-20 variables every time. Putting them
> in a session variable, I may ask for the variable when needed, without worrying
> whether I passed it between all pages. For this I created a bunch of functions to
> store and retrieve variables very easily, and it's a pain saver as you don't
> forget to pass variables between pages.
>
> That's the main reason we used session variables. We don't need to worry
> about bookmarking such pages, as they are dynamic.

You do need to worry about bookmarking such pages, especially if
you're selling something. If the user can't come back to the page,
you may lose a sale. Now, some things shouldn't be bookmarked (like
a customer's list of what's currently in his shopping basket, or a
partially-completed order, or a map to the store based on the
customer's location), but pages for individual items for sale should
be bookmarkable.

"Dynamic pages" are usually an implementation detail. If the
contents of the page depend on things like the item number, search
terms, category, etc. and not on the customer's ID number, customer's
password, or customer's geographic location, chances are it should
be bookmarkable.

> We may use UrlRewrite
> later for such needs (although we didn't look at this function yet).
> Also for Google, we provided a sitemap in order to get all articles without
> the need to worry about dynamic pages.


Gordon L. Burditt
Oct 5 '05 #7
> You do need to worry about bookmarking such pages, especially if
> you're selling something. If the user can't come back to the page,
> you may lose a sale. Now, some things shouldn't be bookmarked (like
> a customer's list of what's currently in his shopping basket, or a
> partially-completed order, or a map to the store based on the
> customer's location), but pages for individual items for sale should
> be bookmarkable.

One other idea that naturally follows is that you can provide visitors
with a "mark as favorite" option or a "store my search" (a prominent
check box) and store a cookie on the user's computer and an entry in
your database (or maybe a PHP page explicitly for stored searches which
will read the cookie from his computer and direct him to the product
that he searched for after some processing). So it is only one page
that has to do with GET and without POST.
However, I feel it may be better still to design out all the pages and
separate out the GET and POST pages and keep them independent - e.g.
your catalog pages all are
http://www.mystore.com/catalog?cat=56&prod_id=65 etc. and your payment
and customer details and payment details pages are all POST.

One security related question: in Apache, how good is the idea of
mapping Aliases for PHP pages?
e.g.
I make an entry in httpd.conf for
Alias /store C:/Apache2/htdocs/store/displayall.php
and always use the header function like this
header("Location: /store");
or
header("Location: http://www.mysite.com/store");

Will it be of any help for security?

BTW, can the Alias entry be put in a .htaccess file?

Joseph S.

Oct 5 '05 #8
Joseph S. wrote:
> I was taking the line Bob was - sessions for better security - till I
> read your explanation about why GET is useful - bookmarking, users not
> repeating searches etc. Very correct, indeed. But people learn how to
> rewrite URLs quite easily these days.

I disagree with the notion that using sessions to pass variables leads to
better security. If access to a resource identified by a GET parameter
requires proper authorization, then just perform the necessary
authorization checks within that page. That simplifies the security
analysis: if the checks occur, then the resource is safe. In contrast,
when you rely on the user's inability to alter session variables for
security, the analysis is more complicated: the resource is safe only if
the user cannot somehow use other pages to set the session variables to
illegal values. You end up having to prove a negative.

Security by assertion is better than security by prevention. It's
easier to see that something happens correctly than to show that
nothing can go wrong.

Oct 6 '05 #9
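
The check described in the post above, done inside the page that serves a resource named by a GET parameter, as an added example that is not part of the original thread. The order table, user IDs and function name are constructed.

```php
<?php
// Added example; the order table, user IDs and function name are constructed.
const ORDERS = [
    1001 => ['owner_id' => 7, 'total' => '59.90'],
    1002 => ['owner_id' => 9, 'total' => '120.00'],
];

/**
 * Decide what a request for order.php?id=... may see. The check depends only
 * on the authenticated user and the requested ID, not on which pages were
 * visited before.
 */
function authorize_order_view(?int $userId, $rawId, array $orders): array
{
    if ($userId === null) {
        return ['status' => 401, 'order' => null]; // not logged in
    }
    // Reject anything that is not a positive integer (arrays, text, negatives).
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($orders[$id])) {
        return ['status' => 404, 'order' => null];
    }
    if ($orders[$id]['owner_id'] !== $userId) {
        // Same answer as "no such order", so valid IDs cannot be told apart.
        return ['status' => 404, 'order' => null];
    }
    return ['status' => 200, 'order' => $orders[$id]];
}

// Constructed requests: [logged-in user or null, value of $_GET['id']].
$requests = [[7, '1001'], [7, '1002'], [null, '1001'], [7, 'abc'], [9, ['1002']]];
foreach ($requests as [$user, $rawId]) {
    $result = authorize_order_view($user, $rawId, ORDERS);
    printf("user=%s id=%s -> %d\n",
        var_export($user, true), json_encode($rawId), $result['status']);
}
```
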
Chung Leong wrote:
> <snip>
> I'm mentioning this because I use Firefox's tabs extensively.
>
> <snip>

Great news indeed; IIRC, you were a fan of IE:-). FWIW, I recently
found the Tab Mix Plus <http://tmp.gary.elixant.com/> extension is a very
nice tool for FF tab browsing; might help at least some.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Oct 6 '05 #10
