Bytes | Software Development & Data Engineering Community

Session HELP!

In an attempt to keep the URL and code quite clean, and to avoid having a
very loooong URL, we have used $_SESSION[] for storing values through the
pages.

Now, we have some clients that don't get any result when going to the
second page. After studying their browser, the confidentiality setting was
at the maximum. On their settings, the site doesn't work well.

Since we can't change the setting for every client, what may we do?

For passing session variables, does it suffice to put a .SID at the end of
every URL, as we didn't do it?

And for POST submission, where we want to keep some values, how do we put a
SID in the form tag?

Bob
Oct 4 '05 #1
> In an attempt to keep the URL and code quite clean, and to avoid having a
> very loooong URL, we have used $_SESSION[] for storing values through the
> pages.
>
> Now, we have some clients that don't get any result when going to the
> second page. After studying their browser, the confidentiality setting was
> at the maximum. On their settings, the site doesn't work well.

This probably means that session cookies are not accepted.
Sessions require passing the session ID around, and the
existing choices are (a) cookie or (b) URL.

> Since we can't change the setting for every client, what may we do?
>
> For passing session variables, does it suffice to put a .SID at the end of
> every URL, as we didn't do it?

You need to pass the SID somehow, and that's one way. Also look
at trans_sid, which may do much the same thing but save you some
work. It puts the session ID in the URL unless it appears that
cookies are working.

> And for POST submission, where we want to keep some values, how do we put a
> SID in the form tag?

Hidden field with the SID in it?

Gordon L. Burditt
Oct 4 '05 #2
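
The following is an added example, not code from the thread or from any of the posters. It does what the reply above describes: when the client refuses the session cookie, the session ID is carried in links through PHP's SID constant and in POST forms through a hidden field, while cookie-accepting clients keep clean URLs. The page names (results.php, search.php), the session keys and the login hook are hypothetical; the ini directives and functions are real PHP ones.

```php
<?php
// Added example, not code from the thread. Carries the session ID in links
// (SID constant) and POST forms (hidden field) for clients that block the
// session cookie. Page names, session keys and on_login() are hypothetical.
declare(strict_types=1);

// Let PHP read the ID from $_GET/$_POST as well as from the cookie; this is
// what cookie-blocking clients need. Strict mode limits the damage: an ID the
// server never issued is discarded and a fresh one generated, so a link
// carrying an attacker-chosen ID cannot fixate the victim onto it.
ini_set('session.use_only_cookies', '0');
ini_set('session.use_strict_mode', '1');
// Leave automatic URL rewriting off and add the ID explicitly where needed.
ini_set('session.use_trans_sid', '0');

session_start();

// SID is defined by session_start(): "PHPSESSID=<id>" when no session cookie
// arrived with this request, "" when the cookie works.
function with_sid(string $url): string
{
    if (SID === '') {
        return $url;
    }
    return $url . (strpos($url, '?') === false ? '?' : '&') . SID;
}

// For POST forms the field name must be the session name (PHPSESSID by
// default), because that is the parameter PHP looks up in $_POST.
function sid_hidden_field(): string
{
    if (SID === '') {
        return '';
    }
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        htmlspecialchars(session_name(), ENT_QUOTES, 'UTF-8'),
        htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8')
    );
}

// An ID that travels in the URL ends up in Referer headers, proxy and
// server logs and bookmarks, so issue a new one whenever the session gains
// privilege; a leaked pre-login ID is then worthless.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Remember the current search the way the original poster does.
if (isset($_POST['make']) && is_string($_POST['make'])) {
    $_SESSION['shoe_make'] = $_POST['make'];
}
$make = $_SESSION['shoe_make'] ?? '';

// Keep the ID out of the Referer when the user follows an outbound link.
header('Referrer-Policy: no-referrer');
?>
<a href="<?= attr(with_sid('results.php?page=2')) ?>">Next page</a>

<form method="post" action="search.php">
  <?= sid_hidden_field() ?>
  <input type="text" name="make" value="<?= attr($make) ?>">
  <button type="submit">Search</button>
</form>
```

Two caveats on this setup. Turning session.use_only_cookies off applies to every client, not just the cookie-blocking ones, so anyone can be handed a URL with a session ID in it; session.use_strict_mode (PHP 5.5.2 and later, supported by the default files handler) plus session_regenerate_id() at login are what keep that from turning into session fixation. And because the ID is in the URL, it is visible in browser history, bookmarks and any log that records request lines, so a site that keeps use_only_cookies=1 for everyone and simply tells cookie-blocking users the site needs session cookies is the safer trade where that is acceptable.
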
Bob Bedford wrote:
> In an attempt to keep the URL and code quite clean, and to avoid having a
> very loooong URL, we have used $_SESSION[] for storing values through the
> pages.

I would just take the time and remove this "feature" of yours and go
back to using GET variables. A site that's unbookmarkable is far more
annoying to end-users than long URLs. Add to that the inability for
Google to properly index your site and strange behavior with new
windows, and the aesthetic gain isn't worth it.

Oct 4 '05 #3

"Chung Leong" <ch***********@hotmail.com> wrote in the news message:
11*********************@g43g2000cwa.googlegroups.com...
> Bob Bedford wrote:
> > In an attempt to keep the URL and code quite clean, and to avoid having a
> > very loooong URL, we have used $_SESSION[] for storing values through the
> > pages.
>
> I would just take the time and remove this "feature" of yours and go
> back to using GET variables. A site that's unbookmarkable is far more
> annoying to end-users than long URLs. Add to that the inability for
> Google to properly index your site and strange behavior with new
> windows, and the aesthetic gain isn't worth it.

In fact the session variable is also used to avoid worrying about such GET or
POST variables.
Let me explain: the user makes a search for a shoe make.
Then he looks through the results, changing pages, going inside articles
to see details, and so on, then wants to perform another search.
At every page, I have to worry about 10-20 variables every time. Putting them
in a session variable, I may ask for the variable when needed, without worrying
whether I passed it between all pages. For this I created a bunch of functions to
store and retrieve variables very easily, and it saves a lot of pain, as you don't
forget to pass variables between pages.

That's the main reason we used session variables. We don't need to worry
about bookmarking such pages, as they are dynamic. We may use UrlRewrite
later for such needs (although we didn't look at this function yet).
Also for Google, we provided a sitemap in order to get all articles without
the need to worry about dynamic pages.

Am I wrong? Any advice would be greatly appreciated.

Bob
Oct 5 '05 #4

Bob Bedford wrote:
> In fact the session variable is also used to avoid worrying about such GET or
> POST variables.
> Let me explain: the user makes a search for a shoe make.
> Then he looks through the results, changing pages, going inside articles
> to see details, and so on, then wants to perform another search.
> At every page, I have to worry about 10-20 variables every time. Putting them
> in a session variable, I may ask for the variable when needed, without worrying
> whether I passed it between all pages. For this I created a bunch of functions to
> store and retrieve variables very easily, and it saves a lot of pain, as you don't
> forget to pass variables between pages.

Well, the pain of passing variables between pages is less than that of
dealing with session issues. If you bundle the search criteria in an
associative array, appending them to a URL isn't that hard.

I'm mentioning this because I use Firefox's tabs extensively. Given a
list of search results I'd almost inevitably center-click on the items
of interest to view them in separate tabs (so I can quickly jump
between them). Using the session for passing variables would lead to very
odd behaviors in this scenario.

> That's the main reason we used session variables. We don't need to worry
> about bookmarking such pages, as they are dynamic.

Just because the pages are dynamically generated doesn't imply that
visitors wouldn't want to bookmark them. Also keep in mind that browser
history functions as an automatic bookmarking mechanism. It's quite
reasonable for someone to want to return to a search done on an earlier
day. Having to reenter the 10/20 parameters you mentioned would be
quite annoying.

> Am I wrong? Any advice would be greatly appreciated.

In programming you usually want to avoid side-effects as much as
possible. You don't want the outcome of an operation to be dependent,
implicitly, on the effects of earlier operations. Passing variables
using sessions means that the HTTP requests have to arrive in a
particular order. It's not a thing that you should depend on, as you
have no control over the browser or the end-user.

Oct 5 '05 #5
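
The following is an added example, not code from the thread or from any poster. It does what the reply above suggests: the search criteria live in an associative array and are carried in the URL, so a results page is bookmarkable and every tab holds its own state. It adds the check a practitioner would want, a whitelist with a validating pattern per parameter, so a tampered or stale URL cannot push unexpected keys or values into the page. The field names, patterns and the /catalog path are hypothetical.

```php
<?php
// Added example, not code from the thread. Search criteria as an associative
// array, validated against a whitelist and round-tripped through the URL.
// Field names, patterns and the /catalog path are hypothetical.
declare(strict_types=1);

// Accepted parameters, each with a validating pattern. Anything missing from
// this list, or failing its pattern, is dropped before the value is used or
// echoed back into a link.
const SEARCH_FIELDS = [
    'make'  => '/^[\p{L}\p{N} .\'-]{1,40}$/u',
    'size'  => '/^(3[5-9]|4[0-8])$/',
    'color' => '/^[a-z]{1,20}$/',
    'page'  => '/^[1-9][0-9]{0,3}$/',
    'sort'  => '/^(price_asc|price_desc|newest)$/',
];

// Reads criteria from a query array such as $_GET and returns only the
// whitelisted, well-formed ones.
function read_search_criteria(array $query): array
{
    $criteria = [];
    foreach (SEARCH_FIELDS as $name => $pattern) {
        $value = $query[$name] ?? null;
        if (is_string($value) && preg_match($pattern, $value) === 1) {
            $criteria[$name] = $value;
        }
    }
    return $criteria;
}

// Builds the URL for the same search with some values replaced (next page,
// different sort). Keys are sorted so one search always yields one URL,
// which keeps bookmarks and caches consistent.
function build_search_url(string $path, array $criteria, array $override = []): string
{
    $params = read_search_criteria(array_merge($criteria, $override));
    ksort($params);
    $qs = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return $qs === '' ? $path : $path . '?' . $qs;
}

function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed request standing in for $_GET: two good values, a page number,
// a color that fails its pattern and a parameter that is not whitelisted.
$query = [
    'make'  => "O'Neil",
    'size'  => '42',
    'page'  => '2',
    'color' => '<script>',
    'debug' => '1',
];
$criteria = read_search_criteria($query);
$page = (int)($criteria['page'] ?? 1);

echo '<a href="', attr(build_search_url('/catalog', $criteria, ['page' => (string)($page + 1)])), '">Next page</a>', "\n";
echo '<a href="', attr(build_search_url('/catalog', $criteria, ['sort' => 'price_asc'])), '">Cheapest first</a>', "\n";
```

Because every link is rebuilt from the validated array rather than from the raw query string, the page never reflects an unvalidated parameter back into its own HTML, and opening several result pages in separate tabs works because each tab's URL is the complete state of that search.
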
> Well, the pain of passing variables between pages is less than that of
> dealing with session issues. If you bundle the search criteria in an
> associative array, appending them to a URL isn't that hard.
>
> I'm mentioning this because I use Firefox's tabs extensively. Given a
> list of search results I'd almost inevitably center-click on the items
> of interest to view them in separate tabs (so I can quickly jump
> between them). Using the session for passing variables would lead to very
> odd behaviors in this scenario.

I was taking the line Bob was - sessions for better security - till I
read your explanation about why GET is useful - bookmarking, users not
repeating searches etc. Very correct, indeed. But people learn how to
rewrite URLs quite easily these days. For example you will have so many
people writing
http://www.google.com/search?my+search+term&hl=en while referring to
specific searches. How does one handle security in such cases? Yes,
encrypted cookies stored on the user's computer seem to be the best. Am I
right here? (Or are there loopholes here as well?) What I can make out
from the two counterpoints is that if you have a section of your site
that gives just information and users need to enter parameters (and
naturally, returning users need to remember searches and bookmark
pages), use GET for that section, whereas, for the section where you
have to accept payments, use POSTs. What do you think?

Also, I have a related problem: even for a POST, Firefox (which is my
favorite as well) displays
http://mysite.com/myfile.php?PHPSESS...8a0b096bb73d05
in the URL, which is disturbing to say the least after you've spent a
lot of time making a session-oriented application.
What do you do to prevent that?

Open to ideas and suggestions,
Regards,
Joseph S.

Oct 5 '05 #6
> In fact the session variable is also used to avoid worrying about such GET or
> POST variables.
> Let me explain: the user makes a search for a shoe make.

If the user is searching for a shoe make, he might want to bookmark
one of the results so he can come back to it later (perhaps he's
comparison shopping with other sites).

> Then he looks through the results, changing pages, going inside articles
> to see details, and so on, then wants to perform another search.
> At every page, I have to worry about 10-20 variables every time. Putting them
> in a session variable, I may ask for the variable when needed, without worrying
> whether I passed it between all pages. For this I created a bunch of functions to
> store and retrieve variables very easily, and it saves a lot of pain, as you don't
> forget to pass variables between pages.
>
> That's the main reason we used session variables. We don't need to worry
> about bookmarking such pages, as they are dynamic.

You do need to worry about bookmarking such pages, especially if
you're selling something. If the user can't come back to the page,
you may lose a sale. Now, some things shouldn't be bookmarked (like
a customer's list of what's currently in his shopping basket, or a
partially-completed order, or a map to the store based on the
customer's location), but pages for individual items for sale should
be bookmarkable.

"Dynamic pages" are usually an implementation detail. If the
contents of the page depend on things like the item number, search
terms, category, etc. and not on the customer's ID number, customer's
password, or customer's geographic location, chances are it should
be bookmarkable.

> We may use UrlRewrite
> later for such needs (although we didn't look at this function yet).
> Also for Google, we provided a sitemap in order to get all articles without
> the need to worry about dynamic pages.

Gordon L. Burditt
Oct 5 '05 #7
> You do need to worry about bookmarking such pages, especially if
> you're selling something. If the user can't come back to the page,
> you may lose a sale. Now, some things shouldn't be bookmarked (like
> a customer's list of what's currently in his shopping basket, or a
> partially-completed order, or a map to the store based on the
> customer's location), but pages for individual items for sale should
> be bookmarkable.

One other idea that naturally follows is that you can provide visitors
with a "mark as favorite" option or a "store my search" (a prominent
check box) and store a cookie on the user's computer and an entry in
your database (or maybe a PHP page explicitly for stored searches which
will read the cookie from his computer and direct him to the product
that he searched for after some processing). So it is only one page
that has to do with GET and without POST.
However, I feel it may be better still to design out all the pages and
separate out the GET and POST pages and keep them independent - e.g.
your catalog pages are all
http://www.mystore.com/catalog?cat=56&prod_id=65 etc. and your payment
and customer details and payment details pages are all POST.

One security related question: in Apache, how good is the idea of
mapping Aliases for PHP pages?
e.g.
I make an entry in httpd.conf for
Alias /store C:/Apache2/htdocs/store/displayall.php
and always use the header function like this
header("Location: /store");
or
header("Location: http://www.mysite.com/store");

Will it be of any help for security?

BTW, can the Alias entry be put in a .htaccess file?

Joseph S.

Oct 5 '05 #8
Joseph S. wrote:
> I was taking the line Bob was - sessions for better security - till I
> read your explanation about why GET is useful - bookmarking, users not
> repeating searches etc. Very correct, indeed. But people learn how to
> rewrite URLs quite easily these days.

I disagree with the notion that using the session to pass variables leads to
better security. If access to a resource identified by a GET parameter
requires proper authorization, then just perform the necessary
authorization checks within that page. That simplifies the security
analysis: if the checks occur, then the resource is safe. In contrast,
when you rely on the user's inability to alter session variables for
security, the analysis is more complicated: the resource is safe only if
the user cannot somehow use other pages to set the session variables to
illegal values. You end up having to prove a negative.

Security by assertion is better than security by prevention. It's
easier to see that something happens correctly than to show that
nothing can go wrong.

Oct 6 '05 #9
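
The following is an added example, not code from the thread or from any poster. It puts the two approaches in the reply above side by side: the order ID arrives as a GET parameter and the page itself proves that the logged-in user owns it (the check is part of the query), next to a page that trusts an order ID some earlier page stored in the session and checks nothing itself. The schema, rows, session keys and page name are constructed for the demonstration; the database is an in-memory SQLite so it runs stand-alone.

```php
<?php
// Added example, not code from the thread. Per-request ownership check on a
// GET-identified resource, beside the session-trusting pattern the thread
// argues against. Schema, rows and session keys are constructed for the demo.
declare(strict_types=1);

function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, total INTEGER NOT NULL)');
    $db->exec('INSERT INTO orders VALUES (65, 1, 12900), (66, 2, 4500)');
    return $db;
}

// Security by assertion: the ownership test is part of the query, so the
// page never holds a row it has not authorised, whatever the URL says.
function load_own_order(PDO $db, int $customerId, int $orderId): ?array
{
    $st = $db->prepare('SELECT id, customer_id, total FROM orders WHERE id = :id AND customer_id = :cust');
    $st->execute([':id' => $orderId, ':cust' => $customerId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Security by prevention, the pattern the reply warns about: this page
// trusts $_SESSION['order_id'] and checks nothing itself. It is only safe if
// no other page, and no bug, can ever write a foreign order ID into that key.
function load_order_from_session(PDO $db, array $session): ?array
{
    $st = $db->prepare('SELECT id, customer_id, total FROM orders WHERE id = :id');
    $st->execute([':id' => (int)($session['order_id'] ?? 0)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Handler for a URL like order.php?order_id=65 (page name hypothetical).
function show_order(PDO $db, array $session, array $get): string
{
    if (!isset($session['user_id'])) {
        http_response_code(401);
        return 'login required';
    }
    // Validate the identifier before it reaches the query.
    $orderId = filter_var($get['order_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($orderId === false) {
        http_response_code(400);
        return 'bad order id';
    }
    $order = load_own_order($db, (int)$session['user_id'], $orderId);
    if ($order === null) {
        // One answer for "not yours" and "does not exist", so the page does
        // not confirm which order numbers are in use.
        http_response_code(404);
        return 'no such order';
    }
    return sprintf('order %d, total %d', $order['id'], $order['total']);
}

$db = demo_db();
// Customer 1 is logged in; "some earlier page" left customer 2's order ID in the session.
$session = ['user_id' => 1, 'order_id' => 66];
echo show_order($db, $session, ['order_id' => '65']), "\n";         // own order, served
echo show_order($db, $session, ['order_id' => '66']), "\n";         // customer 2's order, refused
echo json_encode(load_order_from_session($db, $session)), "\n";     // session path hands over customer 2's order unchecked
```

The point of the contrast is the one the reply makes: to trust show_order() you read one function and confirm the check is there; to trust load_order_from_session() you have to audit every page and every code path that can write $_SESSION['order_id'], now and after every future change.
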
Chung Leong wrote:
<snip>
> I'm mentioning this because I use Firefox's tabs extensively.
<snip>

Great news indeed; IIRC, you were a fan of IE :-). FWIW, I recently
found the Tab Mix Plus <http://tmp.gary.elixant.com/> extension is a very
nice tool for FF tab browsing; might help at least some.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Oct 6 '05 #10
Joseph S. wrote:
<snip>
> Also, I have a related problem: even for a POST, Firefox (which is my
> favorite as well) displays
> http://mysite.com/myfile.php?PHPSESS...8a0b096bb73d05
> in the URL, which is disturbing to say the least after you've spent a
> lot of time making a session-oriented application.
> What do you do to prevent that?

Probably you're using the trans sid feature
<http://in2.php.net/session#ini.session.use-trans-sid>; if you turn
this off in php.ini, it won't append session IDs.
<news:11**********************@l41g2000cwc.googlegroups.com> (
http://groups.google.com/group/comp....24f27f2b7ac610 )

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Oct 6 '05 #11
