
Session ID problem

Hi,

I have this code in my form:
<?php
ini_set('use_trans_sid',1);
session_cache_limiter('private, must-revalidate');
// session_is_registered() is evaluated before session_start() has loaded
// any session data, so this branch is always taken.
if(!session_is_registered("UID")){
    session_start();
    $UserID = 0;
    if (isset($_SESSION["UID"]) and $_SESSION["UID"] != "")
        $UserID = $_SESSION["UID"];
}
if(!($UserID > 0)){
    echo 'error passing UserID';
    exit;
}
?>
<form name="FormSubmit" method="GET" action="<?php echo
$HTTP_SERVER_VARS['PHP_SELF'].'?'.SID; ?>">

In this form I have a select with a JavaScript function, as depending on the
first value I have to load a second select:
<select NAME="select1" ID="select1" onChange="FormSubmit.submit();">

Now, when I set the confidentiality to "high" or "block all cookies" in IE6,
as soon as the form is "submitted" by the value change (onChange), the
UserID is empty and I get the error message on the form.

What's wrong? The session ID should be saved on the server and passed by the
?SID, isn't it?

Please help.

Bob
May 21 '07 #1


C.
On 21 May, 09:30, "Bob Bedford" <b...@bedford.com> wrote:
Bob,

Try viewing the source of the page being generated.
<form name="FormSubmit" method="GET" action="<?php echo
$HTTP_SERVER_VARS['PHP_SELF'].'?'.SID; ?>">
This is wrong in so many ways:
1) you're using GET as the method on a URL which already contains GET vars
2) you're using the deprecated long variable names (HTTP_SERVER_VARS)
3) you're passing unvalidated/unescaped input back to the browser
4) you should be putting the session in your output
5) using trans_sids is less secure than cookies - it opens up your site to all sorts of attacks
6) if you're setting the config at runtime, presumably you've not checked that it doesn't try to set a cookie - if it does, the SID constant is blank.

I'd also suggest getting rid of session_cache_limiter() and rolling your own cache headers. It makes implementing mixed caching policy much easier if you only work to one model / API.

Go back and read the manual.

C.

May 21 '07 #2
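Added example, not code from either poster: a cookie-only rewrite of Bob's handler that applies the reply's points 1, 3, 5 and 6 (session started before any $_SESSION read, no session id in the URL, escaped output, fail-closed when the cookie is missing). It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the option values are made up.

```php
<?php
// Added example, not the thread's code. Cookie-only session handling that
// replaces the use_trans_sid / SID-in-action pattern discussed above.

// Harden the session before it starts: never accept or emit ids in URLs,
// and keep the cookie away from scripts and from plain-HTTP requests.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']), // assumes HTTPS in production
    'samesite' => 'Lax',
]);

// Start the session FIRST: $_SESSION is empty until this runs.
session_start();

// Reply point 6: if the browser blocked the cookie there is no session,
// so the UID check fails closed instead of relying on a blank SID.
$userId = isset($_SESSION['UID']) ? (int) $_SESSION['UID'] : 0;
if ($userId <= 0) {
    http_response_code(403);
    exit('error passing UserID');
}

// Reply point 1: with method="GET" the browser drops any query string in
// action=, so state travels in validated form fields, not in the URL.
$selected = (int) filter_input(INPUT_GET, 'select1', FILTER_VALIDATE_INT);

// Reply point 3: never echo server-supplied paths unescaped.
$action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');

// Constructed option list; a real page would derive it from $selected.
$options = [1 => 'Option A', 2 => 'Option B'];
?>
<form name="FormSubmit" method="GET" action="<?= $action ?>">
  <select name="select1" id="select1" onchange="this.form.submit();">
    <?php foreach ($options as $v => $label): ?>
    <option value="<?= $v ?>"<?= $v === $selected ? ' selected' : '' ?>>
      <?= htmlspecialchars($label, ENT_QUOTES, 'UTF-8') ?>
    </option>
    <?php endforeach; ?>
  </select>
</form>
```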
