why use session id in URL?

  • crescent_au@yahoo.com

    why use session id in URL?

    Hi all,

    I am creating a login system. I am using sessions. It's working fine. I
    have seen some login systems where they pass session id as part of URL.
    I am not doing it in my login system but it's working fine. I just
    wanted to know why is it necessary to pass session id by URL? I have
    chosen not to do it. Am I missing something?

  • Gzornenplat

    #2
    Re: why use session id in URL?

    If you use the url, you don't need cookies turned on

    Ian



    crescent_au@yahoo.com wrote:
    > Hi all,
    >
    > I am creating a login system. I am using sessions. It's working fine. I
    > have seen some login systems where they pass session id as part of URL.
    > I am not doing it in my login system but it's working fine. I just
    > wanted to know why is it necessary to pass session id by URL? I have
    > chosen not to do it. Am I missing something?

    • Benjamin

      #3
      Re: why use session id in URL?


      crescent_au@yahoo.com wrote:
      > Hi all,
      >
      > I am creating a login system. I am using sessions. It's working fine. I
      > have seen some login systems where they pass session id as part of URL.
      > I am not doing it in my login system but it's working fine. I just
      > wanted to know why is it necessary to pass session id by URL? I have
      > chosen not to do it. Am I missing something?

      The PHP session system uses cookies to track users by default. (The
      browser sends a cookie created by PHP with a phrase PHP can use to
      look up user information). If PHP can't use cookies (i.e. you set
      it), it tags the session ID along on every URL. You're not missing out
      on anything. Cookies are actually preferred because they are more secure
      and make URLs look better.

      • J.O. Aho

        #4
        Re: why use session id in URL?

        crescent_au@yahoo.com wrote:
        > I am creating a login system. I am using sessions. It's working fine. I
        > have seen some login systems where they pass session id as part of URL.
        > I am not doing it in my login system but it's working fine. I just
        > wanted to know why is it necessary to pass session id by URL? I have
        > chosen not to do it. Am I missing something?

        As not everyone uses cookies, as they are so commonly used to track what sites
        a person visits, so cookie based sessions won't work for everyone.


        //Aho

        • Curtis

          #5
          Re: why use session id in URL?

          That's a good point.

          Although PHP will attempt to use session cookies by default, it will
          rewrite links and form submissions if cookies are unable to be set. You
          should note that it uses & in the querystring, which will break an
          XHTML document served as application/xhtml+xml. You can change that in
          php.ini. Under data handling, the arg_separator.output field can be
          changed to &amp;, if so desired.

          Curtis

          On Nov 26, 10:04 pm, "J.O. Aho" <u...@example.net> wrote:
          > crescent...@yahoo.com wrote:
          > > I am creating a login system. I am using sessions. It's working fine. I
          > > have seen some login systems where they pass session id as part of URL.
          > > I am not doing it in my login system but it's working fine. I just
          > > wanted to know why is it necessary to pass session id by URL? I have
          > > chosen not to do it. Am I missing something?
          >
          > As not everyone uses cookies, as they are so commonly used to track what sites
          > a person visits, so cookie based sessions won't work for everyone.
          >
          > //Aho

          • dimo414

            #6
            Re: why use session id in URL?

            Most everyone uses cookies; it makes url's easier to manage and read.
            Another problem pops up when people who don't understand session ids
            (most everyone) send a link to someone else - the session ID is
            transmitted too, and suddenly they're logged in on someone else's
            account.

            phpBB uses cookies to store its session ids. However when you're
            logged into the admin control panel, the session id is stored in the
            url (and I would assume, the cookie too) this is presumably an
            additional security feature.

            "As not everyone uses cookies, as they are so commonly used to track
            what sites a person visits, so cookie based sessions won't work for
            everyone."

            While there are certainly people who don't allow any cookies, these
            people are more than used to having websites not work. There is no
            reason to cater to a group like that.

            • J.O. Aho

              #7
              Re: why use session id in URL?

              dimo414 wrote:
              > > "As not everyone uses cookies, as they are so commonly used to track
              > > what sites a person visits, so cookie based sessions won't work for everyone."
              > While there are certainly people who don't allow any cookies, these
              > people are more than used to having websites not work. There is no
              > reason to cater to a group like that.

              There are "firewalls" which filter away cookies, as a default setting, which
              can make the user unaware that they don't use cookies.

              A site that can work under different circumstances is a well done site, while
              a site that requires that everyone has X and feature Y is a badly done site, and
              we shouldn't even talk about sites that by default make users of Z unable to
              use them.


              //Aho

              • Gordon Burditt

                #8
                Re: why use session id in URL?

                >Most everyone uses cookies; it makes url's easier to manage and read.

                Surfers do not unblock cookies "because it makes url's easier to
                manage and read". Surfers do not manage URLs and only rarely read
                them. They may unblock cookies but not for that reason. Webmasters
                do not get to unblock cookies for surfers, except perhaps for making
                the site unusable without them, in which case many surfers will
                just leave.

                >Another problem pops up when people who don't understand session ids
                >(most everyone) send a link to someone else - the session ID is
                >transmitted too, and suddenly they're logged in on someone else's
                >account.

                Webmasters who don't time out sessions are asking for trouble here.
                Although the problem can still exist, even a 2-hour timeout (restarted
                every time a user reloads a page) can prevent a lot of problems with
                URLs posted to USENET.

                >phpBB uses cookies to store its session ids. However when you're
                >logged into the admin control panel, the session id is stored in the
                >url (and I would assume, the cookie too) this is presumably an
                >additional security feature.
                >
                >"As not everyone uses cookies, as they are so commonly used to track
                >what sites
                >a person visits, so cookie based sessions won't work for everyone."
                >While there are certainly people who don't allow any cookies, these
                >people are more than used to having websites not work. There is no
                >reason to cater to a group like that.
                >
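
The two mitigations raised in this thread, as an added PHP example that is not part of any post: keep the session ID in a cookie rather than the URL (#3, #6) and expire idle sessions on a restarting 2-hour clock (#8). The names IDLE_LIMIT, touch_session(), on_login(), the session keys and /login.php are assumptions, and the site is assumed to be served over HTTPS.

```php
<?php
declare(strict_types=1);

// Added example. IDLE_LIMIT, touch_session(), on_login() and the
// 'last_seen' / 'user_id' keys are names assumed for illustration.
const IDLE_LIMIT = 7200; // 2 hours, restarted on every page load (post #8)

// Keep the session ID out of URLs: cookie only, no link rewriting.
// The first two values are already the defaults in current PHP.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
session_set_cookie_params([
    'lifetime' => 0,      // dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/** Returns false if the session sat idle too long; otherwise restarts the clock. */
function touch_session(int $now): bool
{
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && $now - $last > IDLE_LIMIT) {
        $_SESSION = [];                       // wipe server-side data
        setcookie(session_name(), '', ['expires' => 1, 'path' => '/']);
        session_destroy();                    // a pasted or stale ID is now useless
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

/** Call after the password check succeeds. */
function on_login(int $userId): void
{
    session_regenerate_id(true);  // fresh ID at login; the old one is deleted
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

if (!touch_session(time())) {
    header('Location: /login.php'); // hypothetical login page
    exit;
}
```

With session.use_trans_sid off, PHP does not append the session ID to links, so a client that refuses cookies gets no session at all, which is the trade-off argued over in #4, #6 and #7.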
