usage of session.cookie_secure

  • chotiwallah

    usage of session.cookie_secure

    i'm setting session.cookie_secure = "on" via .htaccess and it works -
    confirmed by phpinfo(). this i thought enforces a secure transmission
    of the session-id.

    as far as i can see, the session cookie gets set, but i don't seem to
    be able to store any vars in the session? am i missing something?

    any help appreciated, micha
  • R. Rajesh Jeba Anbiah

    #2
    Re: usage of session.cookie_secure

    chotiwallah@web.de (chotiwallah) wrote in message news:<782d6cb.0406240903.4d59fdbc@posting.google.com>...
    > i'm setting session.cookie_secure = "on" via .htaccess and it works -
    > confirmed by phpinfo(). this i thought enforces a secure transmission
    > of the session-id.
    >
    > as far as i can see, the session cookie gets set, but i don't seem to
    > be able to store any vars in the session? am i missing something?

    Are you sure that your pages are over HTTP_S_?

    --
    | Just another PHP saint |
    Email: rrjanbiah-at-Y!com

    • chotiwallah

      #3
      Re: usage of session.cookie_secure

      ng4rrjanbiah@rediffmail.com (R. Rajesh Jeba Anbiah) wrote in message news:<abc4d8b8.0406250143.12bc2c9d@posting.google.com>...
      > chotiwallah@web.de (chotiwallah) wrote in message news:<782d6cb.0406240903.4d59fdbc@posting.google.com>...
      > > i'm setting session.cookie_secure = "on" via .htaccess and it works -
      > > confirmed by phpinfo(). this i thought enforces a secure transmission
      > > of the session-id.
      > >
      > > as far as i can see, the session cookie gets set, but i don't seem to
      > > be able to store any vars in the session? am i missing something?
      >
      > Are you sure that your pages are over HTTP_S_?

      sorry for not answering for so long.

      well, the browser tells me that the session cookie is accepted only
      via a secure transmission.
      i did some more testing and noticed that the session-id in the cookie
      changes whenever i call the session again - i suppose it doesn't
      change on the server, and that's why the id's don't match and the
      variables don't get registered properly.

      so is the changing of the id part of the security or just weird
      behavior?

      micha

      • R. Rajesh Jeba Anbiah

        #4
        Re: usage of session.cookie_secure

        chotiwallah@web.de (chotiwallah) wrote in message news:<782d6cb.0406302219.3c3a6f6b@posting.google.com>...
        <snip>
        > well, the browser tells me that the session cookie is accepted only
        > via a secure transmission.

        You mean via https?

        > i did some more testing and noticed that the session-id in the cookie
        > changes whenever i call the session again - i suppose it doesn't
        > change on the server, and that's why the id's don't match and the
        > variables don't get registered properly.

        Have you enabled full error reporting? BTW, what is your version and OS?

        --
        | Just another PHP saint |
        Email: rrjanbiah-at-Y!com

        • chotiwallah

          #5
          Re: usage of session.cookie_secure

          ng4rrjanbiah@rediffmail.com (R. Rajesh Jeba Anbiah) wrote in message news:<abc4d8b8.0407010426.55e48505@posting.google.com>...
          > chotiwallah@web.de (chotiwallah) wrote in message news:<782d6cb.0406302219.3c3a6f6b@posting.google.com>...
          > <snip>
          > > well, the browser tells me that the session cookie is accepted only
          > > via a secure transmission.
          >
          > You mean via https?
          >
          > > i did some more testing and noticed that the session-id in the cookie
          > > changes whenever i call the session again - i suppose it doesn't
          > > change on the server, and that's why the id's don't match and the
          > > variables don't get registered properly.
          >
          > Have you enabled full error reporting? BTW, what is your version and OS?

          well, there are no error messages, the variables just don't register.

          whenever i enable session.use_trans_sid and the id gets transmitted
          via the url, the sessions work, because then the same id is used
          every time. i suppose that whenever i use secure session cookies and
          no trans_sid, the id on the server remains the same, while the id in
          the cookie changes with every session call, so they match for the
          first script, but not further.

          the whole thing is under php 4.2.2, apache 1.3.26 on linux knuth
          2.4.19

          • chotiwallah

            #6
            Re: usage of session.cookie_secure

            i just tested under php 4.2.3 on apache 1.3.24/win2k - same problem.

            • R. Rajesh Jeba Anbiah

              #7
              Re: usage of session.cookie_secure

              chotiwallah@web.de (chotiwallah) wrote in message news:<782d6cb.0407012208.4b59a4d9@posting.google.com>...
              > ng4rrjanbiah@rediffmail.com (R. Rajesh Jeba Anbiah) wrote in message news:<abc4d8b8.0407010426.55e48505@posting.google.com>...
              > > chotiwallah@web.de (chotiwallah) wrote in message news:<782d6cb.0406302219.3c3a6f6b@posting.google.com>...
              > > <snip>
              > > > well, the browser tells me that the session cookie is accepted only
              > > > via a secure transmission.
              > >
              > > You mean via https?
              > >
              > > > i did some more testing and noticed that the session-id in the cookie
              > > > changes whenever i call the session again - i suppose it doesn't
              > > > change on the server, and that's why the id's don't match and the
              > > > variables don't get registered properly.
              > >
              > > Have you enabled full error reporting? BTW, what is your version and OS?
              >
              > well, there are no error messages, the variables just don't register.
              >
              > whenever i enable session.use_trans_sid and the id gets transmitted
              > via the url, the sessions work, because then the same id is used
              > every time. i suppose that whenever i use secure session cookies and
              > no trans_sid, the id on the server remains the same, while the id in
              > the cookie changes with every session call, so they match for the
              > first script, but not further.
              >
              > the whole thing is under php 4.2.2, apache 1.3.26 on linux knuth
              > 2.4.19

              Unfortunately, you didn't answer my questions _or_ I couldn't
              understand your answers.

              1. Are your pages over httpS? If not, what do you mean by secure
              cookie transmission?
              2. Have you enabled full error reporting? If not, add the following
              two lines in the beginning of your script and then retry.
              error_reporting(E_ALL);
              ini_set('display_errors', 1);
              3. Post a small piece of your code which causes the problem.
              4. What is your client browser/OS?
              5. Post your session settings (found in INI file).

              I'm going for weekend rest; I'll be back Monday evening. If you post
              these details, I'm sure someone here might help you.

              --
              "Believe it or not, patriotism is one of the worst dividing forces"
              Email: rrjanbiah-at-Y!com

              • Droolboy

                #8
                Re: usage of session.cookie_secure

                chotiwallah@web.de (chotiwallah) wrote in message news:<782d6cb.0407012221.2253c69d@posting.google.com>...
                > i just tested under php 4.2.3 on apache 1.3.24/win2k - same problem.

                I assume secure cookies are only sent when you're using a https
                connection. E.g. if you use plain http, they never reach the client's
                browser.

                I may very well be wrong here, never seen anyone state what the secure
                flag means, but the questions from other people trying to help you
                seem to confirm this.

                • chotiwallah

                  #9
                  Re: usage of session.cookie_secure

                  test174_8@hotmail.com (Droolboy) wrote in message news:<36ae3a0c.0407040425.a714529@posting.google.com>...
                  > chotiwallah@web.de (chotiwallah) wrote in message news:<782d6cb.0407012221.2253c69d@posting.google.com>...
                  > > i just tested under php 4.2.3 on apache 1.3.24/win2k - same problem.
                  >
                  > I assume secure cookies are only sent when you're using a https
                  > connection. E.g. if you use plain http, they never reach the client's
                  > browser.
                  >
                  > I may very well be wrong here, never seen anyone state what the secure
                  > flag means, but the questions from other people trying to help you
                  > seem to confirm this.


                  well, i did some more reading...

                  it seems that secure session cookies work only if the whole page is
                  sent via https - which is exactly the thing i was trying to avoid.
                  nevertheless, thanks for all the help.

                  micha
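
The symptom traced in this thread, reproduced as an added example that is not part of any post: a cookie marked `secure` is withheld from plain-HTTP requests, so the server sees no session id and starts a new, empty session on every page load. Python's `http.cookiejar` stands in for the browser; `SessionServer`, `FakeResponse`, the host `shop.example` and `cart.php` are constructed for the illustration, and `PHPSESSID` is PHP's default session cookie name.

```python
import secrets
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


class FakeResponse:
    """CookieJar.extract_cookies() only needs .info() returning the headers."""
    def __init__(self, set_cookie=None):
        self._headers = Message()
        if set_cookie:
            self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


class SessionServer:
    """Hypothetical stand-in for a PHP app with session.cookie_secure = on."""
    def __init__(self):
        self.sessions = {}  # session id -> session variables

    def handle(self, request):
        cookie = request.get_header("Cookie", "")
        sid = cookie.partition("PHPSESSID=")[2].split(";")[0]
        set_cookie = None
        if sid not in self.sessions:
            # No known id came back: start a fresh session and issue a cookie.
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"hits": 0}
            set_cookie = f"PHPSESSID={sid}; path=/; secure"
        self.sessions[sid]["hits"] += 1
        return sid, self.sessions[sid]["hits"], FakeResponse(set_cookie)


def visit(scheme, requests=3):
    """Load the same page repeatedly; return [(session id, hits), ...]."""
    server, browser = SessionServer(), CookieJar()
    seen = []
    for _ in range(requests):
        req = urllib.request.Request(f"{scheme}://shop.example/cart.php")
        browser.add_cookie_header(req)      # Secure cookies are withheld on http
        sid, hits, resp = server.handle(req)
        browser.extract_cookies(resp, req)  # store any Set-Cookie from the reply
        seen.append((sid, hits))
    return seen


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, visit(scheme))
```

Over `http` every visit gets a different id and the counter never passes 1; over `https` the id is stable and the counter increments. Current browsers go one step further and refuse to store a `secure` cookie received over plain HTTP, which produces the same symptom.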
