very strange Session behaviour

**TheServant** · Nov 30 '09, 11:33 AM

You can completely disable URL SIDs by adding the following to your htaccess file:
php_value session.use_tra ns_sid 0
php_value session.use_onl y_cookies 1

From here. Apologies if you have already tried that.

**Dormilich** · Nov 30 '09, 11:40 AM

Apologies if you have already tried that.

yes, I’ve already tried that. but these option are overwritten when cookies are disabled in the browser (it all works well if cookies are enabled)

Code:

class Session
{
	/**
	 * @var (string) $ID            session ID
	 * @var (int) $uoc              session via cookie
	 * @var (bool) $clt             use URL for ID submit
	 * @var (bool) $cho             cookie script access
	 */
	protected static $ID = NULL;
	public static $clt   = 0; // cookie persistence time
	public static $uoc   = true; // SID only in cookie
	public static $cho   = true; // cookie not available for client scripts
	
	/**
	 * set php.ini values (cookie-only-session, magic gpc off) and
	 * begin/continue the session.
	 * 
	 * @param (int) $lifetime      session cache lifetime (min)
	 * @return (void)
	 */
	public function __construct(
		$lifetime = 30
	)
	{
		if (self::$ID === NULL)
		{
			ini_set('session.gc_maxlifetime',   $lifetime*60);
			ini_set('session.use_only_cookies', self::$uoc);
			ini_set('session.cookie_lifetime',  self::$clt);
			ini_set('session.cookie_httponly',  self::$cho);
			session_start();
			self::$ID = session_id();
		}
	}

// etc.

**Markus** · Nov 30 '09, 12:34 PM

That is strange behaviour - maybe you should open a bug.

**Dormilich** · Nov 30 '09, 12:36 PM

I have already done that (#50308).

**Dormilich** · Nov 30 '09, 02:15 PM

after some trials I found that if I add another attribute after the href, ID insertion works correct.

**Frinavale** · Dec 1 '09, 02:52 PM

Sorry for being such a newbie but does this happen with regular old PHP?
It seems really weird to me that it would do this.

In ASP.NET we have a web.config file where we can specify how Session behaves (could use cookieless session etc)

It seems very weird to me that PHP would put session identifiers into links etc on it's own.

Are you using some sort of PHP framework? Is that what's causing this?

-Frinny

**Dormilich** · Dec 1 '09, 04:08 PM

In ASP.NET we have a web.config file where we can specify how Session behaves (could use cookieless session etc)

how is a cookieless session done in ASP.NET?

It seems very weird to me that PHP would put session identifiers into links etc on it's own.

it does if there is no other possibility to keep the session. (if you don’t have cookies, where would you write the session id?)

**Frinavale** · Dec 1 '09, 04:12 PM

Cookieless sessions in ASP.NET put the session identifier into the URL. They are not secure because the identifier is in plain view...but people like to use them for insecure applications that allow more than one user to use the same session.

If you aren't using cookieless sessions in ASP.NET and cookies are turned off, then the ASP.NET application cannot use session. I still think it's very weird that PhP automatically assumes that you want to add the session identifier to links etc.

There must be a way to configure it not to do this.

**Dormilich** · Dec 1 '09, 04:21 PM

Cookieless sessions in ASP.NET put the session identifier into the URL.

the same as in PHP.

If you aren't using cookieless sessions in ASP.NET and cookies are turned off, then the ASP.NET application cannot use session.

PHP rather uses above method, than abandon the session (further code may depend on it)

it's very weird that PhP automatically assumes that you want to add the session identifier to links etc.

if you enable cookies, PHP won’t do this (unles you say so in php.ini)

**Frinavale** · Dec 1 '09, 04:32 PM

If I'm using session, and cookies have to be enabled to do so, I just write a simple JavaScript function that attempts to add a cookie. If the cookie can't be added then I display a message stating that the user has to enable cookies if they want to use the application.

Likewise I use the <noscript> tag to tell the user that they have to have JavaScript enabled (mainly because ASP.NET uses JavaScript to submit to the web server during certain client side events).

-Frinny

**Dormilich** · Dec 1 '09, 10:35 PM

it’s not as if I need the session (further, the session is deleted after half an hour). it just caches results from the page assembly. I can change that, if I’m able to do caching on the server. most people have cookies enabled anyways (and half the people use IE, which is not affected by this bug, because of its inability to use XHTML)

and I’m a fan of unobtrusive JavaScript.

very strange Session behaviour

very strange Session behaviour

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment