Securing PHP Sessions Without Relying on Cookies

Posted on 2004-04-06
Last Modified: 2011-09-20
Hi,

I am fairly new at PHP programming, so please bear this in mind!

I have created a website in PHP that uses standard session code that, if cookies are not enabled, tags the session to the URL. The problem that this presents is that if a logged-in user sends the URL to another user, with the tagged session attached to the URL, the new user will have access to the user's session and therefore be able to access the user's profile etc. The only way I can fix this is stopping the session being carried in the URL. Users therefore have to have cookies enabled to use the site (login), which is not entirely desirable.

Is there a secure way to pass the session data between pages without running the risk of users giving away their session data?

Thanks

JKNA_Chaps
Question by:JKNA_Chaps
Accepted Solution

by: Asta Cu (earned 375 total points)
ID: 10765565
Have you searched our database here in the PHP Topic Area specifically to see if this has already been solved?

Does this rather interesting workaround to session cookies help you at all?

The following describes the easiest way I have found to force users to log into an ASP.NET website for each session but not require them to accept cookies. You must do the following things.

Create a Web.config file with the appropriate entries to allow session state management.
Create a well formed Global.asax file with the code below included in it.
Create a login page to authenticate users against a database or whatever method you desire.
More here.
http://www.codeproject.com/aspnet/NoCookieSessionLogin.asp

----

Session cookies are deleted when the browser is closed, but while in session, the problem you see if left logged in.

----

I also found the following article enlightening in researching your question, and hope it adds value for you as well:
Note: Session handling was added in PHP 4.0.

Sessions and security and much more here:
http://www.phpfreaks.com/phpmanual/page/ref.session.html
Expert Comment

by:Asta Cu
ID: 10765577
Meant to include this synopsis from the above link... Session support is enabled in PHP by default. If you would not like to build your PHP with session support, you should specify the --disable-session option to configure.

Expert Comment

by:Asta Cu
ID: 10774623
Thank you, I'm pleased to have been of some help to you. Hopefully the next time we meet, I can provide you with what you deem to be "A" level support.
":0)
Asta
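
Added example, not from the thread or its participants: one way to keep PHP's URL-carried session IDs, as the question requires, while making a forwarded link of little use to its recipient by binding the session to the browser that logged in and expiring idle sessions. The function names, `IDLE_LIMIT` and the User-Agent/Accept-Language fingerprint are assumptions, and the binding is coarse: a recipient with an identical browser and language setting still matches.

```php
<?php
// Added example. Assumed names: IDLE_LIMIT, client_fingerprint(), session_state(), login().

ini_set('session.use_cookies', '0');       // cookieless, as in the question
ini_set('session.use_only_cookies', '0');  // accept the ID from the URL
ini_set('session.use_trans_sid', '1');     // PHP appends the ID to relative links
ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
const IDLE_LIMIT = 900;                    // seconds of inactivity allowed (assumed value)

// Coarse, non-secret binding to the browser that logged in.
function client_fingerprint(array $server): string
{
    return hash('sha256', ($server['HTTP_USER_AGENT'] ?? '') . "\0"
        . ($server['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}

// Returns 'anonymous', 'foreign', 'expired' or 'ok'.
function session_state(array $session, array $server, int $now): string
{
    if (empty($session['user_id'])) {
        return 'anonymous';
    }
    if (!hash_equals($session['fp'] ?? '', client_fingerprint($server))) {
        return 'foreign';
    }
    return ($now - ($session['last_seen'] ?? 0)) > IDLE_LIMIT ? 'expired' : 'ok';
}

// Call only after the credentials have been verified.
function login(int $userId): void
{
    session_regenerate_id(true); // fresh ID at login, old session data deleted
    $_SESSION = ['user_id' => $userId, 'fp' => client_fingerprint($_SERVER),
                 'last_seen' => time()];
}

session_start();
header('Referrer-Policy: no-referrer'); // keep the ID out of Referer headers

switch (session_state($_SESSION, $_SERVER, time())) {
    case 'ok':
        $_SESSION['last_seen'] = time();
        break;
    case 'foreign': // forwarded link: refuse it, leave the owner's session intact
        session_abort();
        http_response_code(403);
        exit('This link is tied to another browser. Please log in.');
    case 'expired':
        $_SESSION = [];
        session_destroy();
}
```

PHP 8.4 deprecates changing `session.use_only_cookies` and `session.use_trans_sid`, so this pattern applies to older deployments that cannot require cookies.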