Solved

Securing PHP Sessions Without Relying on Cookies

Posted on 2004-04-06
Last Modified: 2011-09-20
Hi,

I am fairly new at PHP programming so please bear this in mind!

I have created a website in PHP that uses standard session code that, if cookies are not enabled, tags the session to the URL. The problem that this presents is that if a logged-in user sends the URL to another user - with the tagged session attached to the URL - the new user will have access to the user's session and therefore be able to access the user's profile etc. The only way I can fix this is stopping the session being carried in the URL. Users therefore have to have cookies enabled to use the site (login) - not entirely desirable.

Is there a secure way to pass the session data between pages without running the risk of users giving away their session data?

Thanks

JKNA_Chaps
Question by:JKNA_Chaps
LVL 27

Accepted Solution

by:
Asta Cu earned 125 total points
ID: 10765565
Have you searched our database here in the PHP Topic Area specifically to see if this has already been solved?

Does this, rather interesting,  workaround to session cookies help you at all?

The following describes the easiest way I have found to force users to log into an ASP.NET website for each session but not require them to accept cookies. You must do the following things.

Create a Web.config file with the appropriate entries to allow session state management.
Create a well formed Global.asax file with the code below included in it.
Create a login page to authenticate users against a database or whatever method you desire.
More here.
http://www.codeproject.com/aspnet/NoCookieSessionLogin.asp

----

Session cookies are deleted when browser is closed, but while in session, the problem you see if left logged in.

----

I also found the following article enlightening in researching your question, and hope it adds value for you as well:
Note: Session handling was added in PHP 4.0.

Sessions and security and much more here:
http://www.phpfreaks.com/phpmanual/page/ref.session.html
0
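
Added example, not part of the original thread or the linked articles: one way to limit what a forwarded URL gives away when the session ID still travels in the link, by tying the session to the browser that logged in and expiring it when idle. The function names, the `IDLE_LIMIT` value and the User-Agent fingerprint are assumptions made for illustration; the fingerprint is not unique per user, so this narrows reuse of a shared link rather than preventing it, and `session.use_only_cookies=1` remains the setting that keeps the ID out of URLs altogether.

```php
<?php
// Added example, not code from the thread. IDLE_LIMIT and all function
// names are assumptions made for illustration.
const IDLE_LIMIT = 900; // seconds a session may sit unused (assumed value)

// Hash of the User-Agent seen at login. It is not unique per user, so it
// only narrows who can reuse a forwarded URL; it does not prevent reuse.
function client_fingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

// Pure check: does this request belong to the client that logged in?
function session_is_valid(array $session, array $server, int $now): bool
{
    if (!isset($session['fingerprint'], $session['last_seen'])) {
        return false; // nobody has logged in on this session
    }
    if ($now - $session['last_seen'] > IDLE_LIMIT) {
        return false; // old link: treat as expired
    }
    return hash_equals($session['fingerprint'], client_fingerprint($server));
}

// Call at the top of every page. Returns true when the visitor is logged in.
// Works whether the ID arrives in a cookie or, as in the question, in the URL.
function start_bound_session(): bool
{
    session_start();
    if (!session_is_valid($_SESSION, $_SERVER, time())) {
        session_abort();  // close without saving; the owner's stored data is untouched
        $_SESSION = [];   // this request sees no profile data
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Call only after the password check has succeeded.
function login_user(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh ID at login; the old one is deleted
    $_SESSION = [
        'user_id'     => $userId,
        'fingerprint' => client_fingerprint($_SERVER),
        'last_seen'   => time(),
    ];
}
```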
 
LVL 27

Expert Comment

by:Asta Cu
ID: 10765577
Meant to include this synopsis from the above link....  Session support is enabled in PHP by default. If you would not like to build your PHP with session support, you should specify the --disable-session option to configure.

0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 10774623
Thank you, I'm pleased to have been of some help to you.  Hopefully the next time we meet, I can provide you with what you deem to be "A" level support.
":0)
Asta
0
