
This is a discussion on Session/cookie hell on earth in the Shared & Semi-Dedicated forum

  1. #1
    Loyal Client
    Join Date
    Aug 2002
    Posts
    269

    Session/cookie hell on earth

    Ok, I'm fairly new to PHP. I'm trying to create a shopping cart program using session variables. Everything works great... for me. When I was finally ready to unveil it for the big boss he says he couldn't log on. I was perplexed. The login portion was really simple.

    So I kind of heard or read a little something somewhere that said sessions use cookies. I set my privacy level in my IE browser to not allow any cookies and sure enough I couldn't log on either. Whether my boss had his settings like this, or he was behind a firewall (he's at a fairly large company), I don't know. All I know is that now I have to come up with some solution.

    Is there a way to maintain "state" without using sessions or cookies? Is there a way to use sessions without cookies? Some have said if your cookies are disabled that the session ID will be put in the URL. This isn't happening on my end. Is this something I have to manually check for and put into the URL?

    As you can see I'm a little lost here. Any help would be much appreciated.

    Sam

  2. #2
    Just Walking...
    Join Date
    Oct 2002
    Location
    England
    Posts
    436
    PHP sessions use a fallback system. I was going to type out an explanation, but why bother when so many sites out there already explain it better than I could? So I quote:

    There are two methods to propagate a session id:

    Cookies

    URL parameter

    The session module supports both methods. Cookies are optimal, but since they are not reliable (clients are not bound to accept them), we cannot rely on them. The second method embeds the session id directly into URLs.

    PHP is capable of doing this transparently when compiled with --enable-trans-sid. If you enable this option, relative URIs will be changed to contain the session id automatically. Alternatively, you can use the constant SID which is defined, if the client did not send the appropriate cookie. SID is either of the form session_name=session_id or is an empty string.
    If you are testing the script on a Jag server just open a ticket and they'll make sure that PHP is compiled with --enable-trans-sid. (You could check yourself first with phpinfo().)

  3. #3
    Loyal Client
    Join Date
    Aug 2002
    Posts
    269
    Well thanks for your help, but I'm still about ready to pull my hair out. I ran phpinfo() and session.use_trans_sid is already on. I didn't have to ask. It looks like it's on for everyone.

    session.use_cookies On On
    session.use_only_cookies Off Off
    session.use_trans_sid On On

    So here's what I did. I created two php files... page1.php and page2.php. I also set my browser to not accept any cookies from anyone. 100% off. Then closed it and re-opened it and went to:

    page1.php

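    <?php
    session_start();                // resume the session if an ID arrives, otherwise start a new one
    session_register("testvar");    // needs register_globals; session_register() was removed in PHP 5.4
    $testvar = "Apple";
    ?>
    <html>
    <head>
    <title>Untitled</title>
    </head>
    <body>
    Page 1<br>
    <?php
    print session_save_path() . "<br>";   // directory holding the session files
    print session_id() . "<br>";          // ID of the session this request is using
    print $testvar;
    ?>
    </body>
    </html>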

    Page 2 is identical except that I commented out lines 2 and 3.

    The result I get for page1 is:

    Page 1
    /tmp
    2406abd079e5e7b044dee98238e457b8
    Apple

    The address bar of my browser simply has the page1.php address in it. NO session ID embedded.

    When I run Page 2, it's identical except $testvar is empty now.

    I understand why the session variable didn't show up, but I expected the ID not to show up either. How did the session ID show up without cookies? Where was it stored? And how do I use session variables with cookies blocked? And if cookies are disabled yet the session ID is still coming through, why would I EVER need to have the session ID embedded in the URL?

    Very confused!

  4. #4
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Are you sure that the Session ID is identical on both pages? Page two may be generating a new, but very similar, ID. If the session ID was the same, you should have seen the value of $testvar on Page 2.

    Every time you call session_start() PHP looks for an existing Session ID. If it finds one, it loads the stored variables into your script. If it can't find one it creates a new one. I believe PHP uses the uniqid() function, which is based on the current time, to generate the session ID, so it is very likely that two IDs generated within a short period of time will only have one or two characters difference between them.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  5. #5
    Loyal Client
    Join Date
    Aug 2002
    Posts
    269
    Ahhh you're right! The sessions were different. I didn't realize that. So what is my next step? How do I maintain "state" between pages with cookies not being accepted AND session.use_trans_sid being turned ON but apparently not putting the session in the URL automatically?

    I'd prefer to use session variables, but if it isn't possible, I guess I can use some kind of "key" in association with a MySQL database or something.

    Can I just create my own random "session ID" number, and use that in a database? I guess I'd have to do cleanup periodically though. Just thinking out loud.

    Sam

  6. #6
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Try this: on page 1, add a standard HTML <a> link to page 2, something like <a href="page2.php">Page 2</a>. See if the SID is inserted into that automatically. Try putting it outside of <? and ?> tags as well as inside with print() or echo(). If all goes as it should, the session id that you generate on page 1 should automatically be inserted into the link.

    If that doesn't work, try using the following:

    echo("<a href=\"page2.php?" . SID . "\">Page 2</a>");

    That should force the Session ID into your links.

    As for your other thought, creating your own sessions is a possibility, too. I've done it a few times myself. The easiest way to create your session ids is to use the uniqid() function or make an md5 hash of the current time (ex: md5(time())). If you do that you'll have to make sure that you pass the id in every link and form on your site, whereas with PHP's session handling it should take care of that for you.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
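
An added example, not part of the original posts: one way to build the database-backed session IDs discussed above, drawing each ID from PHP's CSPRNG (random_bytes(), PHP 7+) instead of the clock, because an ID derived from time() or uniqid() can only take values that correspond to moments near when it was issued. The table name, the function names and the in-memory SQLite database (standing in for the MySQL table Sam mentions) are assumptions made for the example.

```php
<?php
// Added example; cart_sessions and all function names are hypothetical.

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');   // assumption: stands in for a MySQL table
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cart_sessions (
        id_hash TEXT PRIMARY KEY,
        data    TEXT NOT NULL,
        expires INTEGER NOT NULL)');
    return $db;
}

// Create a session and return the ID that is handed to the client.
function create_session(PDO $db, array $data, int $ttl = 1800): string {
    $id = bin2hex(random_bytes(32));    // 256 bits from the OS CSPRNG
    // Only a hash of the ID is stored, so a leaked table does not yield usable IDs.
    $stmt = $db->prepare('INSERT INTO cart_sessions VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $id), json_encode($data), time() + $ttl]);
    return $id;
}

// Look up a client-supplied ID; null when it is malformed, unknown or expired.
function load_session(PDO $db, string $id): ?array {
    if (!preg_match('/\A[0-9a-f]{64}\z/', $id)) {
        return null;                    // not shaped like an ID this code issues
    }
    $stmt = $db->prepare(
        'SELECT data FROM cart_sessions WHERE id_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $id), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : json_decode($row['data'], true);
}

// The periodic cleanup: delete expired rows, return how many were removed.
function purge_expired(PDO $db): int {
    $stmt = $db->prepare('DELETE FROM cart_sessions WHERE expires <= ?');
    $stmt->execute([time()]);
    return $stmt->rowCount();
}

// Demo with constructed data.
$db   = open_store();
$sid  = create_session($db, ['testvar' => 'Apple']);
$old  = create_session($db, ['testvar' => 'Pear'], -1);  // issued already expired
var_dump(load_session($db, $sid));                       // valid ID
var_dump(load_session($db, md5((string) time())));       // clock-derived guess
var_dump(load_session($db, $old));                       // expired ID
var_dump(purge_expired($db));                            // cleanup count
```

Whichever way the ID reaches the server, an ID carried in a link also ends up in browser history, server logs and Referer headers, so a short expiry and a fresh ID after login matter more for URL-propagated sessions than for cookie-based ones.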

  7. #7
    Loyal Client
    Join Date
    Aug 2002
    Posts
    269
    Well sure enough that did it! Actually all the different methods you suggested did it. The one adding the SID had the PHPSESSID in the url twice.

    The weird thing is the first time I loaded page1.php and clicked on the link, it sent the ID. When I went from page2 back to one it didn't. Then I realized I was accepting all cookies (as usual). When I blocked all, then they went back and forth every time.

    Thanks so much for the help!
    Sam

  8. #8
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    You're welcome. Glad you got it figured out.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
