On Wed, August 16, 2006 10:56 pm, Michael B Allen wrote:
> On Thu, 17 Aug 2006 12:06:08 +1000
> Chris <dmagick@xxxxxxxxx> wrote:
>
>> Michael B Allen wrote:
>> > Searching through the logs and browsing my site (see sig) I sometimes see
>> > PHPSESSID is used as opposed to cookies. I know it's not simply that the
>> > client doesn't support cookies because I can see the same IP transition
>> > to and from using PHPSESSID. Can someone explain why this is happening?
>>
>> Is session.use_trans_sid switched on?
>
> Yes. It is. After reading about it I can't quite see what benefit it
> provides. Should I just turn it off?

If your userbase has been convinced by the idiot Media that Cookies are
Evil, you should just leave it on.

If you think COOKIES are somehow safer than GET args for data
transmission, turn it off. [*]

* Based on your Active Directory post, I'll assume you know COOKIE is as
amenable to sniffing as GET, and that the only potential differences are:

1. Users seldom export and forward Cookies, but often send URLs to
their friends.

2. The dumbest of the dumb can munge a URL. Altering a Cookie requires
poking around in the "Options..." in current browsers, or editing text
files in older browsers.

3. Cookies can be set to be transmitted ONLY via SSL, which is good.

4. In PHP 5, with browsers that support it, Cookies can be sent only
over HTTP... Though any Real Hacker (tm) could work around this anyway,
so it seems kinda pointless to me...

--
Like Music?
http://l-i-e.com/artists.htm
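Difference 1 in the reply above (URLs get forwarded, cookies seldom do) can be checked from the same access logs the original question mentions. The following is an added example, not part of the original thread: it lists session IDs that arrived in a URL and flags any ID presented by more than one client IP. The log lines, the function names and the Apache combined log format are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Aug/2006:10:01:00 +0000] "GET /index.php?PHPSESSID=aaa111 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Aug/2006:10:01:09 +0000] "GET /docs.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Aug/2006:10:05:00 +0000] "GET /cart.php?item=3&PHPSESSID=bbb222 HTTP/1.1" 200 734 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Aug/2006:11:30:00 +0000] "GET /cart.php?item=3&PHPSESSID=bbb222 HTTP/1.1" 200 734 "-" "Mozilla/5.0"
"""

# Client IP, then the request line's method and target (path plus query string).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def url_session_ids(log_text, name="PHPSESSID"):
    """Map each session ID that appeared in a URL to the client IPs that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        query = urlsplit(match.group("target")).query
        for sid in parse_qs(query).get(name, []):
            seen[sid].add(match.group("ip"))
    return dict(seen)


def shared_session_ids(log_text, name="PHPSESSID"):
    """Return only the URL-borne session IDs used by more than one client IP."""
    return {
        sid: sorted(ips)
        for sid, ips in url_session_ids(log_text, name).items()
        if len(ips) > 1
    }


if __name__ == "__main__":
    for sid, ips in shared_session_ids(SAMPLE_LOG).items():
        print(f"session {sid} presented in URL by: {', '.join(ips)}")
```

One ID seen from several addresses can also be a single user behind a changing proxy, so treat each hit as a lead to review rather than proof that a link was forwarded.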