RE: Re: session cookies enabled?

On 09 May 2007 16:36, ccspencer@xxxxxxxxxxxx wrote:

> Ford, Mike writes:
> 
> > > > You can also set up php.ini and use the built-in sessions with
> > > > http://php.net/session_start so that PHP will take care of this
> > > > for you.
> > > 
> > > That is what I was intending to do.  How do I find out
> > > whether or not the session cookie was accepted using the
> > > built-in sessions? I found no function for such a test.
> > 
> > Check the SID constant after you've done session_start(). If it has
> > an empty value, the session is using cookies; otherwise, it'll have
> > a value of the form 'sessionname=sessionid', which is what is
> > appended to the URL (or inserted in forms as a hidden value) to
> > propagate the session-id.
> 
> Interesting idea.
> 
> This brings up a question.  In order to decide whether to use cookies
> or SID the built-in sessions must be testing to see if the user's
> browser will accept the session cookies.  How do they do that?

By sending it out and checking to see whether it comes back on the next page.

Assuming your setup is:

session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = On

Then the sequence is this:

1. The first page involving a session will *both* send the cookie *and* append the SID to URLs in the page.

2. So the next page request will return the SID, and if cookies are enabled also the cookie.

3. On starting the session for this page, PHP will first look for the cookie: if it's present, its value will be used and SID defined as empty; if not, the browser must not be accepting cookies, so the value from the URL query string is used and SID is defined with the matching string.

4. PHP now knows whether cookies are in use *for this request*, and *either* sends the cookie *or* appends the SID to URLs in the page.

5. Requests from this page will thus *either* return the cookie *or* include the SID as a URL get parameter.

6. Go back to 3.

Note that with this setup, you will *always* get at least one request with the SID in the URL.  Any site that doesn't do this has use_only_cookies turned on or/and use_trans_sid turned off.

 
> If they do it by the "2 page", send a cookie and see if it comes
> back to the second page method we have been talking about, then
> somehow, they are surreptitiously inserting a forward to a
> nonexistent page!  Right?  How do they do that?

No, see above: they simply wait for the next regular page request to come in and see if the cookie came with it. Nothing surreptitious or super-clever.

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford,  Electronic Information Services Adviser,
JG125, The Headingley Library,
James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom
Email: m.ford@xxxxxxxxxxxxxx
Tel: +44 113 812 4730          Fax:  +44 113 812 3211 


To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
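
The sequence described in the message above, as an added example that is not part of the original post: a PHP page that reads SID after session_start() and separates the first request (where no id has arrived yet and SID is always non-empty) from later requests where the cookie either came back or did not. The helper name session_transport and the sample ids are hypothetical, and the three php.ini settings quoted in the message are assumed.

```php
<?php
// Added example, not from the original message. Assumes the php.ini values
// quoted there: session.use_cookies=On, session.use_only_cookies=Off,
// session.use_trans_sid=On.

/**
 * Hypothetical helper: report how the session id reached this request.
 * $sid is the SID constant read after session_start(); $cookies is $_COOKIE;
 * $params is $_GET + $_POST; $name is session_name().
 */
function session_transport(string $sid, array $cookies, array $params, string $name): string
{
    if ($sid === '' && isset($cookies[$name])) {
        return 'cookie';        // step 3: the cookie came back, SID is empty
    }
    if (isset($params[$name])) {
        return 'url';           // step 3: no cookie, id read from the URL or form
    }
    return 'first-request';     // step 1: no id arrived, so PHP sends both
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests; the ids are made up.
    $n = 'PHPSESSID';
    $cases = [
        'first visit'               => ['PHPSESSID=abc123', [], []],
        'second visit, cookies on'  => ['', [$n => 'abc123'], [$n => 'abc123']],
        'second visit, cookies off' => ['PHPSESSID=abc123', [], [$n => 'abc123']],
        'later visit, cookies on'   => ['', [$n => 'abc123'], []],
    ];
    foreach ($cases as $label => [$sid, $cookies, $params]) {
        printf("%-27s %s\n", $label . ':', session_transport($sid, $cookies, $params, $n));
    }
} else {
    session_start();
    $how = session_transport(SID, $_COOKIE, $_GET + $_POST, session_name());
    header('Content-Type: text/html; charset=utf-8');
    echo '<p>Session id source: ', htmlspecialchars($how), '</p>';
    // Relative link: with use_trans_sid on, PHP appends the SID when it is needed.
    echo '<p><a href="', htmlspecialchars(basename(__FILE__)), '">next request</a></p>';
}
```

Run it from the command line to see the constructed cases, or serve it and follow the link to watch the result change between the first and second request.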


