RE: About Session And Cookies


If cookies are not available, you can either

hide the id in a hidden form field element
or
enable trans_sid to automatically pass the session id in the URL.
Bastien

> From: warren@xxxxxxxxxxxx
> To: kelvinpark86@xxxxxxxxx; php-general@xxxxxxxxxxxxx
> Date: Fri, 17 Aug 2007 17:03:54 -0700
> Subject: RE: About Session And Cookies
>
> Kelvin,
>
> Sessions are just one of the items recommended for an e-commerce website. I seem to recall that if cookies were not enabled that there was a way of passing the session id in the URL as a "Get" parameter.
>
> Basically you will store the items to be purchased in a special table and a shopper ID or cart ID number will be assigned with the first selected item and needs to be retained to be able to recall the selected items when the shopper is ready to check out. A session variable is a good place to store this id, but it could also be passed in the form as a hidden field. A session is also a convenient way of providing a generic storage of the items to be purchased; a separate table is possibly more common. You don't have to be too concerned about security up to the point where someone begins to check out, when you begin gathering personal information from the buyer. Give it some thought, but I suspect in most cases that if someone were to capture a session at this point, the worst that could happen is they would both order and pay for the same items.
>
> When you gather personal information it becomes a different matter, and at this point I would first recommend you consider passing your order items to a resource like PayPal and let them collect the personal information. If that is not possible you will want to switch to SSL communication with the browser before you present your form for the personal information, and even in this mode I would recommend that if you detect errors on the form and need to re-present the form for the buyer to correct info, toss away the credit card info and have them re-enter it. You do not want to store this in your session, or anywhere on your system without really secure encryption (I'm talking about the DB side here, not the SSL channel to the browser).
>
> Once you begin collecting personal information (and this is not limited to the obvious like social security numbers), you should make sure the session cannot be hijacked, to prevent identity theft; this is where cookies work so well. Anyone who doesn't allow cookies is forcing you into a situation where you must expose their session information in the URL or a hidden field on the form where it can be hijacked, in which case I would refuse to have them as a customer; it's not worth the risk.
>
> Hope this helps,
>
> Warren
>
> -----Original Message-----
> From: Kelvin Park [mailto:kelvinpark86@xxxxxxxxx]
> Sent: Friday, August 17, 2007 3:02 PM
> To: php-general@xxxxxxxxxxxxx
> Subject: About Session And Cookies
>
> I am trying to set up a secure login system.
> I've heard that if I use just cookies for login, members without cookies turned on won't be able to see the member pages.
>
> Is using session recommended for e-commerce websites with shopping carts? Or, using both of them might be more effective in some way.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
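An added example in PHP, not from anyone in this thread, showing the cookie-only session configuration that addresses Warren's hijacking concern (the opposite of the trans_sid fallback Bastien mentions) and a session id regeneration at the point where the shopper moves from the cart into checkout. It assumes PHP 7.3 or later and runs before any output; the cart and checkout step names are illustrative.

```php
<?php
// Added example: session hardening for a shopping cart that moves into checkout.
// Assumed: PHP >= 7.3, executed before any output on every page.

// Weak setting (what enabling trans_sid amounts to): the session id is appended
// to every URL and form, so it ends up in server logs, Referer headers and
// browser history, where anyone who reads them can reuse it.
//   ini_set('session.use_trans_sid', '1');
//   ini_set('session.use_only_cookies', '0');

// Hardened setting: the id travels only in a cookie that JavaScript cannot read
// and that the browser sends only over HTTPS.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1'); // reject ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // HTTPS only
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Browsing the cart is the low-risk phase Warren describes: the session holds
// only item ids and quantities, never personal data.
function add_to_cart(string $sku, int $qty): void
{
    $_SESSION['cart'][$sku] = ($_SESSION['cart'][$sku] ?? 0) + $qty;
}

// Entering checkout is where personal data starts to be collected, so the
// session must stop being reusable by anyone who captured the earlier id.
function enter_checkout(): void
{
    if (empty($_SESSION['cart'])) {
        return; // nothing to check out
    }
    if (empty($_SESSION['checkout_started'])) {
        session_regenerate_id(true); // issue a fresh id and delete the old one
        $_SESSION['checkout_started'] = time();
    }
    // Card details are never written to $_SESSION; the checkout form posts them
    // directly to the payment processor over TLS, as the thread suggests.
}

add_to_cart('EXAMPLE-SKU-1', 2); // constructed sample item
enter_checkout();
```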
