*I'm really sorry for interrupting*

The session.use_trans_sid setting automatically adds

> sid=**(32-chars-sess-id)**

to the URLs of the website. It should solve your problem; try to use it if you have access to php.ini.

Otherwise, my suggestion is to forward a compiled (coded or something like that) version of the ID in all the links, URLs, and requests manually. You can also write the user IP and/or agent and/or system and/or other crap like that, and give each of them a unique ID that is forwarded within the links. In this way you can build up a login system that does NOT require sessions/cookies. All you have to do is, after the login is completed, forward a compiled string that contains some crap like an md5 of the user and pass with some salt, and check the string at each page (it can get hijacked quickly, but this is out of discussion).

Sorry for going off topic. I wrote that without any attention, so I'm sorry for anything that will mislead you in the wrong direction.

Hope it helps,
Nitsan

On 04/04/2008, Thiago Pojda <thiago.pojda@xxxxxxxxxxxxxxxxxx> wrote:
> From: Daniel Brown [mailto:parasane@xxxxxxxxx]
> Probably because of the fear of session hijacking and spoofing.
> The thing is, a handwritten cookie is just as effective for
> that, by changing the PHPSESSID (or equivalent). In any case,
> a 32-byte hexadecimal hash should be sufficient security for
> most sessions.
>
> </Daniel P. Brown>
>
> Yes, that's what they say.
>
> But anyway, adding that setting did not change a thing and I still can't see
> my sessid anywhere in my code.
>
> What will happen if I do it manually? Add the sessionid in a hidden input
> field in every form (I don't feel like doing it, but if I have to...) will
> do it?
>
> Sorry to be asking too much, but I can't seem to be able to test it and the
> docs are very poor for this.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
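
An added example, not code from anyone in this thread: the link-carried login token described in Nitsan's reply, written with HMAC-SHA-256 under a server-side key and an expiry time in place of the md5-plus-salt string, and bound to the client IP and user agent as the reply suggests. The function names, key, lifetime and sample values are assumptions made for the illustration; it needs PHP 7.1 or later.

```php
<?php
// Added example; function names, key and lifetime are assumptions, not from the thread.
const TOKEN_TTL = 900; // token lifetime in seconds (assumed value)
// Constructed demo key; a deployment would load a long random secret from configuration.
const SERVER_KEY = 'constructed-demo-key-do-not-reuse';

// Hash of the client attributes the reply suggests recording (IP and user agent).
function client_fingerprint(string $ip, string $agent): string
{
    return hash('sha256', $ip . "\n" . $agent);
}

// Token format: hex(user).expiry.mac, safe to append to links as a query parameter.
function issue_token(string $user, string $ip, string $agent, int $now): string
{
    $payload = bin2hex($user) . '.' . ($now + TOKEN_TTL);
    $mac = hash_hmac('sha256', $payload . '.' . client_fingerprint($ip, $agent), SERVER_KEY);
    return $payload . '.' . $mac;
}

// Returns the user name for a valid token, or null if it is malformed, expired,
// forged, or presented by a client with a different IP or user agent.
function verify_token(string $token, string $ip, string $agent, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userHex, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $userHex . '.' . $expires . '.' . client_fingerprint($ip, $agent), SERVER_KEY);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    $user = hex2bin($userHex);
    return $user === false ? null : $user;
}

// Constructed sample values (documentation IP ranges, made-up user agents).
$now = 1207267200;
$token = issue_token('alice', '192.0.2.10', 'DemoBrowser/1.0', $now);
var_dump(verify_token($token, '192.0.2.10', 'DemoBrowser/1.0', $now + 60));    // same client, in time
var_dump(verify_token($token, '198.51.100.7', 'OtherBrowser/2.0', $now + 60)); // link copied to another client
var_dump(verify_token($token, '192.0.2.10', 'DemoBrowser/1.0', $now + 3600));  // after expiry
```

A token carried in a URL is still exposed through Referer headers, server logs and shared links, so the expiry and client binding narrow the replay window rather than close it.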