-----Original Message-----
From: Nitsan Bin-Nun [mailto:nitsanbn@xxxxxxxxx]

<snip>
The session.use_trans_sid setting automatically adds
    sid=**(32-chars-sess-id)**
to the URLs of the website, it should solve your problem
</snip>

ME -> I added "session.use_trans_sid = 1" to the beginning of my php.ini file and I don't see that sid parameter in any $_GET value.
ME -> Nothing has changed, nothing. :/
ME -> Will I have to use url_rewrite()? Is that what Daniel was talking about?

try to use it if you have access to php.ini
otherwise, my suggestion is to forward a compiled (coded or something like that)

<SNIP>
you should forward a compiled string that contains some crap like a md5 of the user and pass with some salt and check the string at each page (it can get hijacked quickly but this is out of discussion).

ME -> That sounds good, but too much effort to rebuild all hrefs. The system is quite big for that.

sorry for going out of the topic, I wrote that without any attention so I'm sorry for anything that will mislead you in the wrong direction, hope it helps,

Nitsan

ME -> That was not OT, and quite good to know :)

Thanks,
Thiago

{As of now, I'm only going to top post :)}

On 04/04/2008, Thiago Pojda <thiago.pojda@xxxxxxxxxxxxxxxxxx> wrote:
>
> From: Daniel Brown [mailto:parasane@xxxxxxxxx]
> Probably because of the fear of session hijacking and spoofing.
> The thing is, a handwritten cookie is just as effective for that, by
> changing the PHPSESSID (or equivalent). In any case, a 32-byte
> hexadecimal hash should be sufficient security for most sessions.
>
> </Daniel P. Brown>
>
>
> Yes, that's what they say.
>
> But anyway, adding that setting did not change a thing and I still
> can't see my sessid anywhere in my code.
>
> What will happen if I do it manually? Add the sessionid in a hidden
> input field in every form (I don't feel like doing it, but if I have
> to...) will do it?
>
> Sorry to be asking too much, but I can't seem to be able to test it
> and the docs are very poor for this.
>
>
> --
> PHP General Mailing List (http://www.php.net/) To unsubscribe, visit:
> http://www.php.net/unsub.php