Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
445 views
in Technique[技术] by (71.8m points)

php session.use_trans_sid

I am not clear on the meaning and usage of php's session.use_trans_id .

On the online documentation, it says:

the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically. Does this mean it will ALWAYS add the session id? Or only when cookies are not working?

Will it automatically add it to javascript's window.location or ajax calls?

Also, in the php.ini file, it says:

trans sid support is disabled by default.
Use of trans sid may risk your users security.
Use this option with caution.
 - User may send URL contains active session ID
   to other person via. email/irc/etc.
 - URL that contains active session ID may be stored
   in publically accessible computer.
 - User may access your site with the same session ID
   always using URL stored in browser's history or bookmarks.
 http://php.net/session.use-trans-sid

I'm confused, the online docs said that Unless you are using PHP 4.2.0 or later, you need to enable it manually. So why would it be disabled by default? (I'm using php 5).

Also, isn't this feature NECESSARY to handle users with cookies disabled?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

"Does this mean it will ALWAYS add the session id? Or only when cookies are not working?"

  • Only when cookies are not working. Plus, if both session.use_trans_sid and session.use_cookies are 1, then session.use_only_cookies decides: 1 will disable URL-rewriting. See this nice article.

"Will it automatically add it to javascript's window.location or ajax calls?"

  • No. PHP does not know what Ajax is, it just rewrites literal URLs in its page output buffer (note how any linked scripts will break the session as soon as they have a hardcoded URL to the site).

"Unless you are using PHP 4.2.0 or later, you need to enable it manually"

  • That (indeed confusingly) meant recompiling PHP < 4.2. For PHP5, it's just disabled in the config (for reasons you quoted from php.ini).

"Also, isn't this feature NECESSARY to handle users with cookies disabled?"

  • Yes, it is. (Unless you provide some custom Javascript + PHP solution for some highly special case with crippled usability & generous trade-offs.)

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...