PHPSESSID and Internet Explorer

Hello,

Some of you know the problem about the phpsessid in IE:

Every windows gets his own ID that will say there are several sessions at the same time (very bad)
what is the best way to solve this?

set a cookie like:

Code:

<?php
if(!$_COOKIE['PHPSESSID']) setcookie("PHPSESSID",  session_id());

or using this directive:
session.use_only_cookies

or something different?

[Join us @ facebook]

I had the same problem too, but I haven't looked at it yet.

I will post you when I check this out.

There are only new session id's for new windows if they are opend f.e. via the shortcut on your desktop. If you navigate through a link (tartget=blank) then the same ID is used. Is this a problem for IE users?

[Join us @ facebook]

I am not sure this is happening.

At least I have used sites with new window links that kept the session.

I am not sure this is happening.

At least I have used sites with new window links that kept the session.

This is what I say a link opened in  a new window is OK but if you open a new window bij clicking the blue E and entering the same website via the address bar it goed wrong.

[Join us @ facebook]

Oh, I see.

The only thing you can do about that is managing sessions with cookies (I mean with real cookies, as sessions as using cookies anyway)

this is the problem I think:

If the server time is not properly set, e.g(it is behind the client time).    Excution of the following code

session_set_cookie_params(2000);
session_start();

will NOT set/send cookie to  Internet Explorer 6.0,

even though it will set the cookie on Mozilla/Firebird browser.  But the cookie will get set without the session_set_cookie_params();

Same holds true for following code,

$expiry = 60*30;
session_start();
setcookie(session_name(),session_id(), time()+$expiry, "/");
 

For some reason IE is really sensitive to cookie times. It won't even accept the cookie!!
 This took me quite a while to figureout, for I thoguht it was an IE cookie security issue.

[Join us @ facebook]

Regarding sessions, it keeps cookies only for the current browser session.

To make it keep the cookie you have to use the cookie functions without using session ( session_start )

Regarding sessions, it keeps cookies only for the current browser session.

To make it keep the cookie you have to use the cookie functions without using session ( session_start )

this is the magic: session_set_cookie_params(2000);

but how many seconds?

[Join us @ facebook]

I guess 2000 seconds is fine, but it also depends on the security level you want for the specific site.


For a forum you can set it to 30 minutes, but for a web application 15 minutes is a lot.

I guess 2000 seconds is fine, but it also depends on the security level you want for the specific site.


For a forum you can set it to 30 minutes, but for a web application 15 minutes is a lot.

yes right, but if you have re-opend a window within this 15 minutes you can continue the old session?

[Join us @ facebook]

If it is stored in a cookie, you can.

If it is stored in a cookie, you can.

you have always a cookie, if session_start() is used (at last in FF)

[Join us @ facebook]

That's true, but IE will keep this cookie only in the open browser (in other words the session cookie does not work as a reqular cookie in IE)

... what if the phpsessid cookie is expired and you are logged in on some page, do you have to log in again?

That's true, but IE will keep this cookie only in the open browser (in other words the session cookie does not work as a reqular cookie in IE)

yes that's looks to be the difference, that why it's only available in the "first" main window (and his childs)

[Join us @ facebook]

... what if the phpsessid cookie is expired and you are logged in on some page, do you have to log in again?

You can set the expiriation time of the cookie on every page load. This way it will work like a normal session.

You can set the expiriation time of the cookie on every page load. This way it will work like a normal session.

you say I have to use f.e. the this value "gc_maxlifetime" in every page? this way each session and phpsessid has the same experation time? and if someone has logged out I have to set a negative value to the cookie?

[Join us @ facebook]

No. The gc_lifetime is a general attribute. Not for the specific cookie.

I think what you need here is to set_cookie again in every pageview.

If the user log out you can destroy the cookie(eg. setcookie ('XXX', "", time() - 3600) ).

yes but the genarel value should be the same (by default) then my cookie value...

with this kind of code:

Code:

<?php
$expire = ini_get("session.gc_maxlifetime");
if (empty($_COOKIE['PHPSESSID'])) {
session_set_cookie_params($expire);
session_start();
} else {
session_start();
setcookie("PHPSESSID", session_id(), time() + $expire);
}
?>

[Guest]

[62.861]

Googlebot, Yahoo crawler