[PHP] url rewriting within sessions - confused newbie needs h elp

[Peter Walter]

Mike,

Thanks for the additional explanation, and I understand the sequence of
events as you described. However, please bear with me a bit - the
results I am getting do not quite match your explanation. Let me clarify
what I am doing:

I have a page (index.php) which starts out by calling start_session(),
then emits some html code containing some form variables for search
criteria. After the form variables, I have a "submit" button that refers
to index.php. Following that, I have php logic that extracts the search
criteria (if set) from $HTTP_POST_VARS, performs a MySQL query, then
creates a table of results (if any); one of the table entries contains a
<a href= link to determine which row the user selected.

The first time I load the page, I assume the session is created by
start_session(), and the cookie is sent to the browser. When I click on
the "submit" button, the page is reloaded - I assume with the session
active - as per your explanation. According tho the documentation I have
read, the second time the page is loaded, start_session() will simply
reuse the existing session parameters. At this point, the browser should
already have the cookie - if it did not, I would not be able to retrieve
the session variables - but the url links in the table are still
rewritten. I do not understand why.

Being new to the "stateless" paradigm of web applications, and to php, I
feel a bit nervous about coding when I do not quite grasp what is going on.

Peter

Ford, Mike [LSS] wrote:

>On 11 December 2003 16:54, Peter Walter wrote:
>
>
>
>>Jason,
>>
>>Thanks for your help. It is a little clearer to me now.
>>However, I have
>>visited php sites that *claim* to be using session management
>>but where
>>the links do not have the session id appended, and there are no
>>variables being passed in the url for links. The url is always in the
>>form "www.somesite.com/index.php" or just "www.somesite.com".
>>In these
>>cases, how is the url rewriting being suppressed for the links on the
>>page? I simply want to understand the technique.
>>
>>
>
>If "url rewriting" (session.use_trans_sid) is enabled, and your browser is
>accepting cookies, then the sequence of events goes like this:
>
>1. First request to your site -- browser has no cookie set, so cannot send
>it.
>
>2. PHP responds with a page, including a header to set the PHPSESSID cookie;
>because, at this stage, PHP has no idea whether your browser will accept
>cookies, it also rewrites all URLs contained in the page to include a
>PHPSESSID= parameter.
>
>3. Your browser displays the page, and sets the cookie.
>
>4. You click a link to get the next page -- in addition to sending a request
>for the URL containing the PHPSESSID= parameter, your browser also sends the
>newly-set PHPSESSID cookie.
>
>5. PHP responds with the new page, but, because it has received the
>PHPSESSID cookie in the previous step it now knows your browser is accepting
>cookies and does not bother to do any URL rewriting.
>
>6. None of the URLs in the new page have the PHPSESSID= parameter appended
>-- transmission of the session id is now solely via the PHPSESSID cookie.
>
>Various things can influence this behaviour:
>
>- If your browser is not accepting cookies, URL rewriting will always occur
>and you will continue to see PHPSESSID= parameters appended.
>
>- If session.use_trans_sid is not set, PHP will do no URL rewriting but will
>attempt to use cookies (if enabled) -- if your browser doesn't accept
>cookies, sessions will fail to work (unless you manually append PHPSESSID=
>parameters where needed -- the SID built-in constant is provided for this).
>
>- If session.use_cookies is not set, PHP will not even attempt to use a
>cookie for the session id.
>
>- If session.use_only_cookies is set, PHP will use *only* cookies to store
>the session id -- again, if your browser is not accepting cookies, sessions
>will not work.
>
>As you can see, there are many ways of setting this up, with a few subtle
>nuances -- and some of the combinations don't actually make much sense
>(use_trans_sid=1 and use_only_cookies=1, for instance). Note that you *can*
>set it up so that PHP does no automatic PHPSESSID setting at all
>(use_trans_sid=0 and use_cookies=0) -- then it's up to you to manually
>append the PHPSESSID= parameter to all appropriate URLs.
>
>Cheers!
>
>Mike
>
>---------------------------------------------------------------------
>Mike Ford, Electronic Information Services Adviser,
>Learning Support Services, Learning & Information Services,
>JG125, James Graham Building, Leeds Metropolitan University,
>Beckett Park, LEEDS, LS6 3QS, United Kingdom
>Email: m.f...@leedsmet.ac.uk
>Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
>
>

[Mike Ford]

[Mike Ford]

On 11 December 2003 18:01, Peter Walter wrote:

> Mike,
>
> Thanks for the additional explanation, and I understand the
> sequence of events as you described. However, please bear
> with me a bit - the results I am getting do not quite match
> your explanation. Let me clarify what I am doing:
>
> I have a page (index.php) which starts out by calling
> start_session(),

I hope you mean session_start().

> then emits some html code containing some
> form variables for search criteria. After the form variables,
> I have a "submit" button that refers to index.php. Following
> that, I have php logic that extracts the search criteria (if
> set) from $HTTP_POST_VARS, performs a MySQL query, then
> creates a table of results (if any); one of the table entries
> contains a <a href= link to determine which row the user selected.
>
> The first time I load the page, I assume the session is
> created by start_session(), and the cookie is sent to the
> browser. When I click on the "submit" button, the page is
> reloaded - I assume with the session active - as per your
> explanation. According tho the documentation I have read, the
> second time the page is loaded, start_session() will simply
> reuse the existing session parameters. At this point, the
> browser should already have the cookie - if it did not, I
> would not be able to retrieve the session variables

Well, you would, because PHP would use the value from the PHPSESSID= URL parameter.

> - but the
> url links in the table are still rewritten. I do not understand why.

My immediate reaction to this is that session.use_cookies must be set to 0 (or Off) in your php.ini (or equivalent). Have you checked this? If it looks correct, what does a phpinfo() page show?

[Mike Ford]

On 11 December 2003 19:58, Peter Walter wrote:

> I hope you mean session_start().
>

> Yes, I did. Getting a bit dyslexic nowadays.

>
>
> Well, you would, because PHP would use the value from the PHPSESSID=
> URL parameter.
>

> ... except that on the second call, the url (as displayed by
> the browser) does not contain the PHPSESSID parameter, yet I
> am still able to retrieve the session variables correctly ...

Well, that seems right (and is different from your previous explanation). Go back and read my original description of the process -- especially steps 5 and 6. Once PHP knows that your browser is accepting cookies, it stops appending the PHPSESSID= URL parameters, and the cookie takes over the job.