PHP Sessions
phpnovice
12-27-2004, 11:39 PM
Notice my moniker? So, be gentle with me... First question...
If SID is not working in my PHP pages, what is another way to obtain access to the current session id? I tried this:
<?php
echo "<p>Session ID = " . SID . "</p>\n";
?>
and didn't get a displayed value (even though I can see this value when I use PHPINFO() for testing purposes). So, I tried this:
<?php
echo "<p>Session ID = " . $_REQUEST[$_SESSION["name"]] . "</p>\n";
?>
Again, this did not yield a displayed value (even though I can see this value in _REQUEST["PHPSESSID"] and in _COOKIE["PHPSESSID"] when I use PHPINFO() for testing purposes). Note that I am trying to obtain the session id without hardcoding what is in session.name (which also shows in PHPINFO(), by the way).
No laughing!:D
AdamGundry
12-28-2004, 07:31 AM
SID may or may not be defined (depending on what the cookies are doing) but you can use session_id() (http://www.php.net/manual/en/function.session-id.php) instead.
Adam
phpnovice
12-28-2004, 08:05 AM
Thanks for that -- seems to be working just fine (I don't know why I didn't notice that function in the list of session functions). At any rate... Second question...
I notice in the first PHP page I visit, that PHP has modified all of my hyperlinks by adding a key/value pair showing the session id. However, each subsequent page I visit does not have this same modification done -- even though I continue to be able to access the session id via the function you have indicated. PHPINFO() shows the following (among other things):
Directive                 Local Value  Master Value
------------------------  -----------  ------------
session.use_cookies       On           On
session.use_only_cookies  Off          Off
session.use_trans_sid     On           On
Should I be using something like the following?
<?php
ini_set("session.use_only_cookies", true);
?>
Lastly, in that link you supplied, a comment was added touting the use of code such as the following:
<?php
if (!session_id()) {
    session_start();
}
?>
I thought that session_start() could be freely executed at the start of every page and that it would automatically determine whether a new session was required or not. Is that not correct?
ShrineDesigns
12-28-2004, 02:43 PM
to open an existing session, try this:
<?php
if(isset($_REQUEST['PHPSESSID']) && !empty($_REQUEST['PHPSESSID']))
{
    // opens a session via $_GET['PHPSESSID'] or $_COOKIE['PHPSESSID']
    session_start($_REQUEST['PHPSESSID']);
}
else
{
    // opens a new session
    session_start();
}
?>
AdamGundry
12-28-2004, 02:54 PM
Normally, PHP will determine itself whether to alter the URL or use cookies to store the session ID. I assume in your case that it initially alters the URL, but then the cookie is accepted so it uses that instead.
Cookies only is a more secure option, because it lessens the chances of certain attacks involving a cracker getting the session ID. If you want to force this, use the code below, but be aware this means cookies will be required for your website to work:
ini_set('session.use_only_cookies', '1');
The code about checking before starting a session only applies if you could potentially start a session twice (a fairly uncommon occurrence) and you need to check if the session has already been opened. Normally, you simply call session_start() as you described.
Adam
phpnovice
12-28-2004, 06:52 PM
Originally posted by AdamGundry
...but be aware this means cookies will be required for your website to work...
Yes, I knew that. What is the easiest way, in PHP, to tell if the visitor's browser is accepting cookies? ...so that you can redirect them to a page that says cookies are required?
sydelct
12-29-2004, 12:26 AM
well, the steps to test if a browser accepts cookies are:
1. set a cookie (via setcookie() function)
2. force the page to reload (or automatically go to another page - maybe, cookietest.php)
3. check if the cookie has been set
4. if not, then display message.
AdamGundry
12-29-2004, 03:34 AM
Since you're using sessions, adapting sydelct's method would probably go something like this:
1. Start a session (with use_only_cookies set), and set a variable in $_SESSION
2. Move to another page
3. On that page, test if the variable in $_SESSION is still set
4. If not, then display a message
Adam
sydelct
12-29-2004, 03:38 AM
Adam, yup, I think that would do the trick!
phpnovice
12-29-2004, 08:15 AM
Since my pages are not always entered in a particular order (because of direct advertising to one page or another), I cannot use that precise method. In fact, I was hoping for a single-page method (without reload) of determining such information (I can't use redirect, and I probably can't use reload, because those sites that provide such direct advertising require that a single click on the browser [Back] button is sufficient to return the surfer to their site). I guess I will just have to satisfy myself with whether the session cookie exists at the point where the surfer actually tries to add something to their shopping cart. Thanks.
Otherwise... I tried implementing the ini_set() function and I'm not getting the desired result (i.e., the first page is still getting its URL's modified). Ideas?
I have this as the very first lines in each page:
<?php
if (isset($_REQUEST['PHPSESSID'])
    && !empty($_REQUEST['PHPSESSID'])) {
    session_start($_REQUEST['PHPSESSID']);
} else {
    ini_set('session.use_only_cookies', '1');
    session_start();
}
?>
sydelct
12-29-2004, 08:26 AM
Well, in that case, you really have no choice since the PHP manual says that cookies are made available when a new page is viewed (or a reload is made). Excerpt from the PHP setcookie manual:
Once the cookies have been set, they can be accessed on the next page load with the $_COOKIE or $HTTP_COOKIE_VARS arrays.
As for ini_set, I'm not sure. PHP manual says it should be changeable.
One thing, it should be:
ini_set("session.use_only_cookies", "1");
and not:
ini_set("session.use_only_cookies", true);
phpnovice
12-29-2004, 01:43 PM
Originally posted by sydelct
One thing, it should be:
ini_set("session.use_only_cookies", "1");
and not:
ini_set("session.use_only_cookies", true);
I don't have the word true in there. See my last post.
AdamGundry
12-29-2004, 03:39 PM
You don't need to be quite that complex, because PHP will automatically detect an existing session:
ini_set('session.use_only_cookies', '1');
session_start();
Regarding ini_set not working, try checking the value it returns. If it is FALSE, it was unable to change the setting (perhaps because of security settings).
Adam
phpnovice
12-29-2004, 04:50 PM
Originally posted by AdamGundry
You don't need to be quite that complex, because PHP will automatically detect an existing session:
That is what I asked earlier and didn't get a direct answer.
Originally posted by phpnovice
I thought that session_start() could be freely executed at the start of every page and that it would automatically determine whether a new session was required or not. Is that not correct?
Thanks.
Originally posted by AdamGundry
Regarding ini_set not working, try checking the value it returns. If it is FALSE, it was unable to change the setting (perhaps because of security settings).
Thanks, I'll check that.
On the subject of detecting whether a valid PHP session currently exists... I need code at the start of my shopping cart page which will determine if a current, and valid, PHP session exists (as a result of the client's browser accepting cookies). Is the code I previously posted (though apparently too complex for every page) the correct code to use on my shopping cart page for the purpose I just outlined?
AdamGundry
12-30-2004, 02:43 AM
Sorry, I should have been clearer in my earlier post. The simpler code should be fine for most pages, but if you need to test if a session was passed the if statement will work. However, you should probably replace the hard-coded 'PHPSESSID' with session_name(), so your code will not break if the session is ever renamed.
Also note that session_start() takes no parameters.
Adam
phpnovice
12-30-2004, 07:22 AM
Originally posted by AdamGundry
Sorry, I should have been clearer in my earlier post. The simpler code should be fine for most pages, but if you need to test if a session was passed the if statement will work. However, you should probably replace the hard-coded 'PHPSESSID' with session_name(), so your code will not break if the session is ever renamed.
Good! Unbreakable is that for which I'm looking. ;)
Originally posted by AdamGundry
Also note that session_start() takes no parameters.
Cool! Always good to have correct information. :D
By the way, as you surmised, ini_set() is returning a false value and I have written to my IPP to find out why. Thanks.
phpnovice
12-31-2004, 04:58 PM
I haven't heard from my IPP, but I tried some different code and, now, I'm confused as to what is happening. I have this as the very first lines in all of my pages:
<?php
$i = ini_set('session.use_only_cookies', '1');
session_start();
?>
and I have this later in the BODY of these pages:
<?php
if (i == false) {
    echo '<p>ini_set() = false</p>';
} else {
    echo "<p>ini_set() = succeeded {$i}</p>";
}
?>
What is showing when I surf to my pages is this -- on every one of them:
ini_set() = succeeded 0
However, no matter which page I surf to first, that page still gets its links modified with the session id and all of the rest of the pages don't. Does this mean PHP just does not report when site security is preventing me from changing this setting? ...or, what?
AdamGundry
01-01-2005, 05:13 AM
If that was a straight quote, you need to use
if ($i === false) {
instead of
if (i == false) {
Adam
phpnovice
01-01-2005, 09:06 AM
Originally posted by AdamGundry
If that was a straight quote, ...
Yes, that was a straight quote. Sorry. Being new to PHP (from ASP, Assembler, COBOL, JavaScript, VB6, VBA, and VBScript), it is hard to remember to always include those pesky dollar signs on the variable names. As for the other part of what you changed... Why does the following yield "succeeded 0":
<?php
if ($i == false) {
    echo '<p>ini_set() = false</p>';
} else {
    echo "<p>ini_set() = succeeded {$i}</p>";
}
?>
and the following yield "false" on the same value of the $i variable?
<?php
if ($i === false) {
    echo '<p>ini_set() = false</p>';
} else {
    echo "<p>ini_set() = succeeded {$i}</p>";
}
?>
Thanks.
AdamGundry
01-01-2005, 09:49 AM
Don't worry about it - I am forever forgetting my dollar signs.
The difference between the code sections is in the operator being used. Two equal signs is the normal equality operator, which (obviously) checks to see if its operands are the same value. However, three equal signs (the identity operator) checks the type as well.
PHP can do very strange things when comparing types - see the manual (http://www.php.net/manual/en/types.comparisons.php). To be honest, I'm not sure why you are getting the behaviour described, but I'm guessing that false is the actual value being returned. Try using var_dump() (http://www.php.net/var_dump) for more reliable human-readable results, or is_bool() (http://www.php.net/is_bool) in code.
Adam
phpnovice
01-01-2005, 11:11 AM
OK, using this code:
<?php
var_dump($i);
if ($i === false) {
    echo "<p>ini_set() = failed {$i}</p>";
} else {
    echo "<p>ini_set() = succeeded {$i}</p>";
}
?>
I'm getting these results on every page (seven of them):
string(1) "0"
ini_set() = succeeded 0
from having previously executed this code:
<?php
$i = ini_set('session.use_only_cookies', '1');
session_start();
?>
Yet, the links in the first page are modified by PHP with the session id and all of the subsequent pages are not. Now, if the "succeeded" part of this output is to be believed, I would expect the output from ini_set() to be "0" on the first page and "1" on each subsequent page -- since the returned value (if not false) is supposed to be the value of the setting before it is changed. Correct? So, any ideas what's happening here?
AdamGundry
01-03-2005, 02:25 AM
That's strange. ini_set() appears to be working - you are right in that it is returning the old value of '0'. I'm not sure why PHP is ignoring the setting, but I know there are some bugs with transparent session rewriting. If you have access to your php.ini file (http://www.php.net/manual/en/configuration.php#configuration.file) (depends on your host) then try manually setting session.use_only_cookies in that file. Alternatively you could try one of these as a workaround:
ini_set('session.use_trans_sid', '0'); // Disables transparent SID support
or
ini_set('url_rewriter.tags', ''); // Tells the URL rewriter not to change anything
Adam
phpnovice
01-03-2005, 08:21 AM
Thanks for that. I included both of those in every one of my pages right before the code shown in my previous posts. The first page is now no longer having its links modified with the session ID (yippee!) -- and the same session ID is still available with each subsequent page. I'm going to do some more testing/playing with it, but I think we have a workable solution. Thanks, again. ;)
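An added example (not code from any poster in this thread) that pulls together two points discussed above: testing ini_set()'s return value with === rather than ==, and keeping the session ID in a cookie only so it never appears in rewritten links, where it can leak through logs, bookmarks and Referer headers. It assumes PHP 7 or later; the helper names set_ini_checked, start_cookie_only_session and session_cookie_present are hypothetical.

```php
<?php
// Added example; helper names are hypothetical, not from the thread.

/**
 * Apply an ini setting and confirm it took effect. ini_set() returns the
 * previous value as a string (the string "0" is a normal result), so failure
 * must be tested with === false; == false would also match "0" and "".
 */
function set_ini_checked(string $name, string $value): bool
{
    if (ini_set($name, $value) === false) {
        return false;                  // host refused the change
    }
    return ini_get($name) === $value;  // confirm the effective value
}

/** Keep the session ID in a cookie only, never in rewritten URLs. */
function start_cookie_only_session(): array
{
    $applied = [];
    foreach (['session.use_only_cookies' => '1', 'session.use_trans_sid' => '0'] as $name => $value) {
        $applied[$name] = set_ini_checked($name, $value);
    }
    session_start();  // no arguments: PHP resumes an existing session itself
    return $applied;
}

/** True when the browser returned the session cookie on this request. */
function session_cookie_present(): bool
{
    $name = session_name();  // avoids hard-coding 'PHPSESSID'
    return isset($_COOKIE[$name]) && $_COOKIE[$name] !== '';
}

foreach (start_cookie_only_session() as $directive => $ok) {
    if (!$ok) {
        error_log("Could not enforce {$directive}; set it in php.ini instead.");
    }
}

// Meaningful on a later page such as the cart: on a visitor's first request
// no cookie has been returned yet, whether or not cookies are enabled.
if (!session_cookie_present()) {
    echo "<p>Cookies are required to use the shopping cart.</p>\n";
}
```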