[phplib-users] Session url() method
From: Lindsay H. <fmo...@fm...> - 2006-12-16 20:17:26
I note that the session4.inc module in phplib defers to PHP4's native session management and URL rewriting in the url() method. There's one shortcoming of this implementation. As the PHP documentation states, if session.use_trans_sid is set, "_relative_ URIs will be changed to contain the session id automatically." (emphasis mine)

Formerly if one were to set $sess->mode to "get", the url() method could be used to append the SID to both relative and absolute URIs. This is no longer possible for absolute URIs, and I had to patch session4.inc with code from the older session.inc to restore this functionality.

This comes up very specifically in an e-commerce situation where it's necessary to link to a secure page on the same server to collect customer info. For instance, a shopping catalog page may be at http://www.vendor.com/catalog.php, but the checkout page may be at https://secure.webhost.com/vendor/checkout.php. If a session cookie is set in the catalog page, the secure checkout page falls outside the cookie domain and so session continuity is lost. The logical solution here is to put the session name and SID into the URL as GET data.

It's probably possible to use a call to setcookie() to work around this, but the behavior expected in previous versions of the url() session method is no longer supported.

--
Lindsay Haisley       | "Fighting against human | PGP public key
FMP Computer Services | creativity is like      | available at
512-259-1190          | trying to eradicate     | <http://pubkeys.fmp.com>
http://www.fmp.com    | dandelions"             |
                      | (Pamela Jones)          |
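The behaviour described in the message above, appending the session name and id to an absolute URI as GET data, sketched as an added example; it is not part of the original post and is not phplib's session.inc or session4.inc code. The function name `append_sid()`, the `$SID_HOSTS` allowlist (which limits the id to the two hosts named in the post), and the sample session name and id are assumptions made for illustration.

```php
<?php
// Added example, not phplib code. append_sid() and $SID_HOSTS are hypothetical.
// Hosts allowed to receive the session id, taken from the post's own example.
$SID_HOSTS = array('www.vendor.com', 'secure.webhost.com');

function append_sid($url, $name, $sid, $allowed_hosts)
{
    $parts = parse_url($url);
    if ($parts === false) {
        return $url;                      // unparseable: leave untouched
    }
    // Absolute URI: add the id only for hosts on the allowlist, so it is
    // never handed to a third-party site. Relative URIs have no host part.
    if (isset($parts['host'])
        && !in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return $url;
    }
    // Set the fragment aside so the parameter lands in the query string.
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    // Remove any session parameter already present, so a stale or
    // attacker-supplied id in the link is not carried along.
    $pattern = '/([?&])' . preg_quote($name, '/') . '=[^&]*(&|$)/';
    do {
        $url = preg_replace($pattern, '$1', $url, -1, $count);
    } while ($count > 0);
    $url = rtrim($url, '?&');

    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . rawurlencode($name) . '=' . rawurlencode($sid) . $fragment;
}

// Constructed sample values; in an application these would come from
// session_name() and session_id() after session_start().
$name = 'Example_Session';
$sid  = 'constructed0123456789abcdef';

echo append_sid('https://secure.webhost.com/vendor/checkout.php', $name, $sid, $SID_HOSTS), "\n";
echo append_sid('catalog.php?item=5#top', $name, $sid, $SID_HOSTS), "\n";
echo append_sid('http://other.example/page.php', $name, $sid, $SID_HOSTS), "\n";
```

An id passed this way appears in server logs and Referer headers, so the receiving page can call `session_regenerate_id(true)` once it has accepted it.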