Moderated by: Support

Professional | registered: January 2003 | Status: offline | last visit: 04.12.08 | Posts: 570
Hi,
I have been passed the requirement for one of my installs that PN not place any cookies on the client machine. Currently, when you log into PN, a POSTNUKESID cookie is passed to your client (which sets your session ID).
Can this be turned off and the session ID be appended to the URL? (I've looked around but didn't find anything along those lines).
If this doesn't exist, can someone give me a hint as to
1) How difficult this would be to implement (trivial, easy, hard, impossible)?
2) Give me an idea of how/where to start. I'd be perfectly willing to try to implement this, dependent on some feedback from people in the know.
Greetings/Thanks
--> R

Moderator | registered: March 2002 | Status: offline | last visit: 26.08.08 | Posts: 7720
Robert,
This advice comes with an "I've not tried it" warning ;). Now I've got that out of the way: there may be a possibility of implementing this without touching PN at all. Good, eh? (Well, if it works anyway.)
Take a look at the session.use_cookies directive in your php.ini file.
-Mark

Professional | registered: January 2003 | Status: offline | last visit: 04.12.08 | Posts: 570
Hi Mark,
thanks for your suggestion, but I'm afraid that doesn't do the trick. I've just tried this and unfortunately the cookie is still being set.
Having said this, I grepped around the PN source tree a little and found the following in pnSessionSetup() (in include/pnSession.php):
Code
// Stop adding SID to URLs
ini_set('session.use_trans_sid', 0);
// User-defined save handler
ini_set('session.save_handler', 'user');
// How to store data
ini_set('session.serialize_handler', 'php');
// Use cookie to store the session ID
ini_set('session.use_cookies', 1);
// Name of our cookie
ini_set('session.name', 'POSTNUKESID');
I've tried setting session.use_trans_sid=1 and session.use_cookies=0, but the cookie was still being set. Somewhere in this code block, it should be possible to change the behaviour so that no cookie is being set but so far I haven't been able to figure out how.
Any more ideas on how to do this?
Greetings/Thanks
--> R

Moderator | registered: March 2002 | Status: offline | last visit: 26.08.08 | Posts: 7720
Robert,
At a glance it looks like changing the code you suggested should do it, but you've tried that. The second setting overrides the php.ini setting that I referred you to (I should have checked).
I did look into turning off the cookies completely for unregistered users browsing the site, as some countries are now coming up with daft privacy laws about the setting of cookies etc. I got this to work to some degree, in that the site was browsable, but I couldn't get the transition from this state to the logged-in state with having sessions on to start with.
I've no more ideas at the moment, I'm afraid. I'll see if I can find a few minutes to take a further look at this. If I can get this working it would be useful as well as a performance improvement (only having sessions for signed-on users, regardless of the use of a cookie or a URL).
I suggest you also continue to dig and let me know if you come up with anything.
-Mark

Moderator | registered: March 2002 | Status: offline | last visit: 26.08.08 | Posts: 7720
Robert,
Coming back to you (probably before you've read my first reply). It looks like this setting in the PN sessions code has no effect.
Looking at the PHP documentation on sessions and ini_set (http://uk2.php.net/en/ini-set), it appears that use_trans_sid can't be set by user scripts. It can, however, be set by a .htaccess file.
So adding the following to a .htaccess file in the PN root
Code
# the directive is session.use_trans_sid; the bare name use_trans_sid has no effect
php_value session.use_trans_sid 1
then disable cookies via the line in pnSession.php. I've quickly tested this setup (I changed my php.ini rather than a .htaccess file) and can log in and out without a cookie being set.
I should point out that there are potential security issues arising from having the session ID passed in the URL, but I guess you're probably aware of this anyway.
-Mark
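The procedure Mark describes (set session.use_trans_sid outside the script, turn session.use_cookies off in pnSession.php) is easy to get half-right: one directive lands, the other is silently refused, and the cookie keeps appearing. The following is an added example, not PostNuke's own pnSession.php: the ini_set() block from Robert's post made switchable between the two transports, with a report of every directive PHP refused at script level so you know what has to move into php.ini or .htaccess. Function names, the array keys and the PHP 5.2-era assumptions (filter_var, session.cookie_httponly) are mine; whether ini_set() can change session.use_trans_sid on a given build is exactly what the function reports rather than assumes.

```php
<?php
// Added example, not PostNuke's pnSession.php: the thread's ini_set() block made
// switchable between the two session transports, plus a report of which
// directives PHP refused at script level.  Function and key names are assumed.

/**
 * Configure the session transport before session_start().
 *
 *   $cookieless = true  : no POSTNUKESID cookie, SID is appended to URLs and forms
 *   $cookieless = false : cookie only, with the hardening a cookie transport allows
 *
 * Returns the directives ini_set() refused (it returns false when a directive
 * cannot be changed from a script).  Anything listed has to be set in php.ini
 * or, with mod_php and AllowOverride Options, via php_value in .htaccess.
 */
function configureSessionTransport($cookieless)
{
    $wanted = array(
        'session.name'             => 'POSTNUKESID',
        'session.use_cookies'      => $cookieless ? '0' : '1',
        'session.use_trans_sid'    => $cookieless ? '1' : '0',
        // Only honour the SID from the transport we chose: with use_only_cookies
        // on, a SID in the query string is ignored instead of being adopted.
        'session.use_only_cookies' => $cookieless ? '0' : '1',
    );
    if (!$cookieless) {
        // Keep the cookie away from JavaScript and, on TLS, away from plain HTTP.
        $wanted['session.cookie_httponly'] = '1';
        if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
            $wanted['session.cookie_secure'] = '1';
        }
    }

    $refused = array();
    foreach ($wanted as $directive => $value) {
        if (ini_set($directive, $value) === false) {
            $refused[] = $directive;
        }
    }
    return $refused;
}

/**
 * True if a session cookie would be sent to the client under the settings in
 * effect (ini_get() may return "1", "On" or "" depending on where it was set).
 */
function sessionCookieWillBeSent()
{
    return filter_var(ini_get('session.use_cookies'), FILTER_VALIDATE_BOOLEAN);
}

// Usage, constructed for this example: request the cookieless transport and make
// the result visible instead of silently running with half of the settings.
$refused = configureSessionTransport(true);
if ($refused) {
    error_log('session directives not settable here, move to php.ini/.htaccess: '
        . implode(', ', $refused));
}
session_start();
if (sessionCookieWillBeSent()) {
    error_log('warning: session.use_cookies is still on, a POSTNUKESID cookie will be set');
}
```

Run it once on the target host and read the error log: an empty refused list plus a false sessionCookieWillBeSent() is the state Mark reached by editing php.ini. If session.use_trans_sid shows up as refused, the .htaccess php_value line is the only option on that build.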
Professional | registered: September 2002 | Status: offline | last visit: 19.11.08 | Posts: 879
I thought that SIDs are automatically appended to URLs if cookies don't work with the client.
--
best regards from Kiel, sailing city
Steffen Voss
Member of the PostNuke Steering Committee
Read The Zikulan's Blog

Software Foundation | registered: December 1969 | Status: offline | last visit: 15.11.08 | Posts: 4481
I always used the other way: hide the SID from the URL with .htaccess files.
Having said this, I guess it's just a PHP config thing, since in some of my PN installations SIDs are appended to the URL (even with the ini_set('session.use_trans_sid', 0); in pnSession.php), in others everything works as expected.
--
regards from germany
..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..

Moderator | registered: March 2002 | Status: offline | last visit: 26.08.08 | Posts: 7720
Andreas,
It looks (from the referenced PHP docs) like the ini_set command in pnSession.php has no effect. According to these docs, use_trans_sid can't be set by user scripts. This would seem to be backed up by experience, as you comment that many PN sites have the SID appended anyway. I think we should remove this code if this is the case.
-Mark

Software Foundation | registered: December 1969 | Status: offline | last visit: 15.11.08 | Posts: 4481
Agreed; I guess this has been changed sometime back in PHP's history...
Anyway: from my point of view it's not recommended to use the SID as part of the URL. Besides security risks with cached session IDs, there might be problems when trapping search engine spiders on the site (grabbing the same URL with different SIDs over and over again...).
--
regards from germany
..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..
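Mark's warning about the session ID in the URL and Andreas's points about cached IDs and spiders come down to two concrete problems: anyone who can put a link in front of a user can choose that user's session ID (fixation), and every copied, cached or crawled URL carries a live session. The following is an added example, not PostNuke or Zikula code, showing the minimum a site in the cookieless setup should do about both. It assumes PHP 5.1 or later for session_regenerate_id() with the delete-old flag; the function names, the marker key and the SID character-class/length bounds in the regex are my assumptions, not PHP's definition of a session ID.

```php
<?php
// Added example, not PostNuke/Zikula code.  Assumes PHP 5.1 or later
// (session_regenerate_id() with the delete-old flag) and the cookieless setup
// from the thread, so the SID arrives in the query string or the form body.

/**
 * Start the session without adopting a session ID the server never issued.
 * PHP 5.5.2+ does this with session.use_strict_mode; older PHP needs the
 * marker below.  Returns true when the incoming ID was replaced.
 */
function startSessionStrict()
{
    $name = session_name();
    // Drop a syntactically impossible SID before session_start() hands it to the
    // save handler.  Character set and length bounds are assumptions wide enough
    // for every session.hash_bits_per_character setting.
    foreach (array('_GET', '_POST') as $src) {
        if (isset($GLOBALS[$src][$name])
            && !preg_match('/^[A-Za-z0-9,-]{22,128}$/', $GLOBALS[$src][$name])) {
            unset($GLOBALS[$src][$name]);
        }
    }
    session_start();
    if (empty($_SESSION['__issued_by_server'])) {
        // New visitor, expired session or an attacker-chosen value: never keep
        // a caller-supplied ID, mint our own and discard the old store entry.
        session_regenerate_id(true);
        $_SESSION['__issued_by_server'] = 1;
        return true;
    }
    return false;
}

/**
 * Call on every privilege change (login, role change).  The strict start above
 * does not cover this case: an attacker can obtain a perfectly valid ID just by
 * visiting the site, put it in a link, and wait for the victim to log in on it.
 * Rotating the ID at authentication leaves the attacker holding a dead one.
 */
function onPrivilegeChange($userId)
{
    session_regenerate_id(true);
    $_SESSION['__issued_by_server'] = 1;
    $_SESSION['uid'] = (int) $userId;
}

/**
 * Strip the SID from a URL before it is logged, stored or published, so that
 * spiders and pasted links do not carry (and replay) a session.
 */
function stripSidFromUrl($url)
{
    $sid = preg_quote(session_name(), '/');
    $url = preg_replace('/&' . $sid . '=[^&#]*/', '', $url);          // &SID=x     -> (removed)
    $url = preg_replace('/\?' . $sid . '=[^&#]*&/', '?', $url);       // ?SID=x&a=1 -> ?a=1
    $url = preg_replace('/\?' . $sid . '=[^&#]*(?=#|$)/', '', $url);  // ?SID=x     -> (removed)
    return $url;
}

// Constructed request for this example: a visitor arrives via a link that
// already carries a SID (a fixation attempt), then logs in.
session_name('POSTNUKESID');
$_GET['POSTNUKESID'] = 'attacker-chosen-value';   // not something PHP would generate
$replaced = startSessionStrict();                  // the supplied ID is discarded
onPrivilegeChange(42);                             // login: rotate again
echo stripSidFromUrl('index.php?module=News&POSTNUKESID=' . session_id() . '#top'), "\n";
```

The regeneration in onPrivilegeChange() is the part that actually defeats fixation; the strict start only stops the cheap variant where the attacker invents an ID instead of fetching one. stripSidFromUrl() is for the places a URL leaves the request (logs, canonical links, user-posted links); it does nothing about the Referer header, which is the main reason the thread's participants advise against this transport at all.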
Moderator | registered: March 2002 | Status: offline | last visit: 26.08.08 | Posts: 7720
Agreed, that's why I pointed out the security issues. However, Robert had a specific request to achieve this, so there it is ;).
-Mark
