1

I have a problem with an ecommerce system I built for a client: some of the orders are coming up blank. I have added code to check whether sessions are being set, and they are not being set on some orders, which is why it's coming up blank.

The reason I use sessions is to store the order info

eg: $_SESSION['data']=$_POST;

I can only assume the users have cookies disabled in their browsers and would like to know how I can get around this.

What I would like to do is check if cookies are enabled and, if not, send the session ID via $_GET. But how do I access $_SESSION['data'] using the session ID?

So my questions are:

How do I check if cookies are enabled and, if not, send the session ID via GET, and how do I access $_SESSION['data'] using the session ID?

Nikola K.
Tommy Arnold

2 Answers

2

You'll have to open your session manager manually, using, for example

<?php
session_id($_GET['session_id']);
session_start();
// you can now access $_SESSION['data']
131
  • And to check if the cookie exists, try the following: if(!isset($_COOKIE[session_name()])) session_id($_GET['session_id']); session_start(); – 131 Jul 09 '12 at 11:56
2

You can set session.use_trans_sid in php.ini, which will automatically append the session ID via GET or POST.

It does this by automatically rewriting certain elements, such as href, according to the url_rewriter.tag entry, again in php.ini.

Note that using cookies is usually preferable, since storing session IDs in the URL can lead to users unintentionally sharing their session ID with other people.

carpii
  • Does this look ok? session_cache_expire(1440); session_start(); if(!isset($_SESSION['SESSION_ID'])){ ini_set('session.use_trans_sid', 1); session_id($_GET['session_id']); session_start(); }; – Tommy Arnold Jul 09 '12 at 11:58
  • 1
    You may also need to make sure `session.use_only_cookies` is disabled. And you probably want to change the SID frequently using `session_regenerate_id()` to limit the likelihood of session hijacking. Only passing the SID via POST is another way to protect against hijacking, but this is impractical on most sites. – Lèse majesté Jul 09 '12 at 12:00
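
The fallback discussed in this answer and its comments, as an added example that is not code from either answer: it probes for cookie support with one redirect, enables `session.use_trans_sid` only for visitors whose cookie does not come back, and rotates the ID with `session_regenerate_id()` before the order data is stored. `CHECKOUT_URL`, the `cookie_check` parameter and `start_order_session()` are hypothetical names; `session.use_strict_mode` is a standard PHP setting that neither answer mentions.

```php
<?php
// Added example; CHECKOUT_URL, cookie_check and start_order_session() are hypothetical names.
const CHECKOUT_URL = '/checkout.php';

function start_order_session(): bool
{
    // Strict mode: an ID the server never issued (for example one planted in a link)
    // is discarded and replaced, which blocks fixation through the URL parameter.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');

    $name      = session_name();
    $hasCookie = isset($_COOKIE[$name]);
    // Either the probe marker or an ID carried by a rewritten link or form.
    $probed    = isset($_GET['cookie_check']) || isset($_GET[$name]) || isset($_POST[$name]);

    // The cookie was offered earlier and did not come back, so cookies are off:
    // allow the ID in URLs and forms for this visitor only.
    $urlFallback = !$hasCookie && $probed;
    if ($urlFallback) {
        ini_set('session.use_only_cookies', '0');
        ini_set('session.use_trans_sid', '1');
    }
    session_start();

    if (!$hasCookie && !$probed && $_SERVER['REQUEST_METHOD'] === 'GET') {
        // First visit: the session cookie goes out with this response.
        // Redirect once, to a fixed path, to see whether the browser returns it.
        header('Location: ' . CHECKOUT_URL . '?cookie_check=1');
        exit;
    }
    return $urlFallback;
}

$urlFallback = start_order_session();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Rotate the ID before storing order data, so an ID that leaked through
    // a shared link stops being valid.
    session_regenerate_id(true);
    $_SESSION['data'] = $_POST;
}
if ($urlFallback) {
    // Keep URLs that carry the session ID out of Referer headers sent to other sites.
    header('Referrer-Policy: no-referrer');
}
```

Visitors whose browser returns the cookie never get an ID in their URLs, so the sharing risk described in the answer is limited to the cookie-less fallback path.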