On Wed, Jun 09, 2010 at 09:17:02AM +0100, MJ Ray wrote:
Chris G cl@isbd.net wrote:
On Tue, Jun 08, 2010 at 09:25:03PM +0100, James Bensley wrote:
Probably equally as nasty but another method would be to have a link on page a that is <a href="PageB.php?val1=hello&val2=world">PageB</a>
[...]
I was reading about this method when searching for "alternatives to cookies", it might well be a better way for my particular requirement.
I can't remember how many times something along the lines of the above has been done insecurely. When asked why it was written that way, it's sometimes that they got in the habit on a site with only trusted users, or it's code from a trusted-user site that's been re-used. It's better not to get in that habit, especially when the safer alternative is pretty easy.
Use the PHP session handler, put the stuff in the session and make sure you are either:
- running PHP with the run-time option session.use_trans_sid to put the session ID into URLs transparently; or
- adding the PHP constant SID to links as needed.
PHP probably handles both parameter passing and writing/reading stuff from storage far better than humans. Beware session expiry time, though.
I agree in principle, the trouble is that I can't "get at" the PHP session handler because I can't easily insert code that runs before the HTML headers have been parsed.
As it turns out I need to completely rethink what I'm doing anyway because PHP code run 'from the page' (i.e. embedded in the HTML) can't really do what I want.
I'm now thinking that it's almost certainly easier to change the underlying Wiki code to do what I want, even though that means I'll have a patched/modified version of the Wiki.
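
The session approach discussed in this thread, as an added example that is not code from any of the posters: the values from the PageB link are kept in server-side session storage and only the session ID travels in the URL, via the SID constant. The file name pages.php, the `page` parameter and the cookie-less client are assumptions, as is a PHP version that still supports URL-based session IDs.

```php
<?php
// Added example: one script serving both "page A" and "page B".
// Assumed names: pages.php, ?page=a|b; val1/val2 come from the thread's link.
ini_set('session.use_cookies', '0');       // assume the client has no cookies
ini_set('session.use_only_cookies', '0');  // allow the ID to arrive in the URL
ini_set('session.use_trans_sid', '0');     // SID is appended by hand below
ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not issue
session_start();                           // must run before any output is sent

$page = $_GET['page'] ?? 'a';

if ($page === 'a') {
    // The values never appear in the URL, so the visitor cannot edit them.
    $_SESSION['val1'] = 'hello';
    $_SESSION['val2'] = 'world';

    // SID expands to "name=id" when no session cookie was received.
    $href = 'pages.php?page=b' . (SID !== '' ? '&' . SID : '');
    echo '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">PageB</a>';
} else {
    // Page B trusts only what the server stored, not request parameters.
    if (!isset($_SESSION['val1'], $_SESSION['val2'])) {
        http_response_code(400);
        exit('No session data: it expired, or page B was opened directly.');
    }
    echo htmlspecialchars(
        $_SESSION['val1'] . ' ' . $_SESSION['val2'],
        ENT_QUOTES,
        'UTF-8'
    );
}
```

Because the ID is in the URL, it also ends up in server logs, browser history and Referer headers, so a short session lifetime matters here.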