Chris G cl@isbd.net wrote:
On Tue, Jun 08, 2010 at 09:25:03PM +0100, James Bensley wrote:
Probably equally as nasty but another method would be to have a link on page a that is <a href="PageB.php?val1=hello&val2=world">PageB</a>
[...]
I was reading about this method when searching for "alternatives to cookies", it might well be a better way for my particular requirement.
I can't remember how many times something along the lines of the above has been done insecurely. When asked why it was written that way, it's sometimes that they got in the habit on a site with only trusted users, or it's code from a trusted-user site that's been re-used. It's better not to get in that habit, especially when the safer alternative is pretty easy.
Use the PHP session handler, put the stuff in the session and make sure you are either:
1. running PHP with the run-time option session.use_trans_sid to put the session ID into URLs transparently; or
2. adding the PHP constant SID to links as needed.
PHP probably handles both parameter passing and writing/reading stuff from storage far better than humans. Beware session expiry time, though.
See Also: http://uk.php.net/manual/en/session.idpassing.php
Hope that helps,
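
The session approach described in the message above, as an added example that is not part of the original post: page A keeps the values server-side and appends SID to the link, and page B checks that the session is still live before using them. The file name pages.php, the page parameter and the MAX_IDLE limit are assumptions made for illustration; val1 and val2 come from the quoted link.

```php
<?php
// Added example, not from the original post. "pages.php", the "page"
// parameter and MAX_IDLE are illustrative assumptions.

// Option 2 from the post: carry the session ID in links via the SID constant.
// PHP only accepts an ID from the URL when use_only_cookies is off.
ini_set('session.use_only_cookies', '0');
ini_set('session.use_cookies', '0');
ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
session_start();

const MAX_IDLE = 600; // seconds; assumed application-level idle limit

// Escape a value for safe output into HTML text or attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$page = $_GET['page'] ?? 'a';

if ($page === 'a') {
    // Page A: the values stay on the server; only the session ID travels.
    $_SESSION['val1'] = 'hello';
    $_SESSION['val2'] = 'world';
    $_SESSION['last_seen'] = time();
    $url = 'pages.php?page=b' . (SID !== '' ? '&' . SID : '');
    echo '<a href="' . h($url) . '">PageB</a>';
    exit;
}

// Page B: the session may be missing or expired, so check before use.
$fresh = isset($_SESSION['last_seen'])
    && time() - $_SESSION['last_seen'] <= MAX_IDLE;

if (!$fresh || !isset($_SESSION['val1'], $_SESSION['val2'])) {
    // Drop whatever is left and send the user back to page A.
    session_unset();
    session_destroy();
    echo 'Session expired. <a href="pages.php?page=a">Start again</a>';
    exit;
}

$_SESSION['last_seen'] = time(); // sliding idle window
echo h($_SESSION['val1'] . ' ' . $_SESSION['val2']);
```

A session ID carried in the URL shows up in server logs, browser history and Referer headers, and PHP 8.4 deprecates URL-based session IDs; with cookie-based sessions the two `ini_set` lines that disable cookies and the SID suffix are dropped.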