Today I learned about session transmission through URL, so I wanted to try it out, so I wrote two pages with the following content:
【index.php】
<code><?php
session_start();
$_SESSION["username"] = "admin";
echo "Session ID: ".session_id()."<br>";
// SID is "name=ID", or an empty string when the browser sent the session cookie
?>
<a href="2.php?<?php echo SID ?>">来不及了,快上车!</a>
</code>
【2.php】
<code><?php
session_start();
// Prints "name=ID", or nothing when the session cookie was received
echo SID;
</code>
Open index.php as shown below:
After clicking the link, the page will be redirected as shown in the picture:
My question is: Logically speaking, the session IDs of the two pages should be the same, but why are they different? I am a novice, and I would like to ask a master to help me answer my questions...
Why should we include session in the URL?
1. This is not safe: assuming you are the administrator, if I grab a packet on the LAN and bring your session_id, then I will be the administrator;
2. Nowadays, cookies are generally used to pass session_id. As long as it is an HttpOnly cookie, you are not afraid of XSS attacks, and do not use Apache 2.2 as the server: there is a 400 Bad Request vulnerability that can leak HttpOnly cookies;
3. If the browser disables cookies, it will not allow login. This can be achieved with JavaScript.
SID is a constant containing the session name and session ID in the format "name=ID". It returns the same ID as session_id(), but it only has a value when the client does not have a session cookie; otherwise the value of SID is an empty string.
If you jump from index.php to 1.php without disabling client cookies, the output SID should be an empty string;
If cookies are disabled and the Session ID in the cookie cannot be obtained from the client, a new session will be generated, and a different SID will be output every time it jumps to 1.php;
php.ini adds the use_only_cookies setting starting from PHP 4.3.0, which specifies whether to only use cookies to store session IDs on the client side. Enabling this setting prevents attacks involving session IDs being passed through URLs. As of PHP 5.3.0, the default value is changed to 1 (enabled).
Transfer session ID
Predefined constants
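The behaviour described in the answer above, as an added example that is not part of the original thread: a replacement 2.php that refuses to run if php.ini allows URL-based session IDs, then reports whether the ID came from the cookie or was sent in the URL and ignored. It assumes PHP 7.3+; the strict-mode setting and the cookie attributes are additions the thread does not mention.

```php
<?php
// Added example, not code from the thread: a replacement for 2.php.
// Assumes PHP 7.3+ (array form of session_set_cookie_params()).

// Fail closed if php.ini would accept a session ID from the URL or
// rewrite links to carry one.
if (!ini_get('session.use_only_cookies') || ini_get('session.use_trans_sid')) {
    http_response_code(500);
    exit('Refusing to start: URL-based session IDs are enabled in php.ini.');
}

// Reject session IDs that this server did not issue.
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'httponly' => true,  // cookie is not readable from JavaScript
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'samesite' => 'Lax',
]);

$name      = session_name();          // "PHPSESSID" unless reconfigured
$hadCookie = isset($_COOKIE[$name]);  // did the browser send the cookie?
$idInUrl   = isset($_GET[$name]);     // did the link carry an ID?

session_start();

header('Content-Type: text/plain; charset=utf-8');
printf("cookie received : %s\n", $hadCookie ? 'yes' : 'no');
printf("ID in URL       : %s\n", $idInUrl ? 'yes, ignored' : 'no');
printf("session_id()    : %s\n", session_id());
printf("username        : %s\n", $_SESSION['username'] ?? '(not set, new session)');
```

With cookies enabled the last line prints admin. With cookies blocked, each request prints a fresh session_id() and no username, which is the mismatch the question describes.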
The subject of the question does not have a solid foundation. First of all, the SID variable is not assigned a value. Secondly, the get parameter does not even include key=. Finally, who told you that ordinary variables can be passed across pages? Unless it is a session or application super global variable.
I would like to know where you learned about sessions passing through URLs. I may be able to give you an answer after reading the original article.