How to design/code for VB2.0 style session hash


sunit
Fri 23rd Feb '01, 8:23pm
It was interesting to know that vBulletin2.0 can work without cookies for session management. It appends a session id in the URL itself!

Now call me dumb or naive, but could you please explain how this is done?

I would like to make a sample site (on local Windows 98 PC of course ;) ) where cookies are not used for session management.

The Professional PHP Worx book talks of sessions and uses a Shopping cart example but it's not very clear.

If the developers of vBulletin don't mind, could they please shower a few pearls of their wisdom and knowledge on this PHP newbie? :)

sunit
Fri 23rd Feb '01, 8:29pm
I forgot to mention that if vBulletin does share their technique, rest assured that this is for self-learning only. I don't think I can come up with a product like vBulletin :D

I just want to learn from the gurus on this board :cool:

Mas*Mind
Fri 23rd Feb '01, 8:33pm
Generate a unique sessionid for each user depending on their useragent and ip (md5 (http://www.php.net/manual/function.md5.php))
Keep a sessiontable with a unique id based on the previously generated sessionid and all the other information you wanna store
Append this sessionhash after every hyperlink in your code so you can pull out the information identified by this sessionhash after every request

sunit
Fri 23rd Feb '01, 9:44pm
Thanks for the advice. It was a starting point. Basically I would not like to use the server's session variables (like in ASP) so as to avoid taxing the server too much when many concurrent users are online.

Also, how to design the logout scheme?

Any code samples would help :D

Thanks in advance.

JohnM
Sat 24th Feb '01, 9:49am
Basically, you come up with something to generate the 'sessionhash', i.e. md5(localtime());
then you INSERT it into a database table called 'session'
then pass that variable to every page

if a page is called with a sessionhash, you load the information from the session table in the database.

vBulletin's session scheme has a few more checks to assure you're the session's owner, I.E. IP address, user agent, etc.

sunit
Mon 26th Feb '01, 2:06pm
As per the documentation and some books/tutorials, there is a possibility to use mod_rewrite of Apache or use the trans_sid of PHP4.0

Please suggest if these are better schemes?

Also, does vBulletin 2.0 now use only Session Hash and database for session management or also cookies along with the session hash for sessions?

Thanks,

Sunit

sunit
Fri 16th Mar '01, 1:35pm
I have been reading the PHP code of vBulletin2.0 and I found it to be quite advanced where session management is concerned. All the facilities like user being able to choose sessionhash or cookies, etc. are really good.

Now, since I am learning PHP, I am designing a test site on my PC. I just need to make a simpler version of session management with the sessionhash and cookies.

I know there are many ready-made solutions and libraries, but then there is no fun in learning the intricate details. So please help me as you have always helped before.

Scenario:
My test site will allow a user to browse the site as a logged in user or as a guest.
I don't need the ability to recognise and automatically log in a user if the user returns to the site again
In case user is logged in he can see all items on a page else cannot see all items (this is simple and I can handle this I think)


I know this may sound trivial to you PHP gurus, but please tell me if the following logic is good enough:
User logs in
Check against dB if valid user
Set a cookie - with unique sessionhash & username/userid
On each page that user visits compare sessionhash from cookie with sessionhash in URL
User logs out - my code will clear sessionhash and other cookies
User now comes as guest - site code checks for sessionhash cookie.
Cookie not present
User is now treated as guest


Should I create sessionhash cookies which will just last for the session or should I set expire limit as one year or more?

Any help and advice is really appreciated.

Thank you,

Sunit
http://www.eCharcha.Com/
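
The session table JohnM describes and the login/logout flow asked about above, as an added example that is not from the thread or from vBulletin's code. It draws the hash from `random_bytes()` instead of `md5()` of the time, IP or user agent, because those inputs are guessable; the table layout, the `sh_*` function names, the 900-second timeout and the in-memory SQLite database (PDO with the sqlite driver) are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration: table layout, function names and the timeout are assumptions.
const IDLE_TIMEOUT = 900; // seconds of inactivity allowed (assumed value)

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE session (sessionhash TEXT PRIMARY KEY,
        userid INTEGER NOT NULL, useragent TEXT NOT NULL, lastactivity INTEGER NOT NULL)');
    return $db;
}

// Login: issue an unguessable 128-bit hash from the CSPRNG and store the row.
function sh_create(PDO $db, int $userid, string $ua, int $now): string {
    $hash = bin2hex(random_bytes(16)); // 32 hex chars, same shape as an md5 string
    $db->prepare('INSERT INTO session VALUES (?, ?, ?, ?)')
       ->execute([$hash, $userid, $ua, $now]);
    return $hash;
}

// Every request: look the hash up, check the owner and idle time, refresh activity.
// Returns the userid, or 0 (guest) when the hash is malformed, unknown, stale or mismatched.
function sh_load(PDO $db, string $hash, string $ua, int $now): int {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $hash)) return 0;
    $st = $db->prepare('SELECT userid, useragent, lastactivity FROM session WHERE sessionhash = ?');
    $st->execute([$hash]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['useragent'] !== $ua
        || $now - (int)$row['lastactivity'] > IDLE_TIMEOUT) {
        return 0;
    }
    $db->prepare('UPDATE session SET lastactivity = ? WHERE sessionhash = ?')
       ->execute([$now, $hash]);
    return (int)$row['userid'];
}

// Logout: delete the row so the hash is dead on the server, not only cleared in the browser.
function sh_end(PDO $db, string $hash): void {
    $db->prepare('DELETE FROM session WHERE sessionhash = ?')->execute([$hash]);
}

// Constructed walk-through with a fixed clock and sample user-agent strings.
$db = open_db();
$h  = sh_create($db, 42, 'Mozilla/4.0 (sample)', 1000);
var_dump(sh_load($db, $h, 'Mozilla/4.0 (sample)', 1100)); // same browser
var_dump(sh_load($db, $h, 'OtherAgent/1.0', 1200));        // different user agent
sh_end($db, $h);
var_dump(sh_load($db, $h, 'Mozilla/4.0 (sample)', 1300)); // after logout
```

A hash carried in the URL also lands in Referer headers, browser history and proxy logs, so the server-side idle timeout and the row deletion at logout are what bound how long a leaked hash stays usable.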

sunit
Fri 25th May '01, 6:09pm
Awaiting some more inputs...???:(