AmigaKit down?

[motorollin]

Yes.

[motorollin]

Bananas for you Amigakit:

:banana: :banana: :banana: :banana: :banana:

[motorollin]

uk.amigakit.com and amigakit.co.uk both working fine here on Safari and Firefox.

[motorollin]

Maybe the session ID (which seems to be passed within the URL) happens to sometimes go above the limit on the number of characters the web server will accept as a valid URL.

[motorollin]

Looks like whatever redirects to GBP.php is appending the session ID loads of times instead of just once. If you edit the URL to just http://amigakit.leamancomputing.com/catalog/GBP.php?lcsid=xxxxxxxxxxxxxxxxxxxxxxxxxxx then does it work?

Edit - edit your post to remove the session ID. I just got in to your account!
Edit - it's ok, I just did you a favour and logged you off so the session ID is no longer valid.

[motorollin]

amigakit wrote:
in interests of security, please edit the session IDs out of this thread ASAP!  Thanks.

Ok, done. Though it shouldn't matter now since I logged the session out.

[motorollin]

tonyyeb wrote:
Why is the session URL sensitive? I've seen people post links with the session ID in, are people putting personal data at risk?

The session ID is used to identify which user is logged on. When I clicked the link with your session I was able to access the site as if I were logged on as you, meaning I could access your account. That's why it is not secure to post a link with a session ID.

[motorollin]

weirdami wrote:
I'd say perhaps that in the further interest of security that those session ID things be not used. If that's impossible, maybe do like how there is a generic URL that loads things from a session ID accessible page.

The session ID can be stored in a cookie and passed to the web server, or passed between pages by storing it in $_SESSION. Either of these would be preferable to passing the session ID in the URL.

[motorollin]

LoadWB wrote:
The PHPSESSION value stored in a Cookie or POST identifies the session to a new page in order to populate the $_SESSION super-global.  So you can't store the session ID in a $_SESSION variable and expect it to work.

I'll have to take your word for that. I could never get sessions working properly using $_SESSION so I don't think I understood it properly. I ended up storing the user's variables in a database table and recovering them using the session ID stored in the cookie :-?

[motorollin]

LoadWB wrote:
It's actually easier than it seems.  Before you send any output to the browser, issue a start_session() then you can begin populating $_SESSION variables.  On the next page, issue a start_session() again and you can use the variables.  When you're done, issue a session_destroy() and that's it.

So how does the web server know which session to issue to the browser on subsequent calls to start_session()? Is there a predefined variable which you set to the session ID for start_session() to pass back?