Parpalak wrote: I wonder how a forum can function at all with cookies disabled. A user can't log in if cookies are disabled.
Why should a user want to log in? All my users are guests. Forum registration is disabled and it is not needed because the guests have all necessary rights. For example, in my bug-report-forum they are allowed to post topics which I try to answer. However, guests are required to solve a captcha on every post.
I know that many users consider the registration procedure a burden, especially if email is required; some won't even try to post. I hope my answer gives you new insights into the usage of your software, but I wonder that you did not consider it could be used that way.
Parpalak wrote: What kind of professional help do you need?
What I was trying to do is to provide an alternate way of captcha verification, a way without using cookies, using a URL parameter to transmit the session ID (in order to recreate the session variable after submit). I know there are general security concerns regarding URL session IDs, but in this case they do not apply since it is used for guest status only.
I changed PHP INI to support trans_sid. Recreating a session variable after being submitted from another PHP file worked fine in my test environment. However, there were problems using the same procedure in PunBB/pun_antispam.
For a first test I modified form-action in post.php to:
action="<?php echo 'post.php?fid=3' ?>&<?php echo strip_tags(SID); ?>"
... to use a relative path (needed for URL-SID) and to add the SID as parameter (in forms PHP does not add it automatically).
In the po_end_validation hook (manifest.xml of pun_antispam) the session variable $_SESSION['pun_antispam_text'] should have been recreated directly after the session_start() instruction.
This unfortunately did not happen (the SID was transferred successfully via URL); it was still empty, although the same procedure worked properly in my test with two simple PHP files. Any help appreciated.
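
The cookieless captcha flow described in this post, as an added example (not code from the post, PunBB or pun_antispam). The file name captcha_demo.php, the field name answer, the session key captcha_answer and the arithmetic challenge are assumptions; the session options are passed to session_start() itself because with PHP's default use_only_cookies=1 a session ID arriving in the URL is ignored and an empty session is started.

```php
<?php
// Added example. Assumed names: captcha_demo.php, "answer", "captcha_answer".
// Options must take effect before the session starts, so they are passed
// directly to session_start() instead of being set later in the request.
session_start([
    'use_cookies'      => 0, // never send a session cookie
    'use_only_cookies' => 0, // accept the session ID from the URL
    'use_trans_sid'    => 0, // the ID is appended by hand below
    'use_strict_mode'  => 1, // replace IDs that PHP did not issue itself
]);

// name=id pair that the form action has to carry to the next request.
$sidParam = session_name() . '=' . rawurlencode(session_id());
$message  = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $expected = $_SESSION['captcha_answer'] ?? null;
    // Single use: a solved challenge cannot be replayed with the same ID.
    unset($_SESSION['captcha_answer']);
    $given = $_POST['answer'] ?? '';
    $given = is_string($given) ? trim($given) : '';

    if ($expected === null) {
        // Same symptom as in the post: the ID arrived, the variable did not.
        $message = 'No challenge stored for this session ID.';
    } elseif (hash_equals($expected, $given)) {
        $message = 'Captcha passed.';
    } else {
        $message = 'Captcha failed.';
    }
}

// Issue a fresh challenge for the next request.
$a = random_int(1, 9);
$b = random_int(1, 9);
$_SESSION['captcha_answer'] = (string) ($a + $b);
?>
<p><?= htmlspecialchars($message) ?></p>
<form method="post" action="captcha_demo.php?<?= htmlspecialchars($sidParam) ?>">
    <label><?= $a ?> + <?= $b ?> = <input name="answer"></label>
    <button type="submit">Post</button>
</form>
```

When the stored value is missing although the ID was transmitted, comparing session_name() and session_id() on both requests shows whether the second request attached to the same session or to a new, empty one.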