|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2000-07-10 21:33 UTC] fseesink at usa dot net
* Using PHP v4.0.1pl2 Win32 binary provided by PHP.NET/Zend.com
[NOTE: It would be helpful to add binary releases to your 'PHP version:' field above, as v4.0.1, v4.0.1pl1, and v4.0.1pl2 are not listed above.]
* Zend Optimizer RC1 also installed
* In PHP.INI, all configured properly: session.save_path, session.save_handler = files, etc.
[Question: PHP.INI file contains "session.cookie_lifetime", but PHP Manual says "session.lifetime". Which is correct? Have put in both to be safe.]
* USING ISAPI module installed as ISAPI filter & AppMapping in IIS4 as described in README.TXT file, new session ids are created on each invocation of a new page, thereby eliminating any chance for session variables to propogate properly. After initial session file properly created, subsequent session files are 0 bytes, indicating no variables stored.
* USING CGI module (PHP.EXE), keep receiving "Warning: open(/tmp/sess_f30188520bcdfb68ecd0baf4236475b7, O_RDWR) failed" errors. Session id do at least stay the same.
* Final notes: with ISAPI module setting cookies appears to work as expected, and reading cookies works also. However, with CGI version, apparently unable to either set cookies or read them back in. Also, IIS' inetinfo.exe crashes about 1/2 the time when attempting to 'net stop iisadmin' with the ISAPI modules installed.
Scripts used to test this:
**********[ Check4SessionId.PHP ]**********
<?
if ( isset($HTTP_COOKIE_VARS["PHPSESSID"]) ) {
echo "Yep, we got a cookie!<br>";
} else {
echo "Nope, no cookie.<br>";
}
?>
**********[ StartSession.PHP ]**********
<?
session_start();
echo "Have started a session.<br>";
?>
**********[ Page1.PHP ]**********
<?
session_start();
if (!$PHPSESSID) {
$userid=100;
$firstaccess=time();
$lastaccess=time();
session_register("userid");
session_register("firstaccess");
session_register("lastaccess");
}
$lastaccess = time();
?>
<HTML>
<HEAD>
<TITLE>Page 1</TITLE>
</HEAD>
<BODY>
This is page 1.<br>
<?
echo "\$PHPSESSID = '$PHPSESSID'<br>";
echo "\$userid = '$userid'<br>";
echo "\$firstaccess = '$firstaccess'<br>";
echo "\$lastaccess = '$lastaccess'<p>";
?>
<A HREF="page2.php">Page 2</A>.<p>
</BODY>
</HTML>
**********[ Page2.PHP ]**********
**********[ Page3.PHP ]**********
**********[ Page4.PHP ]**********
Same as above, only with slight changes so that Page1 links to Page 2, Page2->Page3, Page3->Page4, and Page4->Page1.
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Thu Oct 30 18:00:02 2025 UTC |
Sorry, meant to include this but didn't want to clutter things up since it's so long. But for completeness here ya go, the PHP.INI file, which should put the issue of session.save_path to bed, among other things: ____________________________________________________________ [PHP] ; NOTE: Search for '***' to find modifications ;;;;;;;;;;;;;;;;;;; ; About this file ; ;;;;;;;;;;;;;;;;;;; ; This file controls many aspects of PHP's behavior. In order for PHP to ; read it, it must be named 'php.ini'. PHP looks for it in the current ; working directory, in the path designated by the environment variable ; PHPRC, and in the path that was defined in compile time (in that order). ; Under Windows, the compile-time path is the Windows directory. The ; path in which the php.ini file is looked for can be overriden using ; the -c argument in command line mode. ; ; The syntax of the file is extremely simple. Whitespace and Lines ; beginning with a semicolon are silently ignored (as you probably guessed). ; Section headers (e.g. [Foo]) are also silently ignored, even though ; they might mean something in the future. ; ; Directives are specified using the following syntax: ; directive = value ; Directive names are *case sensitive* - foo=bar is different from FOO=bar. ; ; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one ; of the INI constants (On, Off, True, False, Yes, No and None) or an expression ; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo"). ; ; Expressions in the INI file are limited to bitwise operators and parentheses: ; | bitwise OR ; & bitwise AND ; ~ bitwise NOT ; ; Boolean flags can be turned on using the values 1, On, True or Yes. ; They can be turned off using the values 0, Off, False or No. ; ; An empty string can be denoted by simply not writing anything after the equal ; sign, or by using the None keyword: ; ; foo = ; sets foo to an empty string ; foo = none ; sets foo to an empty string ; foo = "none" ; sets foo to the string 'none' ; ; If you use constants in your value, and these constants belong to a dynamically ; loaded extension (either a PHP extension or a Zend extension), you may only ; use these constants *after* the line that loads the extension. ; ; All the values in the php.ini-dist file correspond to the builtin ; defaults (that is, if no php.ini is used, or if you delete these lines, ; the builtin defaults will be identical). ; To create an 'optimized', PHP 4-style version of the php.ini-dist file, ; we need to create different values for several directives, in order to ; improve performance, while possibly breaking compatibility with the ; standard out-of-the-box behavior of PHP 3. Please make sure you read ; what's different, and modify your scripts accordingly, if you decide to use ; these features instead (which is recommended!) ; ; - allow_call_time_pass_reference = Off ; It's not possible to decide to force a variable to be passed by reference ; when calling a function. The PHP 4 style to do this is by making the ; function require the relevant argument by reference. ; - register_globals = Off ; Global variables are no longer registered for input data (POST, GET, ; cookies, environment and other server variables). Instead of using $foo, ; you must use $HTTP_POST_VARS["foo"], $HTTP_GET_VARS["foo"], ; $HTTP_COOKIE_VARS["foo"], $HTTP_ENV_VARS["foo"] or ; $HTTP_SERVER_VARS["foo"], depending on which kind of input source you're ; expecting 'foo' to come from. ; - register_argc_argv = Off ; Disables registration of the somewhat redundant $argv and $argc global ; variables. ; - magic_quotes_gpc = Off ; Input data is no longer escaped with slashes so that it can be sent into ; SQL databases without further manipulation. Instead, you should use the ; function addslashes() on each input element you wish to send to a ; database. ; - variables_order = "GPCS" ; The environment variables are not hashed into the $HTTP_ENV_VARS[]. To ; access environment variables, you can use getenv() instead. ;;;;;;;;;;;;;;;;;;;; ; Language Options ; ;;;;;;;;;;;;;;;;;;;; engine = On ; Enable the PHP scripting language engine ; under Apache short_open_tag = On ; allow the <? tag. otherwise, only <?php ; and <script> tags are recognized. asp_tags = On ; *** MODIFIED from 'Off' *** ; allow ASP-style <% %> tags precision = 14 ; number of significant digits displayed in ; floating point numbers y2k_compliance = Off ; whether to be year 2000 compliant (will ; cause problems with non y2k compliant ; browsers) output_buffering = Off ; Output buffering allows you to send header ; lines (including cookies) even after you ; send body content, in the price of slowing ; PHP's output layer a bit. ; You can enable output buffering by in ; runtime by calling the output buffering ; functions, or enable output buffering for ; all files by setting this directive to On. implicit_flush = Off ; Implicit flush tells PHP to tell the output ; layer to flush itself automatically after ; every output block. This is equivalent to ; calling the PHP function flush() after each ; and every call to print() or echo() and ; each and every HTML block. ; Turning this option on has serious ; performance implications, and is generally ; recommended for debugging purposes only. allow_call_time_pass_reference = Off ; *** MODIFIED from 'On' *** ; whether to enable the ability to force ; arguments to be passed by reference at ; function-call time. This method is ; deprecated, and is likely to be unsupported ; in future versions of PHP/Zend. The ; encouraged method of specifying which ; arguments should be passed by reference is ; in the function declaration. You're ; encouraged to try and turn this option Off, ; and make sure your scripts work properly ; with it, to ensure they will work with ; future versions of the language (you will ; receive a warning each time you use this ; feature, and the argument will be passed by ; value instead of by reference). ; Safe Mode safe_mode = Off safe_mode_exec_dir = safe_mode_allowed_env_vars = PHP_ ; Setting certain environment variables may ; be a potential security breach. This ; directive contains a comma-delimited list ; of prefixes. In Safe Mode, the user may ; only alter environment variables whose ; names begin with the prefixes supplied ; here. ; By default, users will only be able ; to set environment variables that begin ; with PHP_ (e.g. PHP_FOO=BAR). ; Note: If this directive is empty, PHP ; will let the user modify ANY environment ; variable! safe_mode_protected_env_vars = LD_LIBRARY_PATH ; This directive contains a comma-delimited ; list of environment variables, that the end ; user won't be able to change using ; putenv(). These variables will be ; protected even if ; safe_mode_allowed_env_vars is set to allow ; to change them. ; Colors for Syntax Highlighting mode. Anything that's acceptable in ; <font color=???> would work. highlight.string = #DD0000 highlight.comment = #FF8000 highlight.keyword = #007700 highlight.bg = #FFFFFF highlight.default = #0000BB highlight.html = #000000 ; Misc expose_php = On ; Decides whether PHP may expose the fact ; that it is installed on the server (e.g., ; by adding its signature to the Web server ; header). ; It is no security threat in any way, but it ; makes it possible to determine whether you ; use PHP on your server or not. ;;;;;;;;;;;;;;;;;;; ; Resource Limits ; ;;;;;;;;;;;;;;;;;;; max_execution_time = 30 ; Maximum execution time of each script, in ; seconds (UNIX only) memory_limit = 8388608 ; Maximum amount of memory a script may ; consume (8MB) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Error handling and logging ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; error_reporting is a bit-field. Or each number up to get desired error ; reporting level ; E_ALL - All errors and warnings ; E_ERROR - fatal run-time errors ; E_WARNING - run-time warnings (non fatal errors) ; E_PARSE - compile-time parse errors ; E_NOTICE - run-time notices (these are warnings which ; often result from a bug in your code, but ; it's possible that it was intentional ; (e.g., using an uninitialized variable and ; relying on the fact it's automatically ; initialized to an empty string) ; E_CORE_ERROR - fatal errors that occur during PHP's ; initial startup ; E_CORE_WARNING - warnings (non fatal errors) that occur ; during PHP's initial startup ; E_COMPILE_ERROR - fatal compile-time errors ; E_COMPILE_WARNING - compile-time warnings (non fatal errors) ; E_USER_ERROR - user-generated error message ; E_USER_WARNING - user-generated warning message ; E_USER_NOTICE - user-generated notice message ; Examples: ; error_reporting = E_ALL & ~E_NOTICE ; ; show all errors, except for notices ; error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR ; ; show only errors error_reporting = E_ALL & ~E_NOTICE ; Show all errors except for notices display_errors = On ; Print out errors (as a part of the HTML ; script) log_errors = Off ; Log errors into a log file (server-specific ; log, stderr, or error_log (below)) track_errors = Off ; Store the last error/warning message in ; $php_errormsg (boolean) ;error_prepend_string = "<font color=ff0000>" ; string to output before an error message ;error_append_string = "</font>" ; string to output after an error message ;error_log = filename ; log errors to specified file ;error_log = syslog ; log errors to syslog (Event Log on NT, not ; valid in Windows 95) warn_plus_overloading = Off ; warn if the + operator is used with strings ;;;;;;;;;;;;;;;;; ; Data Handling ; ;;;;;;;;;;;;;;;;; variables_order = "GPCS" ; *** MODIFIED from "EGPCS" *** ; This directive describes the order in which ; PHP registers GET, POST, Cookie, ; Environment and Built-in variables (G, P, ; C, E & S respectively, often referred to as ; EGPCS or GPC). ; Registration is done from left to right, ; newer values override older values. register_globals = On ; *** MODIFIED from 'On' *** ; Whether or not to register the EGPCS ; variables as global variables. You may ; want to turn this off if you don't want to ; clutter your scripts' global scope with ; user data. This makes most sense when ; coupled with track_vars - in which case ; you can access all of the GPC variables ; through the $HTTP_*_VARS[], variables. register_argc_argv = Off ; *** MODIFIED from 'On' *** ; This directive tells PHP whether to declare ; the argv&argc variables (that would contain ; the GET information). If you don't use ; these variables, you should turn it off for ; increased performance track_vars = On ; enable the $HTTP_*_VARS[] arrays, where * ; is one of ENV, POST, GET, COOKIE or SERVER. gpc_order = "GPC" ; This directive is deprecated. Use ; variables_order instead. ; Magic quotes magic_quotes_gpc = On ; magic quotes for incoming GET/POST/Cookie ; data magic_quotes_runtime = On ; *** MODIFIED from 'Off' ; magic quotes for runtime-generated data, ; e.g. data from SQL, from exec(), etc. magic_quotes_sybase = Off ; Use Sybase-style magic quotes (escape ' ; with '' instead of \') ; automatically add files before or after any PHP document auto_prepend_file = auto_append_file = ; As of 4.0b4, PHP always outputs a character encoding by default in ; the Content-type: header. To disable sending of the charset, simply ; set it to be empty. ; PHP's built-in default is text/html default_mimetype = "text/html" ;default_charset = "iso-8859-1" ;;;;;;;;;;;;;;;;;;;;;;;;; ; Paths and Directories ; ;;;;;;;;;;;;;;;;;;;;;;;;; include_path = ; UNIX: "/path1:/path2" ; Windows: "\path1;\path2" doc_root = "E:\InetPub\wwwroot" ; *** MODIFIED *** ; the root of the php pages, used only if ; nonempty ;open_basedir = "E:\InetPub\wwwroot" user_dir = ; the directory under which php opens the ; script using /~username, used only if ; nonempty ;upload_tmp_dir = ; temporary directory for HTTP uploaded ; files (will use system default if not ; specified) upload_max_filesize = 2097152 ; 2 Meg default limit on file uploads extension_dir = "E:\InetPub\PHP" ; *** MODIFIED from './' *** ; directory in which the loadable extensions ; (modules) reside ;;;;;;;;;;;;;;;;;;;;;; ; Dynamic Extensions ; ;;;;;;;;;;;;;;;;;;;;;; ; if you wish to have an extension loaded automaticly, use the ; following syntax: extension=modulename.extension ; for example, on windows, ; extension=msql.dll ; or under UNIX, ; extension=msql.so ; Note that it should be the name of the module only, no directory information ; needs to go here. Specify the location of the extension with the ; extension_dir directive above. ;Windows Extensions ;extension = php_mysql.dll ;extension = php_nsmail.dll extension = php_calendar.dll ;extension = php_dbase.dll ;extension = php_filepro.dll ;extension = php_gd.dll ;extension = php_dbm.dll ;extension = php_mssql.dll ;extension = php_zlib.dll ;extension = php_imap4r2.dll ;extension = php_ldap.dll ;extension = php_crypt.dll ;extension = php_msql2.dll ;extension = php_odbc.dll ;;;;;;;;;;;;;;;;;;; ; Module Settings ; ;;;;;;;;;;;;;;;;;;; [Syslog] define_syslog_variables = Off ; Whether or not to define the various syslog ; variables, e.g. $LOG_PID, $LOG_CRON, etc. ; Turning it off is a good idea performance- ; wise. In runtime, you can define these ; variables by calling ; define_syslog_variables() [mail function] SMTP = smtp.wvnet.edu ; *** MODIFIED from 'localhost' *** ; for win32 only sendmail_from = fseesink@usa.net ; *** MODIFIED from 'me@localhost.com' *** ; for win32 only ;sendmail_path = ;for unix only, may supply arguments as well ; (default is sendmail -t) [Debugger] debugger.host = localhost debugger.port = 7869 debugger.enabled = False [Logging] ; These configuration directives are used by the example logging mechanism. ; See examples/README.logging for more explanation. ;logging.method = db ;logging.directory = /path/to/log/directory [SQL] sql.safe_mode = Off [ODBC] ;uodbc.default_db = Not yet implemented ;uodbc.default_user = Not yet implemented ;uodbc.default_pw = Not yet implemented uodbc.allow_persistent = On ; allow or prevent persistent links uodbc.check_persistent = On ; check that a connection is still ; validbefore reuse uodbc.max_persistent = -1 ; maximum number of persistent links. -1 ; means no limit uodbc.max_links = -1 ; maximum number of links (persistent+non ; persistent). -1 means no limit uodbc.defaultlrl = 4096 ; Handling of LONG fields. Returns number of ; bytes to variables, 0 means passthru uodbc.defaultbinmode = 1 ; Handling of binary data. 0 means passthru, ; 1 return as is, 2 convert to char ; See the documentation on odbc_binmode and odbc_longreadlen for an explanation ; of uodbc.defaultlrl and uodbc.defaultbinmode [MySQL] mysql.allow_persistent = On ; allow or prevent persistent link mysql.max_persistent = -1 ; maximum number of persistent links. -1 ; means no limit mysql.max_links = -1 ; maximum number of links (persistent+non ; persistent). -1 means no limit mysql.default_port = ; default port number for mysql_connect(). ; If unset, mysql_connect() will use the ; $MYSQL_TCP_PORT, or the mysql-tcp entry in ; /etc/services, or the compile-time defined ; MYSQL_PORT (in that order). Win32 will ; only look at MYSQL_PORT. mysql.default_host = ; default host for mysql_connect() (doesn't ; apply in safe mode) mysql.default_user = ; default user for mysql_connect() (doesn't ; apply in safe mode) mysql.default_password = ; default password for mysql_connect() ; (doesn't apply in safe mode) ; Note that this is generally a *bad* idea to ; store passwords in this file. *Any* user ; with PHP access can run ; 'echo cfg_get_var("mysql.default_password")' ; and reveal that password! And of course, ; any users with read access to this file ; will be able to reveal the password as well. [mSQL] msql.allow_persistent = On ; allow or prevent persistent link msql.max_persistent = -1 ; maximum number of persistent links. -1 ; means no limit msql.max_links = -1 ; maximum number of links (persistent+non ; persistent). -1 means no limit [PostgresSQL] pgsql.allow_persistent = On ; allow or prevent persistent link pgsql.max_persistent = -1 ; maximum number of persistent links. -1 ; means no limit pgsql.max_links = -1 ; maximum number of links (persistent+non ; persistent). -1 means no limit [Sybase] ;*** REMOVED SO SESSION INFO WOULD FIT [Sybase-CT] ;*** REMOVED SO SESSION INFO WOULD FIT [bcmath] bcmath.scale = 0 ; number of decimal digits for all bcmath ; functions [browscap] browscap = D:\WINNT\System32\inetsrv\browscap.ini [Informix] ;*** REMOVED SO SESSION INFO WOULD FIT [Session] session.save_handler = files ; handler used to store/retrieve data session.save_path = E:\InetPub\sessions ; *** MODIFIED from '/tmp' *** ; argument passed to save_handler ; in the case of files, this is the ; path where data files are stored session.use_cookies = 1 ; whether to use cookies session.name = PHPSESSID ; name of the session ; is used as cookie name session.auto_start = 0 ; initialize session on request startup session.lifetime = 0 ; In docs but not in PHP.INI session.cookie_lifetime = 0 ; lifetime in seconds of cookie ; or if 0, until browser is restarted session.cookie_path = / ; the path the cookie is valid for session.cookie_domain = ; the domain the cookie is valid for session.serialize_handler = php ; handler used to serialize data ; php is the standard serializer of PHP session.gc_probability = 1 ; percentual probability that the ; 'garbage collection' process is started ; on every session initialization session.gc_maxlifetime = 1440 ; after this number of seconds, stored ; data will be seen as 'garbage' and ; cleaned up by the gc process session.referer_check = 1 ; *** MODIFIED from blank *** ; check HTTP Referer to invalidate ; externally stored URLs containing ids session.entropy_length = 0 ; how many bytes to read from the file session.entropy_file = ; specified here to create the session id ; session.entropy_length = 16 ; session.entropy_file = /dev/urandom session.cache_limiter = nocache ; set to {nocache,private,public} to ; determine HTTP caching aspects session.cache_expire = 180 ; document expires after n minutes [MSSQL] ;extension = php_mssql.dll mssql.allow_persistent = On ; allow or prevent persistent link mssql.max_persistent = -1 ; maximum number of persistent links. -1 ; means no limit mssql.max_links = -1 ; maximum number of links (persistent+non ; persistent). -1 means no limit mssql.min_error_severity = 10 ; minimum error severity to display mssql.min_message_severity = 10 ; minimum message severity to display mssql.compatability_mode = Off ; compatability mode with old versions of ; PHP 3.0. [Assertion] ;assert.active = On ; assert(expr); active by default ;assert.warning = On ; issue a PHP warning for each failed ; assertion. ;assert.bail = Off ; don't bail out by default. ;assert.callback = 0 ; user-function to be called if an assertion ; fails. ;assert.quiet_eval = 0 ; eval the expression with current ; error_reporting(). set to true if you want ; error_reporting(0) around the eval(). ;*********************************************************** ; Zend Optimizing compiler added in (Beta 4) ;*********************************************************** zend_optimizer.optimization_level=15 zend_extension_ts="D:\Program Files\Zend\lib\ZendOptimizer.dll" ; Local Variables: ; tab-width: 4 ; End: ____________________________________________________________More debug info regarding PHP v4.0.1pl2. I have now tested the errors I have encountered on two different PCs, both running Windows NT Server 4 SP5 with IIS4. The configs as far as file locations are slightly different: PC#1 (both D: & E: are NTFS) ---- D:\WINNT - drive system installed on E:\InetPub\wwwroot - root of website E:\InetPub\wwwroot\php - where PHP scripts located E:\InetPub\wwwroot\php\sessions - where Page1.PHP, Page2.PHP, etc. located E:\InetPub\sessions - directory where PHP.INI pointed to store session ID files PC#2 (D: is NTFS) ---- D:\WINNT - drive system installed on D:\InetPub\wwwroot - root of website D:\InetPub\wwwroot\php - where PHP scripts located D:\InetPub\wwwroot\php\sessions - where Page1.PHP, Page2.PHP, etc. located D:\InetPub\sessions - directory where PHP.INI pointed to store session ID files Interestingly enough, on PC#2 the CGI error of "Warning: open(/tmp/sess_f30188520bcdfb68ecd0baf4236475b7, O_RDWR) failed" did not occur. HOWEVER, one consistent error that I have been able to reproduce on BOTH PCs and that cause the same sequence of errors while using the ISAPI module is the following: 1. Fire up a new browser (to make sure no PHPSESSIDs are set). 2. Load Page1.PHP. The output of this page does not show a PHPSESSID value as it has been setup but not yet transmitted to the client as a cookie. Checking .\sessions directory shows a sessionid file has indeed been created and variable values stored. 3. Click on the Page 2 link to load Page2.PHP. Now the sessionid created by Page1 is shown and all seems right with the world. Checking .\sessions shows that indeed just one sessionid file exists and $lastaccess updated properly in file. 4. Click on the Page 3 link to load Page3.PHP. Now the madness begins. No longer showing values for $userid or $firstaccess, the page still shows the initial sessionid. HOWEVER, looking in .\sessions shows that a NEW sessionid file has been created (0 bytes). $lastaccess is updated on the page but not in the sessionid file. 5. Clicking on Page 4 link to load Page4.PHP, we now find the session id shown is that of the 2nd sessionid file created. $userid & $firstaccess remain empty, $lastaccess is updated on page but not in a session file, and in .\sessions we find yet ANOTHER session id file (0 bytes). 6. Clicking on Page 1 link to return us to Page1.PHP, we now see the session id of the file created when loading Page 4, $userid & $firstaccess remain empty, and yet another session id file is created (0 bytes) in .\sessions. 7. Clicking on Page 2 link to load Page2.PHP a second time, interesting thing happens. Just as the first time around, Page2.PHP now shows the sessionid of the file created when loading Page1.PHP (this is the second sessionid created by Page1.PHP, mind you, not the original). $userid & $firstaccess remain empty, but NO NEW SESSION FILE CREATED! 8. Clicking on Page 3 link to load Page3.PHP, we now see the same session ID that we just saw on Page2.PHP, $userid & $firstaccess will remain forever empty, and now once again a new session file (0 bytes) is created in .\sessions. This pattern repeats itself over and over again. All the pages except Page2.PHP cause new session id files to be created through each iteration of the loop. Go figure. I hope this helps the PHP engine coders out there. Between this and the various issues I have encountered trying to work with setting cookies & headers, I so far am finding PHP4 to be less than usable. I've had nothing but frustration attempting to do setcookie(), header() and session_start() in the same file...and no, there's no other output prior to these calls. The errors do not involve the "header has already been sent" message.. In many cases the cookies simply refuse to be set at all. Newbies will get quickly frustrated, thinking they do not understand when in fact it is the engine that is failing them. At least on the IIS side of life. Yeah yeah, I know, I should use Apache, etc., but right now it's what I'm stuck with. But being open source and grammatically well-designed, PHP is the only scripting language I will use.