WML, Sessions and Security

[beingchinmay]

One aspect of WAP devices of which you need to be aware is that many are not able to save cookies locally, as they’re not backed by a spare gigabyte or two of available disk space. This presents a problem for sessions, as you won’t be able to use the cookie mechanism to allow clients to provide their session ID to you.The alternative mechanism PHP provides is to add the session ID as a GET variable, rewriting every URL in your page to add a variable typically named PHPSESSID. This can be invoked by HAW_deck’s enable_session method, but comes at a price; non-relative URLs will not have the session ID added to them for the sake of security.

In cases where you need it, you can add the session ID yourself, like this:

<?php
session_start();
?>
<a href="http://www.sitepoint.com/?<?php echo SID;
?>">SitePoint</a>

Be careful not to add the session ID to external links; this will broadcast it to those linked sites, and can potentially lead to session hijacking.

Overall, as you can see, building a WML-based site is very easy. Yet, you may be wondering whether it’s worth it, given the limited number of people who surf that way. Let me just give you a tip—developers working in this area get paid almost twice what their HTML-based brethren receive. Enough said.