Quote:
Originally Posted by sde
i don't get it, .. why do you even use the session id in the url? session_id() returns the current session id. take this code for example, it will only start a session if a session_id does not exist:
PHP Code:
<?php
// Only start a session if one is not already active
if (!session_id()) {
    session_start();
}
?>
it seems like if you just went by session_id() instead of the url session id, it would be fine. am i missing something?
One "maybe" correction: I thought you had to call session_start() first, even if a session has already been started on a prior page. My understanding (and that's very limited in this area of PHP) is that a cookie is used to store PHPSESSIONID on the client, or is that optional?
Anyway, I came across this PHP Security article recently:
PHP Session Security
Ways to prevent session hijacking (intentional or accidental) are covered.
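Putting the two points above together (the session ID belongs in a cookie, not the URL, and session_start() must run before session_id() means anything in a request), here is an added example that is not from either poster or the linked article; it assumes PHP 7.3 or later and an HTTPS site, and the helper names onSuccessfulLogin and rotateIfStale are hypothetical.

```php
<?php
// Added example, not from the thread: cookie-only, regenerated session IDs.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and HTTPS.

// Never accept or emit session IDs in URLs; rely on the cookie only.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject client-supplied IDs the server never issued (blocks session fixation).
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,        // session cookie, removed when the browser closes
    'path'     => '/',
    'secure'   => true,     // sent only over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);

// session_id() is an empty string until session_start() runs in the
// current request, so the check in the quoted snippet always starts a
// session anyway; session_status() is the reliable test.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Hypothetical helper: call after a successful login so the pre-login ID
// (which an attacker may have observed or planted) is discarded.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);   // true deletes the old session data
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
}

// Hypothetical helper: periodic rotation limits how long a leaked ID is useful.
function rotateIfStale(int $maxAgeSeconds = 900): void
{
    if (isset($_SESSION['created_at'])
        && time() - $_SESSION['created_at'] > $maxAgeSeconds) {
        session_regenerate_id(true);
        $_SESSION['created_at'] = time();
    }
}

rotateIfStale();
```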