Monty writes:

Hi, is there any way to know if a site visitor has an existing session
without having to first start the session using session_start()?


I'm trying to avoid starting a valid session unless the visitor has been
authenticated and logged in, so, here's what I do now at the top of every
page:


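session_start();

// empty() avoids an undefined-index notice when 'loggedin' was never set.
if (empty($_SESSION['loggedin'])) {
    session_destroy();
    header("Location: /login.php"); // Send to Log-In page.
    exit; // Stop the rest of the page from running after the redirect.
}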


Is this the most efficient way to do this? I'd prefer to not have to start
then immediately destroy the session if it's possible to first know whether
a session exists without starting it.


I have my site set to store the PHPSESSID in a cookie only (not passed via
URL), so, would checking for the existence of $_COOKIE['PHPSESSID'] be a
reliable way of doing this?

I've been doing exactly that, it works great. I use,


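// Quote the key and test it before reading, so a missing cookie raises no notice.
$sessid = isset($_COOKIE['PHPSESSID']) ? $_COOKIE['PHPSESSID'] : null;

if ( isset($sessid) ) {
    session_start();
}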


I use 'if( isset($sessid) )' in the rest of the code if there are things that should only be done if there is a session. Only my login authentication page starts the session if there isn't a cookie. Of course, for security you ought to verify the session after starting it, and unset $sessid (and session_destroy() ) if something screwy is going on.

The reason I set things up like this is so that users are not bothered with cookies unless they need to be. I use cookies for the administration side of the site, but casual users don't need a session, so why should they have a cookie? -- I'm not a proponent of passing around useless data :).



Any other suggestions are appreciated!


Monty

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Aaron VonderHaar
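
The approach discussed in this thread (start a session only when the cookie is present, then verify it), as an added example that is not code from either poster. 'loggedin' is the flag from the question; the function names and the session-ID pattern are assumptions.

```php
<?php
// Added example, not code from the thread. Function names and the ID
// pattern below are assumptions made for illustration.

function resume_session_if_present(): bool
{
    $name = session_name();               // "PHPSESSID" by default

    // No cookie: anonymous visitor, so no session is started and no cookie is set.
    if (!isset($_COOKIE[$name]) || !is_string($_COOKIE[$name])) {
        return false;
    }

    // The cookie is client-controlled. Reject values that do not look like a
    // PHP session ID (assumed pattern: 22-256 characters of [A-Za-z0-9,-]).
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $_COOKIE[$name])) {
        expire_session_cookie($name);
        return false;
    }

    session_start();

    // A cookie alone proves nothing: the session must carry the login flag.
    if (empty($_SESSION['loggedin'])) {
        $_SESSION = [];
        session_destroy();
        expire_session_cookie($name);     // stop the stale ID being re-sent
        return false;
    }
    return true;
}

function expire_session_cookie(string $name): void
{
    $p = session_get_cookie_params();
    setcookie($name, '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
}

// Top of a protected page: only authenticated visitors get past this point.
if (!resume_session_if_present()) {
    header('Location: /login.php');
    exit;
}
```

On the login page, calling session_regenerate_id(true) right after a successful login keeps a cookie value chosen by the client from becoming the authenticated session ID.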