Thanks, Aaron, I tried this method and it appears to work just fine. Here's
a simplified version of what I'm doing:
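if (isset($_COOKIE[session_name()])) {
    session_start();
    // A session cookie was sent, but the session is not marked as logged in.
    if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== 'yea_baby') {
        session_destroy();
        $_SESSION = array();
        // Return to log-in page to re-authenticate.
        header("Location: /login.php");
        // Stop here so the rest of the page does not run after the redirect.
        exit;
    }
}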
So, this allows me to check to see if a session exists without having to
first start the session. If the cookie is found, then the session is started
and verified by checking a value. If the session value isn't there, then I
destroy the session, clear out the $_SESSION vars and send back to log-in
page. This only works if you are restricting passing session IDs via a
cookie, which I am doing to make my sessions a bit more secure.
Monty
> From: [EMAIL PROTECTED] (Aaron Christopher Vonderhaar)
> Newsgroups: php.general
> Date: Mon, 05 Apr 2004 00:43:52 -0400
> To: [EMAIL PROTECTED]
> Subject: Re: session_exist() ?? Can this be done?
>
> I've been doing exactly that, it works great. I use,
>
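> // Quote the array key and avoid reading an index that is not set.
> $sessid = isset($_COOKIE['PHPSESSID']) ? $_COOKIE['PHPSESSID'] : null;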
>
> if ( isset($sessid) ) {
> session_start();
> }
>
> I use 'if( isset($sessid) )' in the rest of the code if there are things
> that should only be done if there is a session. Only my login
> authentication page starts the session if there isn't a cookie. Of course,
> for security you ought to verify the session after starting it, and unset
> $sessid (and destroy_session() ) if something screwy is going on.
>
> The reason I set things up like this is so that users are not bothered with
> cookies unless they need to be. I use cookies for the administration side
> of the site, but casual users don't need a session, so why should they have
> a cookie? -- I'm not a proponent of passing around useless data :).
>
> Aaron VonderHaar
> ([EMAIL PROTECTED])
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
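
Added example, not code from either poster: the cookie-gated session check discussed in this thread, with the cookie-only restriction set explicitly and the session cookie expired on teardown, since session_destroy() alone leaves the cookie in the browser and the next request would resume the same ID. The function names, the ID format check and the use of session.use_strict_mode (PHP 5.5.2+) are assumptions of this example; 'loggedin' / 'yea_baby' and /login.php are taken from the post above.

```php
<?php
// Accept session IDs from cookies only, never from the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject IDs the server did not issue itself (PHP 5.5.2+).
ini_set('session.use_strict_mode', '1');

// Hypothetical helper: clear the data, expire the cookie, destroy the store.
function end_session_and_expire_cookie(): void
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the browser cookie so later requests carry no session ID.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Hypothetical helper: resume a session only if the client sent a cookie.
// Returns true only when an authenticated session was resumed.
function resume_authenticated_session(): bool
{
    $name = session_name();
    if (!isset($_COOKIE[$name]) || !is_string($_COOKIE[$name])) {
        return false;               // no cookie: do not create a session
    }
    // Format sanity check (assumption): characters PHP uses in session IDs.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $_COOKIE[$name])) {
        return false;
    }
    session_start();
    if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === 'yea_baby') {
        return true;
    }
    end_session_and_expire_cookie(); // cookie present but not logged in
    return false;
}

// On a protected page: redirect and stop unless the session checks out.
if (!resume_authenticated_session()) {
    header('Location: /login.php');
    exit;
}
```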