Hi Red... Actually, I have my site set to only use cookies for storing
session ids to make it more secure and so that session ids aren't passed via
the URL. Only problem with checking for existence of a session using your
method is that you have to first start the session, which is what I'm trying
to avoid. I only want to create a session for a user that I know has already
been authenticated first, which for my site seems to be the existence of the
session cookie.

Monty

> just on a side-note, the session is not always kept in a cookie ( if
> cookies are deactivated the session is saved in the _GET or _POST variables ).
> 
> A check for $_REQUEST[session_name()] might help you some more but can
> be exploited quite fast
> 
> eg: index.php?SID=foo
> 
> I guess the best way to solve your problem would be to set a _SESSION
> variable on creation and check for its presence
> 
> if ( isset ( $_SESSION['session_activ'] )
> AND $_SESSION['session_activ'] === TRUE ) {
> // session running
> } else {
> // no session running
> }
> 
> -- red
> 
> [...]
>> Thanks, Aaron, I tried this method and it appears to work just fine. Here's
>> a simplified version of what I'm doing:
>> 
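>> if (isset($_COOKIE[session_name()])) {
>> 
>>     session_start();
>> 
>>     // Session data lacks the login marker: treat the visitor as unauthenticated.
>>     if ($_SESSION['loggedin'] <> 'yea_baby') {
>> 
>>         session_destroy();
>>         $_SESSION = array();
>>         // Return to log-in page to re-authenticate.
>>         header("Location: /login.php");
>>         exit; // stop the script so nothing below runs after the redirect
>>     }
>> }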
>> 
> [...]

-- 
PHP General Mailing List (http://www.php.net/)
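
The check discussed in this thread, as an added example that is not code from any of the posters: resume a session only when a session cookie is present, and decide authentication from server-side session data rather than from the cookie's existence. It assumes the login code sets `$_SESSION['loggedin'] = true` and that session ids use PHP's default alphabet; `resume_authenticated_session()` is a hypothetical name.

```php
<?php
// Added example. 'loggedin' and /login.php come from the thread;
// resume_authenticated_session() is a hypothetical helper name.

// Take session ids from cookies only, so index.php?SID=foo is ignored.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse ids the server never issued (available since PHP 5.5.2).
ini_set('session.use_strict_mode', '1');

function resume_authenticated_session(): bool
{
    $name = session_name();

    // No cookie: there is nothing to resume, so no session is created.
    if (!isset($_COOKIE[$name]) || !is_string($_COOKIE[$name])) {
        return false;
    }

    // The cookie is client-controlled, so its presence proves nothing yet.
    // Assumption: ids use PHP's default alphabet (a-z, A-Z, 0-9, ',', '-').
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}\z/', $_COOKIE[$name])) {
        return false;
    }

    session_start();

    // Authentication is decided by state the server stored at login.
    if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
        return true;
    }

    // Unknown or unauthenticated id: clear the data and expire the cookie.
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie($name, '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
    return false;
}

if (!resume_authenticated_session()) {
    header('Location: /login.php');
    exit; // stop here so protected code never runs for this request
}
```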