Monty wrote:
Hi Red... Actually, I have my site set to only use cookies for storing session ids to make it more secure and so that session ids aren't passed via
Why is this more secure? The cookies go over the same wire as the POST/GET.
with regard to security have a look at: http://nl.php.net/manual/en/function.session-regenerate-id.php
I have personally thought about binding the IP addr of the initial request to the session, but I don't know if this is a good idea (also IP spoofing gets round that).
the URL. Only problem with checking for existence of a session using your
It doesn't sound like it's a problem of the session's existence (which does not define state) but of state (which the session stores), and this is something you define. Every user who visits your site and hits more than one page intrinsically has (could have) a session; by default:
$_SESSION[ 'LOGGED_IN' ] = false;
and it's set to true if a user successfully completes a login procedure (and presumably remains so until the session is destroyed for whatever reason).
method is that you have to first start the session, which is what I'm trying to avoid. I only want to create a session for a user that I know has already been authenticated first, which for my site seems to be the existence of the session cookie.
To verify whether a session has been previously created for the browser, maybe something like this:
session_start();
// first hit in this session: create the counter, otherwise bump it
if (!isset($_SESSION['HIT_COUNT'])) {
    $_SESSION['HIT_COUNT'] = 1;
} else {
    $_SESSION['HIT_COUNT']++;
}

if ($_SESSION['HIT_COUNT'] == 1) {
    echo 'hi new person! welcome to xyz.com';
}
which is just a variation of what was written below:
Monty
Just on a side note, the session is not always kept in a cookie (if cookies are deactivated the session is saved in the _GET or _POST variables).
A check for $_REQUEST[session_name()] might help you some more, but can be exploited quite fast,
eg: index.php?SID=foo
I guess the best way to solve your problem would be to set a _SESSION variable on creation and check for its presence:
if (isset($_SESSION['session_activ']) AND $_SESSION['session_activ'] === TRUE) {
    // session running
} else {
    // no session running
}
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
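Pulling the thread's advice together, here is an added example (not code posted by Monty or either replier) of the login-state pattern they describe: an explicit LOGGED_IN flag rather than "a session cookie exists", session_regenerate_id() on login as the linked manual page recommends, and PHP's use_only_cookies / use_strict_mode settings so an ID supplied as index.php?SID=foo is never adopted. The function check_credentials() and the page name /login.php are assumptions for illustration; the code assumes PHP 7 or later.

```php
<?php
// session_auth.php - added example for this thread, not any poster's code.
// Assumes a hypothetical check_credentials($user, $pass) returning bool.

// Accept the session ID only from the cookie (never from SID in the
// query string or POST body), and reject IDs this server never issued,
// which is exactly the index.php?SID=foo fixation trick from the thread.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

session_start();

// A session merely existing proves nothing: every visitor who is handed
// a cookie has one, and an attacker can send any cookie value he likes.
// Authentication state must be an explicit value stored server-side.
if (!isset($_SESSION['LOGGED_IN'])) {
    $_SESSION['LOGGED_IN'] = false;
}

function login_user(string $username, string $password): bool
{
    if (!check_credentials($username, $password)) {   // hypothetical helper
        return false;
    }
    // Privilege just changed: issue a fresh ID and delete the old file, so
    // an ID an attacker planted in the victim's browser before login does
    // not become the authenticated one (see session_regenerate_id()).
    session_regenerate_id(true);
    $_SESSION['LOGGED_IN'] = true;
    $_SESSION['USER']      = $username;
    return true;
}

function is_logged_in(): bool
{
    // Strict comparison: a stray "1" or "true" string stored by other
    // code must not count as an authenticated session.
    return isset($_SESSION['LOGGED_IN']) && $_SESSION['LOGGED_IN'] === true;
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie as well, otherwise the browser keeps presenting
    // an ID that now refers to nothing (or, worse, to a recreated file).
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Gate for a protected page: require the flag, not the cookie.
function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: /login.php');   // assumed login page
        exit;
    }
}
```

Include this file at the top of every page and call require_login() on the protected ones; the login form handler calls login_user() and redirects on success. Note that session_start() is still executed for anonymous visitors, which is what Monty wanted to avoid: with use_strict_mode on, an unknown or forged cookie simply results in an empty session whose LOGGED_IN is false, so starting the session costs nothing security-wise.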