Elliot J. Balanza wrote:
> OK, I know that session_destroy won't delete all my session data, but just
> delete the variables with it... but for instance the session_id() will be
> the same.
> So my question is how can I make it so that let's say one person enters my
> site, and then decides to leave... but doesn't close the browser window,
> then comes back right in and wants to do other functions in the site but with
> a different session_id()?
Why do they need a different session id? It shouldn't matter whether
they come back with the same session ID or not, as the session will be
empty (you should clear it when they log out... no real need to
destroy it).
That being said, it is a good idea to set the session ID from within
your program after a successful login to prevent Session Fixation
Attacks. This is where a malicious user will include a link to your site
with the session_name in the URL. If you then start a session, PHP will
use the value passed in the URL. Now, instead of the session ID being a
one-in-two-million ID, they've fixed what it should be. It's now easy
for them to hijack the session and pretend to be the other person (a
little work involved in that, but you get the idea, I hope).
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals www.phparch.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
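The rotation John recommends is what PHP's session_regenerate_id() does, and the URL-supplied ID he describes is only honoured when PHP is allowed to read the ID from anywhere but the cookie. The script below is an added example, not code from either poster; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params), uses a stand-in check_credentials() with one constructed account, and simulates the fixation scenario from the command line.

```php
<?php
// Added example: session handling that defends against session fixation.
// Not code from the thread; check_credentials() is a stand-in.

declare(strict_types=1);

// Refuse session IDs passed in the URL (use_only_cookies/use_trans_sid) and
// reject IDs the server never issued (use_strict_mode). All three must be
// set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,                       // keep the ID away from script access
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),  // true on an HTTPS deployment
]);

session_start();

// Stand-in credential check (assumption: a real app looks the hash up in
// its user store). One constructed account for the demo.
function check_credentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// On successful login, throw away whatever ID the browser arrived with
// (possibly one an attacker planted) and issue a fresh one. The `true`
// argument deletes the old server-side session so the planted ID is dead.
function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

// Clear the data, expire the client's cookie and drop the server-side
// session, so the old ID is useless even if it is replayed later.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Simulated fixation attempt: the ID present before login stands in for one
// an attacker could have fixed. After login it must no longer be in use.
$planted = session_id();
$ok      = login('alice', 'correct horse battery staple');
$fresh   = session_id();
logout();

echo ($ok && $fresh !== $planted)
    ? "login rotated the session ID ($planted -> $fresh)\n"
    : "FAIL: session ID was not rotated\n";
```

Run it with `php fixation.php`; the planted and fresh IDs differ, and the planted one no longer maps to any session on the server. Rotating the ID again on privilege changes (for example, when an already logged-in user elevates to an admin role) follows the same pattern.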