Sep 16, 2012, 9:01 AM
Post #6 of 8
Re: [malmklang] Regenerating sessionid and cookie troubles

Yes, there are people out there that will try to steal your identity, especially if you (the programmer) do something dumb like putting the SID in the query string.
Regenerating the SID (via the new() method) at each and every point is just as dumb and just goes to show that even Wikipedia can give bad advice.

The login page is, in most cases, the only place where you explicitly generate the SID via the new() method. All other places use the module's load() method. After the object has been created, you then apply your checks (is it expired, is it empty, is it coming from the same host, etc.). If any one of the checks fails, then delete and flush the session and redirect to the login page.

Normally, the only session info sent to the client is the session ID; however, you can add other info. For example, you could add an item that stores the PID of the script and then, when they return, confirm that it's still there and matches what is stored on the server. If that fails, then redirect them to the login page.
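The new()/load() split and the check-then-redirect flow described above, written out as an added example (not code from the post or the thread). It assumes the module being discussed is Perl's CGI::Session with a CGI.pm query object; the `action` parameter, the `remote_addr` session key and the `/login.cgi` path are made up for illustration.

```perl
#!/usr/bin/perl
# Added example: one CGI script, two roles, as the post describes.
use strict;
use warnings;
use CGI;
use CGI::Session;

my $q = CGI->new;
my %handler = ( login => \&login_page, page => \&protected_page );
my $action  = $q->param('action') // 'page';      # 'action' is an assumed parameter
( $handler{$action} // \&protected_page )->($q);

# Login page: the one place a fresh SID is minted with new().
sub login_page {
    my ($q) = @_;
    # credential verification omitted; assume it succeeded
    my $session = CGI::Session->new($q) or die CGI::Session->errstr;
    $session->expire('+30m');                          # idle timeout, checked by is_expired()
    $session->param( remote_addr => $q->remote_addr ); # server-side copy for the same-host check
    $session->flush;
    # Only the SID goes to the client, in a cookie rather than the query string.
    print $q->header(
        -cookie => $q->cookie(
            -name     => CGI::Session->name,
            -value    => $session->id,
            -httponly => 1,
            -secure   => 1,
        ),
    );
    print "logged in\n";
}

# Every other page: attach to the existing session with load(), then run the checks.
sub protected_page {
    my ($q) = @_;
    my $session = CGI::Session->load($q) or die CGI::Session->errstr;
    my $same_host = ( $session->param('remote_addr') // '' ) eq $q->remote_addr;
    if ( $session->is_expired || $session->is_empty || !$same_host ) {
        $session->delete unless $session->is_empty; # nothing is stored for an empty session
        $session->flush;                            # write the removal through to the store
        print $q->redirect('/login.cgi');           # assumed login URL
        return;
    }
    print $q->header, "hello, session ", $session->id, "\n";
}
```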