Session ID URL propagation - which method?

Anon

I'm using PHP4 to do my session tracking with cookies turned off completely (use_cookies = 0 in php.ini). So my tracking of the session ID must be done completely through URL propagation.

I've run into an interesting feature(glitch?): there are basically two methods to propagate the SID through URLs as far as I can tell. The first is mentioned in the PHP documentation and that is to use SID as such:

The second would be to reference the PHPSESSID directly:

It seems that using the first method sometimes causes a new session ID to be generated? This doesn't happen always, but definately has happened in certain cases (this is previous to storing anything in my pre-registered session variables). Does anybody have any clue why it would do this?

I'm using method two for now just because I know I can trust it. But I am curious as to why the first method would be serving me up a new SID in some cases and not others... any thoughts?

Anon

Bah! Nevermind... was something else that was giving me the new session ID.

Interesting note: PHP seems to have some built-in security features that prevent you from manually setting the SID in your code. I was passing the SID as a hidden form variable with a name other than PHPSESSID and then setting PHPSESSID to equal the contents of that variable. Attempting to do this seemed to cause PHP to throw that session out entirely and start up a new one. Useful little security feature once you know about it ;⁾