Session help please!

Anon

I am passing a session id along the url. If a person actually changes the id to '1', or something else, the session variables will still be present (even though I check to see if they are registered). Is there a way to make sure the session_id is valid?

I am using
if($HTTP_GET_VARS["id"])
{
session_id($HTTP_GET_VARS["id"]);
}
session_start();
if($HTTP_GET_VARS["id"])
{
if(!session_is_registered("username") | !session_is_registered("password"))
{
show_error("An error occured in the process, please login again");
}
}

But, if I change the ID in the url, the variables are still registered somehow.
Any ideas?

Anon

Sessions, by default, are stored in a cookie. That is the first place session_start() looks. Check your php.ini for the session settings for php, defaults to the session name (or actual cookie name) to PHPSESSID and use cookies to 1 .. adjust as necessary...

Hope that helps

Chris King

Anon

Thanks.
If aI cannot access PHP.ini, is there a way to delete the cookie each time, before
$id = session_id(); is given?

Anon

I don't think that it's anything you should worry about, anyway. All the functions of the session handling in php are supposed to work transparently, so just let it do it's job. I don't think this is anything you need to worry about.

Chris King

Anon

If you don't have access to the php.ini file but need to change one of its values temporarily (for the scope of the one script instance), use ini_alter() or ini_set() (I think they're identical - check the manual).

-Keegan