Sessions Questions.

bernicusmaximus

Gurus,

Can anyone explain to me the reasons for not using $HTTP_SESSION_VARS/$SESSION when register globals is disabled. Also, it seems that $HTTP_SESSION_VARS/$SESSION is prefferred over the session_register() method for security reasons. Why is this? I understand how sessions should work, but I am failing to understand how they do work with globals and what not. If anyone understands where my confusion lies, and how I may be cured of it, I would appreciate the help.

Thanks a bunch,

Bernie

p.s. I accidently posted this in a thread, so this is a "repost".

[deleted]

"the reasons for not using $HTTP_SESSION_VARS/$_SESSION when register globals is disabled."

The only way to get at session variables when regsiter_globals is disabled is through HTTP_SESSION_VARS and _SESSIONS.

Always using the arrays means you never accidently use other vars than the ones you mean, and so you can never accidently use a POST or GET var which can be hacked.

A forum, a FAQ, email notification, what else do you need?