I have to admit that I am a little new to sessions. I am using them in my current script and they are working ok. When a user logs in, $_SESSION['logged_in'] gets registered with the session. When logging out, it is unregistered. Every page has an include in the header which is a library file full of variables and function definitions used throughout the site. In this file, there is a check that looks like this:
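    // Connect to the database (credentials are defined in the included library file)
    mysql_connect($dbhost, $dbuser, $dbpass);
    mysql_select_db($dbname);

    // If the browser sent our session cookie, reuse that session id
    if (!empty($_COOKIE['mypad_sessid'])) {
        $sessid = $_COOKIE['mypad_sessid'];
        session_id($sessid);
    }
    session_start();

    if (empty($_SESSION['logged_in'])) {
        // user is not logged in
        if ($_SERVER['PHP_SELF'] != $loginpath) {
            // and they are not at the login page, so send them there
            header("Location: $loginpath");
            exit; // stop here so the protected page is not rendered
        }
        // they are at the login page, so let it load
    }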
So, it looks to see if there is a session cookie, which there is, and then sets that session id as the current sessid and then starts the session. If the aforementioned "logged_in" var is registered with the session, they proceed loading the page. If it is not, then they are directed to the login page (defined in the included file), but if the login page is the one that is being accessed, it lets unauthorized users continue.
Great, right? Well, yes. It all works. 🙂
However, when I am working in the site, I find that sometimes the PHP session id is being carried through the URL in a GET format, but I have not specified it to do that anywhere. And I thought that by setting the session id to and from the cookie, this would not happen.
Any ideas what would cause this sessid to be haunting my urls?
Thanks
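An added example, not part of the original post: a cookie-only version of the session check described above. PHP's `session.use_trans_sid` setting is what makes it rewrite links to carry the session ID when no session cookie came back, and `session.use_only_cookies` controls whether an ID arriving in a URL is accepted. Assumptions: PHP 7.3 or later, the site is served over HTTPS, `mypad_sessid` is used as the session cookie name, and the function names and `/login.php` are hypothetical.

```php
<?php
// Added example. Only $_SESSION['logged_in'] and the cookie name 'mypad_sessid'
// come from the post; every other name here is an assumption.

// These must be set before session_start().
ini_set('session.use_only_cookies', '1'); // ignore session IDs arriving in the URL
ini_set('session.use_trans_sid', '0');    // never rewrite links/forms to carry the ID
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

// Let PHP read and write the cookie itself instead of copying
// $_COOKIE['mypad_sessid'] into session_id() by hand.
session_name('mypad_sessid');
session_set_cookie_params([
    'path'     => '/',
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // assumption: HTTPS only
    'samesite' => 'Lax',
]);
session_start();

// Redirect anonymous visitors to the login page, except when already there.
function require_login(string $loginPath): void
{
    if (!empty($_SESSION['logged_in'])) {
        return; // authenticated, let the page load
    }
    if ($_SERVER['SCRIPT_NAME'] !== $loginPath) {
        header('Location: ' . $loginPath);
        exit; // without this the protected page would still be rendered
    }
}

// Call after the credentials have been verified.
function mark_logged_in(): void
{
    // Issue a fresh ID so an ID known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
}

require_login('/login.php'); // hypothetical login path
```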