$_SESSION vs. session_register

webpoet

Which variant is most secure to use $HTTP_SESSION_VARS[var] or session_register and just $var ? Would really appreciate opinions on this.

TruckStuff

I assume you are referring to creating session vars? Neither is more secure than the other; theoretically they should do the same thing. However, my experience is that session_register doesn't work as well as $_SESSION, e.g. sometimes it just doesn't work, 🙂

webpoet

OK, well, one more thing, using $SESSION_ are you guaranteed that the var actually comes from a session ? such as with session_is_registered ?

TruckStuff

Where else would it come from? $_SESSION is a superglobal reserved word, meaning that no other variables can have that name.

webpoet

cool, any other security issues I should think of ? such as maybe session hijacking ?