I know there's probably a simple cause for this, but rather than spend the whole day trying to figure it out (I've already been on this for a couple of hours), I thought I'd employ the magic of the PHP Builder forums 😃
I have enabled trans_sid in php.ini, use_cookies is on as well, use_only_cookies is off. I turned off cookies in my browser, restarted Apache (MOX Panther) and my session ids are not being passed in the URL. The script is creating a new session on each page view.
What I want to do is put together an identity check for my session ids to minimize the possibility that the session id has been hijacked. My application.php file (called on each page) has the following:
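session_start();
if (session_secure() == false) {
    //freak out
}

// Returns true when the current session id is new or was last seen from
// the same IP address, false when the stored IP differs.
function session_secure() {
    global $USER;
    $session = session_id();
    // Look up the IP recorded for this session id.
    // Note: $session and $USER->ip are placed into the SQL text as-is.
    $query = db_query("select ip from sessions where session_id = '$session'");
    if (db_num_rows($query) > 0) {
        $result = db_fetch_object($query);
        return $result->ip == $USER->ip ? true : false;
    } else {
        // First request for this session id: remember the client's IP.
        $insert = db_query("insert into sessions (session_id, ip) values ('$session', '$USER->ip')");
        return true;
    }
}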
a) do the sessions experts reckon this could cut down hijacked sessions?
b) why are my dang session ids not being appended to the URL?
Mucho Gracias.
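
The IP-binding check described in the post, as an added example that is not part of the original post: it keeps the same `sessions` table (`session_id`, `ip`) but passes the session id and address as bound parameters through PDO instead of building them into the query string. The in-memory SQLite database, the function signature and the sample values are assumptions made so the snippet runs on its own.

```php
<?php
// Added example (not the poster's code): bind a session id to the client IP.
// Assumes the pdo_sqlite extension; any PDO driver works the same way.

function session_secure(PDO $db, string $sessionId, string $clientIp): bool
{
    // Bound parameters keep the session id and IP out of the SQL text.
    $select = $db->prepare('SELECT ip FROM sessions WHERE session_id = ?');
    $select->execute([$sessionId]);
    $storedIp = $select->fetchColumn();

    if ($storedIp === false) {
        // First sighting of this id: record the address it was issued to.
        $insert = $db->prepare(
            'INSERT INTO sessions (session_id, ip) VALUES (?, ?)'
        );
        $insert->execute([$sessionId, $clientIp]);
        return true;
    }

    // Known id: accept only if the request comes from the recorded address.
    return hash_equals((string) $storedIp, $clientIp);
}

// Stand-alone demo with a throwaway database (assumption for this example).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, ip TEXT NOT NULL)');

// Constructed sample values; the addresses are from documentation ranges.
$sid = 'constructed-session-id-0001';
var_dump(session_secure($db, $sid, '192.0.2.10'));   // first request, id is recorded
var_dump(session_secure($db, $sid, '192.0.2.10'));   // same client returns
var_dump(session_secure($db, $sid, '198.51.100.7')); // same id from another address
```

Rejecting on an address mismatch also ends the session for legitimate users whose address changes mid-session (mobile networks, proxy pools), and it does not separate two clients behind the same NAT, so the check narrows the window for a hijacked id rather than closing it.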