Hi
On some of my php pages you can see the Session ID in the URL (eg:http://......./jan.php?echo&PHPSESSID=8980824cb3c9d304b3ce0............) and on some of my other pages you can not see the session ID (eg: http://......./jan.php?echo)
1. Why is this happening?
2. Is it a security risk to have the session ID displayed in the URL?
These are added dynamically by PHP because the client doesn't accept session cookies.
Thank you, but isn't it a security risk to have it displayed in the URL? If yes, what can I do about it?
It's not a security risk per se. But you always should guard yourself against session hijacking. The most easy way to do this is to place this code where you have your session_start() command:
session_start();
if(version_compare(‘5.1.0’, phpversion(), ‘>’)) {
session_regenerate_id(TRUE);
} else {
unlink(ini_get(‘session.save_path’).’/sess_’.session_id());
session_regenerate_id();
}This will generate a new session ID for every page visited, effectively making a hijacked session ID useless.