PHP Session ID

wilna

Hi
On some of my php pages you can see the Session ID in the URL (eg:http://......./jan.php?echo&PHPSESSID=8980824cb3c9d304b3ce0............) and on some of my other pages you can not see the session ID (eg: http://......./jan.php?echo)

1. Why is this happening?
2. Is it a security risk to have the session ID displayed in the URL?

mjax

These are added dynamically by PHP because the client doesn't accept session cookies.

wilna

Thank you, but isn't it a security risk to have it displayed in the URL? If yes, what can I do about it?

mjax

It's not a security risk per se. But you always should guard yourself against session hijacking. The most easy way to do this is to place this code where you have your session_start() command:

session_start();
if(version_compare(‘5.1.0’, phpversion(), ‘>’)) {
	session_regenerate_id(TRUE);
} else {
	unlink(ini_get(‘session.save_path’).’/sess_’.session_id());
session_regenerate_id();
}

This will generate a new session ID for every page visited, effectively making a hijacked session ID useless.