Thanks benracer.
There's some interesting and eye-opening info. Wow...much more to security than what I had previously read e.g. when and when not to use cookies with sessions and other ways sessions could be hijacked.
Now on to finding resources for various configurations that work better for certain situations than for others and which parameters to use to make the configuration more sound.
References provides a lot of parameters, but examples don't seem to use many of them and then only others seems to be discussed when folks are troubleshooting their particular situation. Having all of those options is fine as sessions code needs more bells and whistles, but I'm trying to put the time upfront to reduce all of the troubleshooting with browser differences, etc. in addition to providing a good secure starting point.
Here's the confusion -- you read when some folks say, "do it this way", then others counter that and say, "you shouldn't do it that way", and another mentioned that sessions carried over tabs in Firefox and Opera, but wasn't preserved in IE if new windows were opened using the start menu or from the file menu - then with that said, doesn't say under what condition that should be a concern; etc.
I want to configure sessions to work securely in all of the major browsers for the situation I've described in my initial post, so finding resources on those browser's idiosyncrasies, etc. is what I'm looking for then, if need be, I could create 'if' conditions. But then getting around what I've read that there's no sound way to determine if the browser type, etc. provided by environment params is accurate/reliable or even available...and on and on...
I'll begin putting together code for this and revising it as I continue to gather more info. Any suggestions that would assist in this endeavor is welcomed.
...and the beat goes on...
Thanks.
