PHPSESSID unless a different session name is passed via session_name(). You might think this is OK for scripts running in non-tabbed browsers, but tabbed browser pages running simultaneously can see one another's session data if they share a session name. That's probably not what you have in mind. Here is a simple solution for the problem: 1. On the far side of a secure login--that is, after the user is authenticated--have the first session-enabled script of your PHP application
require_once( 'session_start.php' ), which assigns a unique microtime-based name to a session before starting it:
<?php
// session_start.php
ini_set( "session.gc_maxlifetime", 1800 );
$session_name = 'sess' . str_replace( ".", "", microtime(true));
session_name( $session_name );
session_start();
?>
2. In every other session-enabled page of your app,
require_once('session_continue.php'):
<?php
// session_continue.php
if( isset( $_GET['_sess'] )) $session_name = $_GET['_sess'];
else if( isset( $_POST['_sess'] )) $session_name = $_POST['_sess'];
else die( "Session configuration error<br>\n" );
session_name( $session_name );
session_start();
?>
3. Keep both these scripts outside the web document directory tree, for example in
PHP_INSTALL_DIR/includes.4. When calling a page that needs session data, pass the session name in the form, eg:
printf("<INPUT type='hidden' name='_sess' value='%s'>\n", $session_name);
or if there is no form, specify the session name in the URL, eg:
header( "Location: pagetocall.php?_sess=" . session_name() );
As you see in the code, session_continue.php will pick up the session name.Last updated 22 May 2024
