Securing PHP Sessions Without Relying on Cookies
Posted on 2004-04-06
I am fairly new at PHP programming so please bear this in mind!
I have created a website in PHP that uses standard session code that, if cookies are not enabled, tags the session to the URL. The problem that this presents is that if a logged-in user sends the URL to another user - with the tagged session attached to the URL - the new user will have access to the user's session, and will therefore be able to access the user's profile etc. The only way I can fix this is by stopping the session being carried in the URL. Users therefore have to have cookies enabled to use the site (login) - not entirely desirable.
Is there a secure way to pass the session data between pages without running the risk of users giving away their session data?
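
A partial mitigation for the problem described in the question, as an added example that is not part of the original post: the session is bound at login to a fingerprint of the browser's request headers, and a session ID arriving from a different client is refused. The function names and `/login.php` are hypothetical, and the `ini_set` lines assume the URL-based session setup the post describes.

```php
<?php
// Added example: names below (client_fingerprint, bind_session_at_login,
// session_matches_client, login.php) are hypothetical, not from the post.
declare(strict_types=1);

// Assumed setup matching the post: the session ID travels in the URL.
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');

// Hash of request headers that stay stable for one browser.
function client_fingerprint(array $server): string
{
    $agent = $server['HTTP_USER_AGENT'] ?? '';
    $lang  = $server['HTTP_ACCEPT_LANGUAGE'] ?? '';
    return hash('sha256', $agent . "\n" . $lang);
}

// Call once after the password check succeeds.
function bind_session_at_login(int $userId): void
{
    session_regenerate_id(true); // drop any ID issued before login
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint($_SERVER);
}

// True only when the request comes from the client that logged in.
function session_matches_client(array $session, array $server): bool
{
    return isset($session['user_id'], $session['fingerprint'])
        && hash_equals($session['fingerprint'], client_fingerprint($server));
}

session_start();

if (isset($_SESSION['user_id']) && !session_matches_client($_SESSION, $_SERVER)) {
    // A forwarded URL opened in a different browser lands here. Close the
    // session without changing it, so the owner stays logged in, and send
    // this visitor to the login page with no session ID attached.
    session_abort();
    header('Location: /login.php');
    exit;
}
```

The fingerprint is built from headers that are not secret, so a recipient whose browser sends the same User-Agent and Accept-Language still passes; the check narrows the exposure of a shared URL rather than closing it.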