Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I've got a problem with my site sending the session cookie as request data the first time the site is loaded. Subsequent pages visited store the session cookie as a cookie.
It's unfortunate that I can't give access to the code, as it's the property of my company.
Under what circumstances does what appears in code to be just a URL, such as new_dev.php, gain the request data ?PHPSESSID=35a3fa289241800acf3a0748575048a1 ??
This is causing problems elsewhere in my site, because sessions are disappearing.
Has anybody had a similar problem and found a solution?
You need to have the session stored in the cookie, which is the default, or you can have it sent in the URL each time a new page is being requested. Normally it's in the form of sid: something.php?sid=35a3fa289241800acf3a0748575048a1&parameters=somethingelse
I believe the SID is sent along in the URL when the session is created, and will disappear in your next page request. This can be turned off by changing session.use_trans_sid = 0 in your php.ini.
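An added example, not code from the thread or from the poster's site: a PHP bootstrap that applies the session.use_trans_sid setting named above at runtime, accepts the session ID from the cookie only, and redirects old links that still carry it in the query string. The include placement, the HTTPS assumption and the redirect behaviour are assumptions.

```php
<?php
// Hypothetical bootstrap include; must run before any output is sent.

// Keep the session ID out of URLs and accept it from the cookie only.
ini_set('session.use_trans_sid', '0');    // no automatic URL rewriting
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1'); // ignore IDs passed in the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

session_set_cookie_params([               // array form requires PHP 7.3+
    'path'     => '/',
    'secure'   => true,                   // assumption: site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);

$name = session_name();                   // "PHPSESSID" unless reconfigured

// A bookmarked or logged link may still carry the ID: send the client to
// the same page without it, so the ID stops spreading through Referer
// headers, proxy logs and shared links.
if ($_SERVER['REQUEST_METHOD'] === 'GET' && isset($_GET[$name])) {
    $query = $_GET;
    unset($query[$name]);
    $path = explode('?', $_SERVER['REQUEST_URI'], 2)[0];
    $path = '/' . ltrim($path, '/');      // never emit "//host" (open redirect)
    $target = $path . ($query ? '?' . http_build_query($query) : '');
    header('Location: ' . $target, true, 302);
    exit;
}

session_start();

// ini_set() is ignored once a session is active or headers are sent, so
// confirm the effective value instead of assuming the call worked.
if (ini_get('session.use_trans_sid')) {
    error_log('session.use_trans_sid is still enabled; set it in php.ini');
}
```

If sessions still disappear after this, check that the Set-Cookie header reaches the browser on the first response, since the cookie is then the only carrier of the ID.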