I’m trying to secure some information by creating/starting a session, and redirecting from page1.php to page2.php. page2.php checks for the Session ID “session” before it displays the content on the page.
Is there anything that will pass the name of the Session ID for users other than myself to see? Maybe with HTTP Headers or something or is it completely hidden since its processed in php before the page loads?
Generally, sessions in PHP are now handled with cookies - a bit of data that gets passed silently along by the browser when it makes a request for the page.
session_id() will return the current session’s identifier handle. the globally defined constant SID also holds this data.
However, there should be no need for a user to ever see this information - in fact, to reveal it is a potential security violation. Why would you want to do so?
its not that i want to make the session_id() visible, im just making sure that it isnt visible because if there is no session id, i dont want page2.php to display. I’m just trying to make sure its not possible to find out the session_id and then make page2.php visible after redirecting to that page
Dont use a session ID for this.
A session would only exist if page1 invokes session_start(), so… i’m confused about what you’re trying to do.
I have it setup like this
page1.php
session_start();
$_SESSION['session'] = 'session';
redirects to page2.php
page2.php
session_start();
if (isset( $_SESSION['session']))
{.....}
just trying to display content if the session id “session” was already created. is this not a safe way? can this be seen by a visitor?
okay you’re creating a variable CALLED session inside the session. (Hence the confusion!)
No, this is fine, and the expected way to handle sessions. The visitor will be unable to see the content of $_SESSION[‘session’]. (Unless you choose to print it out, of course)
ok thanks 
sorry for the confusion!
This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.