[support] Why changing the session id?

Greg Knaddison - GVS Greg at GrowingVentureSolutions.com
Fri Oct 17 14:07:57 UTC 2008


2008/10/17 Ámon Tamás <amont at 5net.hu>:
> I would like to make a little shop on my website. I would like to give
> anonymous users the possibility to add some products to the cart. In the
> cart I try to store the user id and the session id (what the session_id()
> function gives). But the problem is that if a user is logged in, the
> session id changes. Why? And how can I access the anonymous user's session?

If the same session is used before and after login then the site is
vulnerable to "session fixation."  That's a fancy way to say "someone
could steal their account and use it for bad things."

You could add a destination to the login form which contains a unique
identifier that corresponds to whatever data you need to persist.

Regards,
Greg

-- 
Greg Knaddison
Denver, CO | http://knaddison.com | 303-800-5623
Growing Venture Solutions, LLC | http://growingventuresolutions.com
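As an added illustration of the point made above (this is not Drupal's code and not part of the original thread), the following in-memory model shows why the pre-login session id must be retired at login and how the anonymous cart can still survive that rotation: the server issues a fresh id, invalidates the old one, and migrates the cart data into the new session. The store, its method names and the product values are constructed for this example.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store: sid -> {"uid", "cart"}."""

    def __init__(self):
        self._sessions = {}

    def start(self):
        """Issue a fresh, unpredictable session id for an anonymous visitor."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"uid": 0, "cart": {}}
        return sid

    def add_to_cart(self, sid, product, qty=1):
        """Anonymous users may fill the cart; it is keyed by the session id."""
        cart = self._sessions[sid]["cart"]
        cart[product] = cart.get(product, 0) + qty
        return dict(cart)

    def login(self, sid, uid):
        """Authenticate: rotate the id (anti-fixation) but keep the cart.

        The old id stops working, so an id that was known before login
        cannot be used to reach the authenticated session afterwards.
        """
        old = self._sessions.pop(sid)          # invalidate pre-login id
        new_sid = self.start()                 # fresh id for the logged-in user
        self._sessions[new_sid]["uid"] = uid
        self._sessions[new_sid]["cart"] = old["cart"]   # carry the cart over
        return new_sid

    def is_valid(self, sid):
        return sid in self._sessions

    def get(self, sid):
        return self._sessions.get(sid)


def demo():
    """Walk through anonymous cart -> login -> checks; returns the outcome."""
    store = SessionStore()
    anon = store.start()
    store.add_to_cart(anon, "mug", 2)      # constructed sample product
    auth = store.login(anon, uid=42)       # constructed sample user id
    return {
        "rotated": auth != anon,                 # id changed at login
        "old_id_rejected": not store.is_valid(anon),
        "cart_kept": store.get(auth)["cart"] == {"mug": 2},
        "uid": store.get(auth)["uid"],
    }
```

The same rotate-and-migrate step is what a framework does for you when it changes the session id at login; the cart simply has to be copied (or re-keyed) at that moment rather than looked up by the old id afterwards.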

