[drupal-devel] Seems like form validation might fail with some users

Richard Archer drupal.org at juggernaut.com.au
Mon Nov 7 00:22:22 UTC 2005


At 6:09 PM -0500 6/11/05, Jeremy Andrews wrote:

>Is there ever a time where the session_id may change from
>page to page (ie, what if cookies are disabled in the
>browser, and the server isn't configured to embed session
>ID's in the URL?)

I used to work on the PHPLIB project, and the user's session ID
was always very stable and consistent. I never saw a support
request about lost sessions that wasn't caused by a bad
configuration of either browser or more usually the application.

So I think that if the session ID has changed from when the
form is shown to when it is submitted, that is a good enough
reason to invalidate the submission.

+1 to use session_id().

 ...R.



More information about the development mailing list