motorollin wrote:
The session ID can be stored in a cookie and passed to the web server, or passed between pages by storing it in $_SESSION. Either of these would be preferable to passing the session ID in the URL.
The PHPSESSION value stored in a cookie or POST identifies the session to a new page in order to populate the $_SESSION super-global. So you can't store the session ID in a $_SESSION variable and expect it to work. A cookie is preferable to POST, as the POST would require a hidden variable in a form rendered in plain-text HTML, and therefore subject to cache snooping after the fact.
Most of the time what happens is people are so overly paranoid about cookies that they don't allow them, period. This breaks many sites' functionality. Good, active anti-malware software and having third-party cookies disabled in the browser will generally keep users' machines clean (generally). Disabling cookies altogether is a bad thing, IMHO.
I'll accept any cookie, so long as it's chocolate chip or white chocolate chip without the nuts. :crazy:
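
The cookie-only transport discussed in this thread, as an added example that is not part of either post: a PHP page that refuses session IDs from the URL and sets the session cookie's flags before starting the session. It assumes PHP 7.3 or later (array form of `session_set_cookie_params`) and a site served over HTTPS; the `initialised` and `views` keys are hypothetical names chosen for illustration.

```php
<?php
// Added example. Must run before any output is sent to the browser.

// Transport: accept the session ID from a cookie only.
ini_set('session.use_only_cookies', '1'); // weak: '0' lets a URL parameter carry the ID
ini_set('session.use_trans_sid', '0');    // weak: '1' rewrites links to append the ID
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

// Cookie flags: limit where the ID is sent and who can read it.
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // assumption: HTTPS only
    'httponly' => true,   // not readable from page script
    'samesite' => 'Lax',  // not sent on cross-site sub-requests
]);

session_start();

// The ID in the cookie is what lets this request find its $_SESSION data;
// the ID itself is read with session_id(), not stored inside $_SESSION.
if (empty($_SESSION['initialised'])) {
    session_regenerate_id(true);   // issue a fresh ID for a new session
    $_SESSION['initialised'] = true;
}

$_SESSION['views'] = ($_SESSION['views'] ?? 0) + 1;

header('Content-Type: text/plain');
echo 'Cookie name: ', session_name(), "\n";
echo 'Views this session: ', $_SESSION['views'], "\n";
```

With cookies disabled in the browser, the view counter stays at 1 on every request, because no ID reaches the server and each request starts a new session.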