Elliot J. Balanza wrote:

> Ok, I know that session_destroy won't delete all my session data, but just
> delete the variables with it... but for instance the session_id() will be
> the same.
> So my question is how can I make it so that, let's say, one person enters my
> site, and then decides to leave... but doesn't close the browser window,
> then comes back right in and wants to do other functions in the site but with
> a different session_id()?

Why do they need a different session id? It shouldn't matter whether they come back with the same session ID or not, as the session will be empty (you should clear it when they log out... no real need to "destroy" it).


That being said, it is a good idea to set the session ID from within your program after a successful login to prevent Session Fixation Attacks. This is where a malicious user will include a link to your site with the session_name in the URL. If you then start a session, PHP will use the value passed in the URL. Now, instead of the session ID being a one-in-two-million ID, they've fixed what it should be. It's now easy for them to hijack the session and pretend to be the other person (a little work involved in that, but you get the idea, I hope).

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
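The advice in the reply above (clear the session on logout, and issue a fresh session ID from your own code right after a successful login) shown as working PHP. This is an added example, not code from the thread; `check_credentials()`, its constructed user table and the `user`/`pass` form fields are assumptions standing in for a real user store and login form.

```php
<?php
// Added example: session-fixation mitigation as described in the reply above.
// Everything here is illustrative; check_credentials() and the user table
// are constructed stand-ins, not real code from any project.

// Settings that must be in place before session_start():
ini_set('session.use_only_cookies', '1'); // ignore a session ID passed in the URL
ini_set('session.use_trans_sid', '0');    // never append the ID to links/forms
ini_set('session.use_strict_mode', '1');  // PHP >= 5.5.2: reject IDs the server never issued
// Cookie flags: (lifetime, path, domain, secure, httponly)
session_set_cookie_params(0, '/', '', !empty($_SERVER['HTTPS']), true);
session_start();

// Constructed stand-in for a user store (hypothetical); replace with your own lookup.
function check_credentials($user, $pass)
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// The weak version: authenticates but keeps whatever session ID arrived with
// the request. If an attacker planted that ID (a link with the session name
// in the URL, as the reply describes), they now share the logged-in session.
function login_fixable($user, $pass)
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// The hardened version: after the credentials check, replace the session ID
// with a freshly generated one. The `true` argument deletes the old session
// data instead of leaving a copy under the attacker-known ID.
function login_hardened($user, $pass)
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION = ['user' => $user, 'login_time' => time()];
    return true;
}

// Logout: empty the session data (the reply's point that clearing is what
// matters), expire the cookie, then drop the server-side record.
function logout()
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Minimal dispatch for a login form posting `user` and `pass` (assumed field names).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    if (login_hardened($_POST['user'], $_POST['pass'])) {
        echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
    } else {
        http_response_code(401);
        echo 'Invalid credentials';
    }
} elseif (isset($_GET['logout'])) {
    logout();
    echo 'Logged out';
}
```

The important line is the `session_regenerate_id(true)` placed after authentication, not before: regenerating on every request or only at `session_start()` does not help, because the attacker can simply revisit the page to pick up the new ID before the victim logs in. `session.use_only_cookies` and `session.use_strict_mode` close the URL-based and unknown-ID paths that the reply's attack relies on.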
