At 08:47 24.11.2002, Jean-Christian Imbeault said:
>Ernest E Vogelsinger wrote:
> >
>>     if ($_COOKIE[$_SESSION['cookie_name']] == $_SESSION['cookie_token']) {
>Ok, please forgive my ignorance, but in PHP isn't $_COOKIES the same as 
>$_SESSION? I thought it was if the user had cookies turned off (and 
>even if the user had cookies turned on come to think of it) ... If not 
>I'm in trouble.
>I was always under the impression that $_SESSION vars were passed as 
>cookies ...

No, that's a misunderstanding. Session vars are never passed to and from
the client, only the session _name_ is passed, either via a cookie
(PHPSESSIONID) or via trans-sid href encoding.

Session vars are kept server-side in session storage, which is (by default)
a file located in the directory where session.save_path is pointing to. The
default file name is sess_<session-identifier>. The client only transmits
the session identifier so the server is able to correlate a session to a
particular request.

What I did for this particular application was to extend the system with a
cookie that's programmatically sent, using a random cookie name and a
random cookie content. Thus I am able to distinguish between multiple
logical sessions using the same session identifier, a scenario that could
happen when a URL containing a trans-sid has been bookmarked or transferred,
or when the client had opened a new window within the same session and
continued in "split mode".

Whatever the client passes to PHP as a cookie you can access in the
$_COOKIES array. Whatever PHP has stored in session storage can be accessed
in the $_SESSION array. They are quite different.

   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
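
The check quoted at the top of this message, worked through as an added example (not code from the original post). The function names, the "t_" cookie-name prefix and the sample arrays are assumptions; plain arrays stand in for $_SESSION and the request's cookie array so the script runs from the PHP command line.

```php
<?php
// Added illustration of binding a logical session to a random cookie.
// Function names and the "t_" prefix are hypothetical, not from the post.

// Create the random cookie name and random cookie content, and keep both
// server-side in session storage. Returns the pair to send to the client.
function bind_logical_session(array &$session): array
{
    $session['cookie_name']  = 't_' . bin2hex(random_bytes(8));
    $session['cookie_token'] = bin2hex(random_bytes(32));
    return [$session['cookie_name'], $session['cookie_token']];
}

// True only when the client presents the cookie whose name and value match
// what session storage holds for this session identifier.
function is_same_logical_session(array $session, array $cookies): bool
{
    if (!isset($session['cookie_name'], $session['cookie_token'])) {
        return false; // session was never bound
    }
    $name = $session['cookie_name'];
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return false; // cookie missing, or sent as an array (name[]=...)
    }
    // Constant-time comparison of the stored token and the client value.
    return hash_equals($session['cookie_token'], $cookies[$name]);
}

// --- Constructed demonstration data ---
$serverSession = []; // stands in for $_SESSION (never leaves the server)
[$name, $token] = bind_logical_session($serverSession);

// In a real response the pair would be sent with, for example:
//   setcookie($name, $token, ['httponly' => true, 'samesite' => 'Lax']);

$sid = 'constructed-session-id';
// Original window: sends the session identifier and the token cookie.
$originalWindow = [session_name() => $sid, $name => $token];
// Bookmarked or transferred trans-sid URL: same identifier, no token cookie.
$bookmarkedUrl  = [session_name() => $sid];
// Same identifier, cookie name known, but the content does not match.
$wrongToken     = [session_name() => $sid, $name => str_repeat('0', 64)];

var_dump(is_same_logical_session($serverSession, $originalWindow));
var_dump(is_same_logical_session($serverSession, $bookmarkedUrl));
var_dump(is_same_logical_session($serverSession, $wrongToken));
```

Only the first call succeeds: the other two requests carry the same session identifier but are treated as a different logical session.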
