Kristina Anderson wrote:
Yes, but if I do $_SESSION['cart_id'], it is effectively the same
thing, I'm using this random string as an identifier for the unique
cart. This is effectively the same as $_SESSION['session_id'] -- only
the name is different.
No, it is not effectively the same.
First off, by doing $_SESSION['cart_id'] instead of manually generating
your own session id, you get the power of PHP working for you in that it
has already done all the things you are attempting to code manually,
built right into that session_start() command.
In your examples, you could use the following on every page:
-----
session_start();
if (!isset($_SESSION['cart_id']))
{
    // First visit: issue a fresh session id, then build a cart id for it.
    session_regenerate_id();
    $rand = rand(1, 9);
    // $REMOTE_ADDR only exists with register_globals on; read it from $_SERVER.
    $cart_id = $rand . substr(md5($_SERVER['REMOTE_ADDR']), 0, 11 + $rand);
    $cart_id .= substr(md5(rand(1, 1000000)), rand(1, 32 - $rand), 21 - $rand);
    $_SESSION['cart_id'] = $cart_id;
}
----
This will generate a new id for every person coming into your site, and
give them a cart id.
Secondly, you can regenerate that session id anytime you want and not
lose the cart. So if you're collecting a credit card at some point in
your process, someone can't do something like:
Buy this cool book at
http://www.yoursite.com/displayitem.php?itemid=xyz&PHPSESSID=abc
Thus forcing the session id to be set to abc, and then monitoring the
verification page of the checkout process to grab that person's personal
details once they are entered.
Instead, when someone enters the checkout process place the following
bit of code at the top:
----
session_start();
session_regenerate_id();
----
This means that even if someone did manage to fixate the session for
that person, as soon as you begin the checkout process you generate a
new session id for them.
And the cool part is $_SESSION['cart_id'] will be copied along from the
old session id to the new session id without you having to do anything
at all.
All of the above code suggestions are merely a band-aid to fix your
original stated goal with the minimum amount of code. This requires making
a few lines of change to the top of most of your PHP scripts, and
changing any references to the session id to the cart id. This should
not be taken as an endorsement that this is the best way to program the
overall goals, just that it solves this itty bitty problem.
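The two snippets above, combined into one include for the top of every page, as an added example that is not part of the original post. It also refuses session ids supplied in the URL (the PHPSESSID trick described above) and replaces the md5(rand()) cart id with random_bytes(); the function names and the checkout page list are this example's own assumptions.

```php
<?php
// Added example, not code from the original post. start_cart_session(),
// enter_checkout() and the page list are assumptions made for illustration.

// Only accept the session id from the cookie, never from the query string,
// and reject ids the server never issued. These must be set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

function start_cart_session(): void
{
    session_start();
    if (!isset($_SESSION['cart_id'])) {
        // First visit: swap the session id and attach a random cart id to it.
        // random_bytes() stands in for the md5(rand()) construction in the post.
        session_regenerate_id(true);
        $_SESSION['cart_id'] = bin2hex(random_bytes(16));
    }
}

function enter_checkout(): void
{
    // Entering the sensitive part of the flow: issue a new session id and
    // delete the old session record, so an id someone fixated beforehand no
    // longer maps to this cart. $_SESSION, including cart_id, is carried over.
    session_regenerate_id(true);
    $_SESSION['checkout_started'] = time();
}

start_cart_session();
// Assumed checkout entry points for this example.
$checkout_pages = ['checkout.php', 'verify.php'];
if (in_array(basename($_SERVER['SCRIPT_NAME']), $checkout_pages, true)) {
    enter_checkout();
}
```

The old session record is deleted by passing true to session_regenerate_id(), so the fixated id is unusable rather than merely abandoned.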
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk