kriona wrote in php

Sessions

I've gone through and made my own login system, so I'm familiar with how they generally work. Now, I've gone around and looked into making sessions safer, and I have a question.

A concept I found pretty snazzy was that you don't start the session until after they successfully log into a site. That's awesome. My question is pretty quick: on all the following pages, what would the if statement look like to start the session? Would the following work?

if (isset($_COOKIE['name_of_session'])) session_start();

If so, is it still possible for an attacker to force a session to start if they know the name of your session cookie? On a site where registration is open to the public, is there any benefit from keeping sessions for logged-in users, when anyone can come and register?
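An added example, not part of the original post: any client can send a cookie with a known name, so the cookie's presence can only decide whether to call `session_start()`, while the login state has to come from the server-side session data. The function names and the `user_id` session key are assumptions, as are HTTPS and PHP 7.3+ (for the array form of the cookie options).

```php
<?php
// Added example (not the poster's code). 'name_of_session' is the cookie name
// used in the post; the 'user_id' key and function names are assumptions.

const SESSION_COOKIE = 'name_of_session';

function configure_sessions(): void
{
    session_name(SESSION_COOKIE);
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_set_cookie_params([
        'path'     => '/',
        'httponly' => true,
        'secure'   => true,                    // assumes the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
}

// Call once, right after the password check succeeds.
function log_in(int $userId): void
{
    configure_sessions();
    session_start();
    session_regenerate_id(true);               // fresh ID at the privilege change
    $_SESSION['user_id'] = $userId;
}

// Call at the top of every later page. Returns the user id, or null if anonymous.
function current_user(): ?int
{
    // The cookie is client-supplied: its presence only means "there may be a session".
    if (!isset($_COOKIE[SESSION_COOKIE])) {
        return null;                           // no cookie: no session is created
    }
    configure_sessions();
    session_start();
    if (!isset($_SESSION['user_id'])) {
        // A cookie was sent but no login is stored server-side: discard it.
        $_SESSION = [];
        session_destroy();
        setcookie(SESSION_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
        return null;
    }
    return (int) $_SESSION['user_id'];
}
```

With `session.use_strict_mode` enabled, a session ID the server never issued is replaced rather than adopted, and `session_regenerate_id(true)` at login means an ID known before authentication is not the one that carries the logged-in state.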