I am using PHP 4+ and I am working on an osCommerce project, where I encounter the session ID in the URL, so I just need to know: is it good practice to display the session ID in the URL? If yes, then why? And if no, then why? And how can I hide the session ID in the URL and use a substitute string there in the URL?
There’s no point putting a substitute string in there – the point is, that if you are using URL-driven rather than cookie-driven session tracking, what is in the URL must identify the session. Whether it’s the actual session ID or something that it can be derived from is neither here nor there – you’re not making things any more secure by obfuscating.
Whether it’s a good idea depends partly on the added security around it. If you can take a session-embedded URL from one machine to another and just carry on as if the same user in the same session, then no, it isn’t. But you need to know more about the site behind it all to answer the question.
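As an added example (not part of the answer above and not osCommerce code), this is one way to switch PHP to cookie-driven session tracking and to refuse a session ID that turns up on a different client. It assumes PHP 7 or later; the function names and the choice of User-Agent as the binding signal are hypothetical.

```php
<?php
// Added example: cookie-only sessions plus a coarse client binding.
// Assumes PHP 7+. Function names are hypothetical, not osCommerce APIs.

// Cookie-driven tracking only: never accept or emit the session ID in URLs.
ini_set('session.use_only_cookies', '1'); // ignore IDs passed in the query string
ini_set('session.use_trans_sid', '0');    // do not rewrite links to append the ID
ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts

// Assumption: the User-Agent header is used as the binding signal. It is
// weak (easily copied) and only illustrates the check; it is not proof
// that the request comes from the same machine.
function client_fingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

// True when the session is new (nothing bound yet) or still belongs to
// the client that created it.
function session_matches_client(array $session, array $server): bool
{
    if (!isset($session['fingerprint'])) {
        return true;
    }
    return hash_equals($session['fingerprint'], client_fingerprint($server));
}

session_start();

if (!session_matches_client($_SESSION, $_SERVER)) {
    // The ID was presented by a different client: discard the session
    // data and issue a fresh ID instead of carrying on in the old session.
    $_SESSION = [];
    session_regenerate_id(true);
}

$_SESSION['fingerprint'] = client_fingerprint($_SERVER);
```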