I’m developing a shopping cart that uses for example Captcha to validate that a user is human. When an incorrect submission is received the user is redirected to the original validation page by
<?php header('Location:https://mysite.com/cart.php?PHPSESSID=mysessionid'); ?>
Unfortunately, if I do not send the session id in the URL I loose all my session data in the page and calls to session_start() initiate a new session. It seems that in PHP this is the only way to do this. I feel that this method is a bit insecure as any user could hijack a session by using the URL and using the session id that they obtained. This could be done by the user leaving my site and having the above URL be noted as the referring page in whatever site they browsed to next. Is there a better way to hide this variable? It seems like an awful big risk to allow this information to be out in the open and a medium to hijack sessions all the same space. Thanks for reading!
Usually PHP sessions are re-initialized from a HTTP cookie that the browser sends along with the initial request.
In essense, as long as the session cookie stays valid and gets sent, the user can freely direct the browser on any random page and have the session re-initialized on return.
If the session does not get re-initialized then a good place to start would be to find out “why?”.