I’ve been working with PHP sessions, and everything is working fine it does exactly what I need.

Then I started to look into potential security issues further and found this:

http://phpsec.org/projects/guide/4.html

Notice that all that was being used was to determine existing session or new session ‘status’ is:

session_start();

…and yet I have seen this sort of thing many times before:

<?php
if (isset($PHPSESSID))
{
    session_start($PHPSESSID);
}else{
    session_start();
};
?>

I had assumed that this would allow some other processing on second call or that it’s logic allowed the session to restart with the same session ID for a different page for example.

However I already thought that the plain session_start() already had logic to determine if a session had been established elsewhere because it ‘knows’ to retain an existing session ID rather than issuing a new one, unless it needs to of course!

So I tested the above and I couldn’t get it to work at all.

<?php
if (isset($PHPSESSID))
{
        $oldsession = "On";
        $newsession = "Off";
        session_start($PHPSESSID);
}
    else
{

    session_start();
    $newsession = "On";
    $PHPSESSID = session_id( );

};

            echo 'ClientSessionID : '.$PHPSESSID.'<br>';
            echo 'Refreshed Session : '.$oldsession.'<br>';
            echo 'New Session : '.$newsession.'<br>';      
?>

Either I’m missing something or this code could never have worked. The $oldsession NEVER gets echo’ed even though the session is retained. I conclude that the test on $PHPSESSID never works.

So my question is: Assuming the sample test code is syntactically correct, is it even plausible to attempt to pre-determine the session ‘status’ BEFORE calling session_start() ? And if so how would you go about it?

As the article goes on to show, using the (assumed) resulting session variables after a session has started is the only way to send the code in a different direction, so I’m thinking this is actually the only way to do it.