If a user changes the value of a cookie called PHPSESSID, a new session is created on the server with the name that the user entered in the PHPSESSID cookie... Can this be prohibited on the server side? After all, it would be more logical to leave only the server the ability to generate names for new sessions...

For example, there may be settings for PHP that would require the PHPSESSID sent by the user to already exist, and if such a session does not exist on the server, the server would give the user a new session with an auto-generated name.

<?php
session_start();
echo session_id();
// The server gave us a session like 61kc4inq1ho82vp4pkrdrgm6q6l1nmfphuy
// Now manually change the value of the PHPSESSID cookie to hello-admin
// Refresh the page, and a new session named hello-admin is created on the server
// And accordingly session_id() now returns hello-admin
?>

  • At user login and initial session creation, generate another cookie with a random value and write this value into the session. After the start of the session, check the cookie and the value from the session. - Visman
  • Thanks for the idea; as an option, I think you can do that. - ice
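
An added example, not part of the original question or comments: PHP's `session.use_strict_mode` setting makes the server discard a client-supplied ID that has no existing session and issue a generated one, and the rest implements the second-cookie check suggested in the comment above. The cookie name `sess_bind`, the session keys `user_id` and `bind`, and the function names are assumptions; PHP 7.3 or later is assumed for the array forms of `session_start()` and `setcookie()`.

```php
<?php
// Added example: names marked "hypothetical" are not from the original page.

// Reject session IDs the server did not issue: an unknown PHPSESSID is
// discarded and a server-generated ID is used instead.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1'); // never take the ID from the URL

session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax']);

const BIND_COOKIE = 'sess_bind'; // hypothetical cookie name

// Call once after a successful login.
function bind_session_on_login(int $userId): void
{
    session_regenerate_id(true);         // fresh ID, old session data deleted
    $token = bin2hex(random_bytes(32));  // random value kept in cookie and session
    $_SESSION['user_id'] = $userId;      // hypothetical session key
    $_SESSION['bind'] = $token;          // hypothetical session key
    setcookie(BIND_COOKIE, $token, [
        'path' => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// True only when the second cookie matches the value stored in the session.
function session_is_bound(): bool
{
    $expected = $_SESSION['bind'] ?? null;
    $given = $_COOKIE[BIND_COOKIE] ?? null;
    return is_string($expected) && is_string($given)
        && hash_equals($expected, $given);
}

// On every request: a logged-in session without a matching cookie is dropped.
if (isset($_SESSION['user_id']) && !session_is_bound()) {
    $_SESSION = [];
    session_destroy();
    http_response_code(401);
    exit;
}

// With strict mode on, an unknown ID such as hello-admin is replaced
// by a generated one before this line runs.
echo session_id();
```

The same two settings can be placed in `php.ini` instead of calling `ini_set()`. With a custom session save handler, strict mode only takes effect if the handler implements ID validation (`validateId()`).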
