Hi Folks,
Bit of an unusual question here, which is basically as a result of my lack
of understanding as to how Sessions work.
I've created a Captcha image solution for an application I look after, and
when we came to look into something that required debugging, I realized I'm
using sessions without understanding how they work.
Basically, the login includes an image, and a textbox for the captcha text.
The image then generates a session with a variable name of x, and a value of
the characters from the captcha image. The user then logs in, including the
text on the graphic.
## IMAGE CODE:
session_start();
$_SESSION['captcha_text'] = $randomly_generated_text;
The login check page obviously checks the username and password, and also
does the following:
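## CHECK LOGIN CODE
session_start();
# Treat a missing value on either side as a failure: with a loose !=,
# an unset session value and an unset POST field compare as equal.
$expected = $_SESSION['captcha_text'] ?? null;
$supplied = $_POST['captcha_text'] ?? null;
if ($expected === null || !is_string($supplied) || (string)$expected !== $supplied) {
    #FAIL LOGIN TEXT
}
session_destroy();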
It works a treat, however what I want to understand is how the session is
kept relevant to that particular user's session - mainly because my boss
wants to check there's no security implication.
We've thought this through and believe that in other applications, there is
also a cookie or post/get variable set in the form, which includes a
reference to the session name.
Are we missing something, or is it really magic?
Cheers
Nunners
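
An added example, not part of the original post: a PHP CLI script that simulates the two requests described above and shows that the stored captcha text is found only through the session id, which in a browser travels in the cookie named by `session_name()` (`PHPSESSID` by default). The helper `read_captcha()`, the variable names and the sample captcha value are constructed for illustration.

```php
<?php
// Added illustration (not the poster's code). Run from the PHP CLI.
// In a real request session_start() reads the id from the session cookie;
// here there is no browser, so the id is passed by hand with session_id().
ini_set('session.use_cookies', '0');      // CLI: no cookie header to send
session_save_path(sys_get_temp_dir());    // default "files" handler, temp dir

// Request 1: the captcha image script. No id was presented, so PHP creates one.
session_start();
$browserA = session_id();                 // what Set-Cookie would carry
$_SESSION['captcha_text'] = 'K7QX2';      // constructed sample value
session_write_close();                    // data is stored server-side under that id

// Hypothetical helper: what the login script sees for a given presented id.
function read_captcha(string $presentedId): ?string
{
    session_id($presentedId);             // stands in for the incoming cookie
    session_start();                      // loads the data stored under that id
    $text = $_SESSION['captcha_text'] ?? null;
    session_write_close();
    return $text;
}

// Request 2a: the same browser returns its id and gets its own captcha text.
$sameBrowser = read_captcha($browserA);

// Request 2b: a client with a different id has no stored text at all.
$browserB = session_create_id();
$otherBrowser = read_captcha($browserB);

// Clean up both sessions, as the login script does with session_destroy().
foreach ([$browserA, $browserB] as $id) {
    session_id($id);
    session_start();
    session_destroy();
}

// Output is printed last: changing the session id after output raises a warning.
echo 'cookie name:   ', session_name(), PHP_EOL;
echo 'same browser:  ', var_export($sameBrowser, true), PHP_EOL;
echo 'other browser: ', var_export($otherBrowser, true), PHP_EOL;
```

The second result is `NULL`: a client that never requested the image has nothing stored, which is why the login check has to treat a missing session value as a failure instead of comparing it loosely.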