On 27/01/2022 21:06, paulf@xxxxxxxxxxxxxxxxx wrote:
On Thu, 27 Jan 2022 11:40:52 -0500
Aziz Saleh <azizsaleh@xxxxxxxxx> wrote:
You can run an example test via browser to see it in action:
-----------------------------
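<?php
// Pick the session (cookie) name from ?name=..., defaulting to PHPSESSID.
$name = isset($_GET['name']) ? $_GET['name'] : 'PHPSESSID';
// Set the name and start the session before any output, so the
// Set-Cookie header can still be sent.
session_name($name);
session_start();
// Escape the user-supplied value before echoing it into HTML.
echo 'Name: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '<br/>';
echo 'Cookie/Session name: ';
echo htmlspecialchars(session_name(), ENT_QUOTES, 'UTF-8');
echo '<br />';
echo "Value: " . htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8');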
--------------------------
Change ?name=SESSION_Name
I've been studying the cookies on the server and in Firefox's local
cache of cookies, and reading up on the cookie "process".
Follow up question: When your browser requests a page from the server,
does it send *all* the unexpired cookies where that server is the host,
regardless of the actual page being requested?
Paul
The short answer is yes.
The long answer, it depends on the individual cookie settings. If a
cookie is set for a different subdomain (but the same main domain) it
will not be sent. Typically to avoid this a cookie might be linked to
example.com (or .example.com for compatibility with much older browsers)
rather than foo.example.com
Cookies can be set to secure mode, which means they only get sent on
HTTPS requests, and not for HTTP requests.
Also, the path of the cookie can have an effect on whether it's sent
with a request or not. The path portion must be in the path being
requested, which is why cookies almost always are seen having their path
set to just /
Finally, cookies now have a SameSite option, which is intended to
prevent them being sent as part of a CSRF request.
--
Ashley Sheridan
https://www.ashleysheridan.co.uk
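
The rules in the reply above (domain, secure, path, SameSite), as an added example that is not part of the original thread: a simplified JavaScript model of how a browser decides which cookies to attach to a request, following the domain and path matching of RFC 6265. The cookie jar is constructed sample data, the field names hostOnly, crossSite and topLevelNavigation are hypothetical, and treating a missing SameSite as Lax is an assumption of this model.

```javascript
// Added example: simplified model of the browser's "attach this cookie?" check.
// Field names (hostOnly, crossSite, topLevelNavigation) are hypothetical.

// RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it.
// A cookie set without a Domain attribute is host-only: exact host match.
function domainMatches(host, cookie) {
  const domain = cookie.domain.replace(/^\./, "").toLowerCase();
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === domain;
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 5.1.4: cookie path must prefix the request path on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// SameSite only restricts cross-site requests.
function sameSiteAllows(cookie, req) {
  if (!req.crossSite) return true;
  const mode = (cookie.sameSite || "Lax").toLowerCase(); // assumed default
  if (mode === "none") return true;
  if (mode === "strict") return false;
  // Lax: cross-site only on top-level navigation with a safe method
  return Boolean(req.topLevelNavigation) && ["GET", "HEAD"].includes(req.method);
}

function shouldSend(cookie, req) {
  const url = new URL(req.url);
  if (cookie.secure && url.protocol !== "https:") return false;
  return domainMatches(url.hostname, cookie) &&
    pathMatches(url.pathname, cookie.path) &&
    sameSiteAllows(cookie, req);
}

// Constructed sample cookie jar (not taken from the thread).
const jar = [
  { name: "PHPSESSID", domain: "www.example.com", hostOnly: true, path: "/", secure: false, sameSite: "Lax" },
  { name: "prefs", domain: "example.com", hostOnly: false, path: "/", secure: true, sameSite: "None" },
  { name: "cart", domain: "example.com", hostOnly: false, path: "/shop", secure: false, sameSite: "Strict" },
];

// Names of the cookies that would go out with the request, in jar order.
function cookiesFor(req) {
  return jar.filter((c) => shouldSend(c, req)).map((c) => c.name).join(",");
}
```

The path check works on "/" boundaries, so a cookie with path /shop goes out with /shop/item but not with /shopping.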