* Thus wrote Monty ([EMAIL PROTECTED]):
>
> session_start();
>
> if (!$_SESSION['loggedin']) {
>
>     session_destroy();
>     header("Location:/login.php"); // Send to Log-In page.
> }
>
> Is this the most efficient way to do this? I'd prefer to not have to start
> then immediately destroy the session if it's possible to first know whether
> a session exists without starting it.

Yes. But you don't *need* to destroy() the session.

btw, your Location header should be like this:
  Location: http://domain.com/login.php

>
> I have my site set to store the PHPSESSID in a cookie only (not passed via
> URL), so, would checking for the existence of $_COOKIE['PHPSESSID'] be a
> reliable way of doing this?

A cookie can easily be sent without ever being assigned one. Doing this will
open a large hole in your security model.

Curt
--
"I used to think I was indecisive, but now I'm not so sure."
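
The distinction drawn in the reply, as an added example that is not part of the original thread: the session cookie's presence is used only as a hint to avoid starting a session for a visitor who has none, while the login decision itself comes from server-side `$_SESSION` data. The names `require_login()`, `redirect_to_login()` and `LOGIN_URL` are assumptions made for illustration, and `domain.com` is the placeholder host from the reply.

```php
<?php
// Added example; helper names and LOGIN_URL are hypothetical.
const LOGIN_URL = 'http://domain.com/login.php'; // absolute URL, as the reply advises

function redirect_to_login(): void
{
    header('Location: ' . LOGIN_URL);
    exit; // stop execution so the protected page is never rendered
}

function require_login(): void
{
    // No session cookie at all: there is nothing to resume, so skip
    // session_start() and avoid creating a session just to destroy it.
    if (!isset($_COOKIE[session_name()])) {
        redirect_to_login();
    }

    // A cookie IS present, but the client chose its value. It proves
    // nothing yet. Strict mode makes PHP refuse session ids it did not
    // issue; it must be set before session_start().
    ini_set('session.use_strict_mode', '1');
    session_start();

    // The only trustworthy signal is data the server stored itself.
    if (empty($_SESSION['loggedin'])) {
        // Optional cleanup: discard the empty session opened by the
        // forged or expired cookie.
        $_SESSION = [];
        session_destroy();
        redirect_to_login();
    }
}

// At the top of every protected page:
require_login();
echo 'Members-only content';
```

The check that must never be used on its own is `isset($_COOKIE['PHPSESSID'])`: it passes for any request that includes a cookie of that name, whatever its value.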