10-26-2007, 09:40 PM
#5
La Vida es Sueño
Thank you, Adam! I'm glad you enjoyed the article. I'm tired of seeing all these clichés people throw out concerning PHP. We've heard it all before. It just cries out for some originality.
As for your question, I'd definitely go down the route of storing the session ID. That way, if anybody wishes to hijack a session, they'd have to either fixate the ID (which we can protect against) or be lucky enough to guess a ~32-bit hexadecimal string.
The dilemma of users passing a link, intentionally or otherwise, to another user can be prevented by only allowing the session to come from a cookie. This way, the only real way a session can be hijacked in that sense is by transferring a cookie to a user and telling them to put it in their cookie folder, and who's silly enough to do that? Sounds too much like hard work to me!
Of course, if you go down the route of preventing the session ID from coming from a URL parameter (session.use_only_cookies), then you're not supporting those individuals who have cookies disabled. These days, however, the minority of individuals who have browsers that either do not support cookies or have cookies disabled by their users is negligible when you consider the potential damage that can be caused by session hijacking.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
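To make the two defences discussed in the post above concrete, here is an added example of a hardened PHP session bootstrap. It is not code from the thread or from its author: it assumes PHP 7.3 or later (for the array forms of session_set_cookie_params and setcookie), and the session key name 'initiated' is a hypothetical marker chosen for illustration. It restricts the session ID to the cookie (session.use_only_cookies), rejects IDs the server never issued (session.use_strict_mode), and regenerates the ID at login so that a fixated or previously observed ID is worthless afterwards.

```php
<?php
// Added example, not from the original forum post. Hardened PHP session
// bootstrap: cookie-only session IDs plus regeneration against fixation.
// Assumes PHP >= 7.3.

declare(strict_types=1);

function start_hardened_session(): void
{
    // Only read the session ID from the cookie, never from ?PHPSESSID=... in
    // a URL or from the POST body, so a pasted link cannot carry a session.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Discard client-supplied IDs that this server did not generate
    // (available since PHP 5.5.2); this alone defeats classic fixation.
    ini_set('session.use_strict_mode', '1');

    // Cookie flags: not readable by script, HTTPS only, and not sent on
    // cross-site navigations.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    // Belt and braces for fixation: a session without our server-side marker
    // was never initialised by this application, so replace its ID before
    // binding any data to it. 'initiated' is a hypothetical key name.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true); // true = delete the old session data
        $_SESSION = [];
        $_SESSION['initiated'] = time();
    }
}

function login_user(int $userId): void
{
    // Always issue a fresh ID on privilege change: an ID an attacker planted
    // or observed before login no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying server state.
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],
    ]);
    session_destroy();
}

// Call once at the top of every request before any output is sent.
start_hardened_session();
```

The 'initiated' marker only helps when strict mode is unavailable; with session.use_strict_mode enabled, PHP already refuses to adopt an unknown ID. The regeneration inside login_user() is the step that matters most, because it also covers the case where an attacker first obtains a legitimately initialised session of their own and then tries to hand that ID to the victim.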