PHP Session Fixation / Hijacking

Front-end | Unresolved | 5 | 1376
闹比i 2020-11-22 06:19

I'm trying to understand more about PHP Session Fixation and hijacking and how to prevent these problems. I've been reading the following two articles on Chris Shiflett's

5 answers
  •  轮回少年
    2020-11-22 06:25

    I did not read Shiflett's article, but I think you have misunderstood something.

    By default PHP passes the session token in the URL whenever the client does not accept cookies. Otherwise, in the most common case, the session token is stored as a cookie.

    This means that if you put a session token in the URL PHP will recognize it and try to use it subsequently. Session fixation happens when someone creates a session and then tricks another user to share the same session by opening a URL which contains the session token. If the user authenticates in some way, the malicious user then knows the session token of an authenticated one, who might have different privileges.

    As I'm sure Shiflett explains, the usual thing to do is to regenerate a different token each time the privileges of a user change.
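An added example (not code from the thread or from Shiflett's articles) of the mitigation the answer describes, for PHP 7.3+: the session ID is accepted only from a cookie, IDs the server did not issue are rejected, and the ID is regenerated when the user logs in. The `$users` array is a constructed stand-in for a real credential store.

```php
<?php
// Added example (not from the original thread): harden session handling
// against the fixation scenario described in the answer. $users is a
// constructed in-memory store standing in for a real user table.

// 1. Never accept a session ID from the URL; cookies only.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// 2. Strict mode: reject IDs the server did not generate itself, so a
//    fixed ID planted in a link is discarded instead of being adopted.
ini_set('session.use_strict_mode', '1');
// 3. Keep the cookie out of reach of scripts and off plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Constructed credential store: username => password hash.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

/**
 * Authenticate and, on success, swap the session ID so any ID the
 * visitor carried before login (possibly chosen by someone else) is useless.
 */
function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // Regenerate the ID *after* the privilege change and delete the old
    // session data so the pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['logged_in'] = time();
    return true;
}

// Usage, e.g. from a POST handler:
if (login($users, $_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    header('Location: /dashboard.php');
} else {
    http_response_code(401);
}
```

Regenerating again on logout (and on any other privilege change, such as an admin role being granted) follows the same pattern.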
