These questions are related: one and two. The former says it's used to prevent name conflicts between apps in the same domain. The latter says it can be used for anti-session hijacking.
While the former appears to be the real purpose of session_name(), I am not sure about the latter. Does it really protect against session hijacking? I think it can confuse the attacker in finding out cookie names instead of the default PHPSESSID, but is that all?
What's the real purpose of session_name()?