I'm developing a shopping cart that uses for example Captcha to validate that a user is human. When an incorrect submission is received the user is redirected to the original validation page by
```php
<?php
// Redirect back to the validation page, passing the session id in the URL
header('Location: https://mysite.com/cart.php?PHPSESSID=mysessionid');
exit; // stop script execution after sending the redirect
?>
```
Unfortunately, if I do not send the session id in the URL I lose all my session data in the page and calls to session_start() initiate a new session. It seems that in PHP this is the only way to do this. I feel that this method is a bit insecure, as any user could hijack a session by using the URL and the session id that they obtained. This could be done by the user leaving my site and having the above URL be noted as the referring page in whatever site they browsed to next. Is there a better way to hide this variable? It seems like an awfully big risk to allow this information to be out in the open and a medium to hijack sessions all in the same space. Thanks for reading!
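A cookie-only session setup that keeps the id out of the URL (and therefore out of any Referer header), as an added example that is not part of the original question; the file names cart.php and validate.php and the `captcha_answer` session key are assumptions:

```php
<?php
// Added example, not code from the original question. Keeps the session id in a
// cookie only, so the redirect needs no PHPSESSID parameter and the id never
// appears in a URL that another site could see as a referrer.

// 1. Harden session handling before the first session_start() on every page.
function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1');   // ignore ids passed in the URL
    ini_set('session.use_trans_sid', '0');      // never rewrite links with ?PHPSESSID=
    ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // send the cookie over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_start();

    // Rotate the id the first time a session is used, so an id chosen before
    // login (e.g. pasted into a URL) cannot be carried over.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
}

// 2. validate.php: on a wrong CAPTCHA answer, redirect back with no id in the URL.
start_secure_session();

$captchaOk = isset($_POST['captcha'], $_SESSION['captcha_answer'])
    && hash_equals($_SESSION['captcha_answer'], $_POST['captcha']);

if (!$captchaOk) {
    $_SESSION['captcha_error'] = 'Incorrect answer, please try again.';
    header('Location: https://mysite.com/cart.php', true, 303);
    exit; // nothing after the redirect should run
}

// cart.php calls start_secure_session() as well and can read
// $_SESSION['captcha_error'], because the browser sends the cookie back.
```

The browser returns the session cookie with the redirected request, so the session data survives without any id in the URL.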