php.net states:
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
There are some discussions on setting/changing the session id or the right usage of session_start (here, here, here, here or here).
I want to make sure that the user's session is re-used, so I would think that I need to pass the Session-Id. But it seems that just calling session_start is enough for re-identifying the user (and her authentication).
Would this code be fine?
// helper:
<?php
function isUserAuth(){
    if(session_status() === PHP_SESSION_ACTIVE){
        // 'auth' is set in user-login.php on success; ?? avoids a warning when it is unset
        if (($_SESSION['auth'] ?? null) === 1) {
            return true;
        }
    }
    return false;
}
?>
// some endpoint
<?php
session_start();
if (!isUserAuth()) {
    header('HTTP/1.0 403 Forbidden');
    exit(getSingleMsgJson('api:error:noSession'));
}
// or do things here: user is authenticated
?>
Would setting the Session Id with the original Session Id from the login change anything here? How exactly would I resume the current [session] based on a session identifier passed via a GET or POST?
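An added example, not part of the original question: a session bootstrap in which `session_start()` resumes the session from the session cookie alone and never from an ID in GET or POST, plus the login-time ID regeneration. The names `startSession` and `markLoggedIn` are hypothetical, `json_encode` stands in for the asker's `getSingleMsgJson` helper, and HTTPS is assumed.

```php
<?php
declare(strict_types=1);

// Start or resume the session. The ID is read only from the session cookie
// (PHPSESSID by default); an ID in the query string or POST body is ignored.
function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_start([
        'use_only_cookies' => 1,     // never accept the ID from GET/POST
        'use_trans_sid'    => 0,     // never append the ID to URLs
        'use_strict_mode'  => 1,     // reject IDs with no session on the server
        'cookie_httponly'  => 1,     // hide the cookie from JavaScript
        'cookie_secure'    => 1,     // assumption: the site is served over HTTPS
        'cookie_samesite'  => 'Lax', // PHP 7.3+
    ]);
}

// Hypothetical helper: call once after the credentials were verified,
// e.g. in user-login.php.
function markLoggedIn(): void
{
    startSession();
    session_regenerate_id(true); // new ID on login, old session data deleted
    $_SESSION['auth'] = 1;
}

function isUserAuth(): bool
{
    return session_status() === PHP_SESSION_ACTIVE
        && ($_SESSION['auth'] ?? null) === 1;
}

// Endpoint: no ID is passed by hand; the browser sends the cookie back.
startSession();
if (!isUserAuth()) {
    http_response_code(403);
    header('Content-Type: application/json');
    exit(json_encode(['error' => 'api:error:noSession']));
}
// user is authenticated from here on
```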