From 95e05a0d51c034523fab629357e5fc9c065ecd58 Mon Sep 17 00:00:00 2001
From: Derek Jones
While the session data array stored in the user's cookie contains a Session ID, unless you store session data in a database there is no way to validate it. For some applications that require little or no -security, session ID validation may not be needed, but if your application requires security, validation is mandatory.
+security, session ID validation may not be needed, but if your application requires security, validation is mandatory. Otherwise, an old session +could be restored by a user modifying their cookies.When session data is available in a database, every time a valid session is found in the user's cookie, a database query is performed to match it. If the session ID does not match, the session is destroyed. Session IDs can never be updated, they can only be generated when a new session is created.
+In order to store sessions, you must first create a database table for this purpose. Here is the basic prototype (for MySQL) required by the session class:
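Review bot: In the added sentence "Otherwise, an old session could be restored by a user modifying their cookies", the word "Otherwise" has no clear antecedent, because the sentence before it covers both the case where validation may be skipped and the case where it is mandatory. Naming the condition directly would remove the ambiguity, for example "Without validation against the database, an old session could be restored by a user modifying their cookies." The added text also appears to run straight into the next paragraph with no space or break between "cookies." and "When session data is available in a database", so that paragraph should start on its own line.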
-- cgit v1.2.3-24-g4f1b