Jerry Stuckle wrote:
> Sanders Kaufman wrote:

>> If not - then the whole security issue is resolved by using $_GET and
>> $_POST correctly, right?
>
> Yes, you can use $_GET and $_POST (and $_SESSION). And if you leave
> register_globals off, then you *must* use them. Less chance for error.

So - as long as I explicitly reference $_SESSION[] when continuing a
session, I'm not subject to the security vulnerabilities of
register_globals, right?

One more thing - on the session token.
I notice that PHP puts it in the query string.
Is it possible to force that into a cookie?

I know this will mess with folks who turn cookies off, but I'm
accounting for that elsehow.