I have a quick question I was hoping someone could shed some light on. I have two pages I wanted to pass an object between. Basically, my way of doing it was to serialize the object, and store it in a session variable that was randomized by an mt_rand between 0 and 99999. So for instance, you would load the page, it would generate 12345, and store the serialized object in $_SESSION[12345]. I then created a form that had that randomized value (12345) in a hidden input that was passed to the second page.

On the second page, the script would take that value, and look for it within the session, so, in this case, if $_SESSION['12345'] existed, it would load, but if not, it wouldn't. By doing this I would prevent people from loading the page with faked information on the object, or from reloading the page, as I destroyed both the object and the randomized value from the session at the end of the page. This was key to preventing an unfair exploit within my script.

My question is why this wouldn't work? The randomized value would stay in the session, and the object would, but only for the first page. As soon as the second page was loaded, it was just gone, as if it had never been set.

I re-worked it so they are both stored within set variables (in this case $_SESSION['object'] and $_SESSION['objectno']). It does work, and I think it will stop all the things that I expected to happen exploit-wise, so I don't think I absolutely need it to work the way I had originally planned. I'm really just interested as to why it didn't work.

If anyone could shed any light on this it would be greatly appreciated.
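
Added example, not part of the original post: a single-use handoff between two pages that keeps the object under a fixed string key, since PHP's default `php` session serialize handler skips purely numeric top-level keys such as `$_SESSION[12345]` when the session is written. The key name `handoff`, the function names and the `stdClass` payload are assumptions made for illustration, and a plain array stands in for `$_SESSION` so the script runs from the CLI.

```php
<?php
declare(strict_types=1);

// Page 1: store the object under a fixed string key with a one-time token.
// A numeric top-level key would be dropped when the session is saved.
function issue_handoff(array &$session, object $obj): string
{
    $token = bin2hex(random_bytes(16));   // CSPRNG token instead of mt_rand(0, 99999)
    $session['handoff'] = [
        'token'  => $token,
        'object' => serialize($obj),
    ];
    return $token;                        // value for the hidden form input
}

// Page 2: accept the token once, then destroy it so a reload fails.
function redeem_handoff(array &$session, string $submitted): ?object
{
    $slot = $session['handoff'] ?? null;
    unset($session['handoff']);           // single use, even after a bad token
    if (!is_array($slot) || !hash_equals($slot['token'], $submitted)) {
        return null;                      // missing, reused or forged token
    }
    // Restrict unserialize() to the payload class this example stores.
    $obj = unserialize($slot['object'], ['allowed_classes' => [stdClass::class]]);
    return is_object($obj) ? $obj : null;
}

// Constructed demo data; in a real page pass $_SESSION after session_start().
$session = [];
$item = new stdClass();
$item->score = 42;

$token = issue_handoff($session, $item);
var_dump(redeem_handoff($session, $token));    // first load of page 2

$token = issue_handoff($session, $item);
var_dump(redeem_handoff($session, '12345'));   // forged hidden value
var_dump(redeem_handoff($session, $token));    // slot already destroyed
```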