I've seen a PHP security tutorial where it says never to accept $_SESSION identifiers from GET or POST variables due to session hijacking and fixation. It annoyingly doesn't go into any real detail on this though.
In an application I'm building I have a $_SESSION value that is the $username variable that is set when a user logs in. This value is taken from the database, but is later used in GET requests via URL parameters:
$_SESSION['username'] = $username;
Note: The $username and all other data is sanitized going into the database and escaped when being fetched from the database.
Is the above session name a real no-no? And if this is indeed bad practice should I be using the user id from the database or similar information that is never publicly displayed (e.g. in a url parameter)?
Using the $username variable is handy because I use it in url parameters as well via the $_SESSION value, an example of which is below:
<a href='<?php echo "profile.php?username=" . urlencode($_SESSION['username']); ?>'>My Profile</a>
When a user logs in, the actual session id is regenerated with session_regenerate_id(true); so the id of each session changes each time the user is authenticated.
Any advice would be greatly appreciated.
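As an added example (not the asker's code), here is how the login and profile-link flow described above can be hardened so that the session id is never accepted from GET or POST, is regenerated on login, and the username is only display data rather than proof of identity. It assumes a PDO connection in $pdo and a users table with id, username and password_hash columns.

```php
<?php
// Added example, not the asker's code. Assumes $pdo (PDO) and a `users` table
// with columns id, username, password_hash (hashed with password_hash()).
declare(strict_types=1);

// Accept the session id only from the cookie, never from the URL or a POST body,
// and make PHP reject ids it did not generate itself (blocks session fixation).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Replace the pre-authentication session id with a fresh one, so anyone who
    // planted or observed the old id does not end up logged in as this user.
    session_regenerate_id(true);
    // Key the session on the immutable database id; the username is for display.
    $_SESSION['user_id']  = (int) $user['id'];
    $_SESSION['username'] = $user['username'];
    return true;
}

function profileLink(string $username): string
{
    // The username travels as a URL parameter, so encode it for the query string.
    // urlencode() output is also safe inside a single-quoted HTML attribute.
    return "<a href='profile.php?username=" . urlencode($username) . "'>My Profile</a>";
}

// profile.php should look the ?username= parameter up in the database and compare
// that row's id with $_SESSION['user_id'] before showing anything private: the URL
// parameter is a lookup key, never a credential.
```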