powerhouse has asked for the wisdom of the Perl Monks concerning the following question:

I am using Sessions. The Session is placed in a cookie, but it was not working, I guess because of that dang P3P policy thing. I installed P3P, but the cookies still don't work 100% of the time, it's like they pick and choose when to work and when NOT to work.

Now I am passing the Session Id in EVERY link. That is not good, because if someone was able to get the Session Id from the packets, they could take over a session. Part of the reason for using a Session Id being so long is to make it hard to guess, but being passed in every URL, secure and not secure, could be bad.

Is there a way to make it work ONLY with that browser, but where it won't work if it's on another, such as a different version, or a different "platform" or a different IP?

Or just something where it cannot be hijacked?

Or do you think it's pretty safe to pass them in the browser? I do see a lot of sites do that, but I don't know if I like it.

What do you think about it?

Thank you.
Richard

Re: Session Security
by !1 (Hermit) on Nov 20, 2003 at 04:26 UTC

    Hmm, you do have a P3P policy on your website yet it's not working? Review your policies. Does it change behavior depending upon your browser or is it more of a "is someone picking their nose in Cleveland right now" sort of deal? Of course, the browser's acceptance of the cookie entirely depends upon how their settings work versus the browser's P3P policy. It's possible that the browser's P3P policy won't accept any of your cookies in which case you need to come up with a different way of sending session information. I can't tell you more without more specifics but this should at least get you started. You can learn more about P3P here, here, and here. Here is a free P3P policy editor to make certain you don't miss anything.

    Of course, you may also want to check whether or not your script is properly setting the headers. For this, I would direct you to Mozilla's Firebird. Install that and check out the extensions, specifically Live HTTP headers and Web Developer. These tools have helped me greatly in the past.

    Sorry this was so long-winded. I hope this helps you with your problem.

Re: Session Security
by The Mad Hatter (Priest) on Nov 20, 2003 at 03:08 UTC
    Is your browser accepting cookies? Are you retrieving the cookies correctly? It sounds more like a problem with the cookie handling in code. (But maybe you're right; I don't know specifics, only what you say.)

    If you're truly worried about getting the session ID from packets, then using cookies isn't going to help at all (they're passed over the wire too on every request). The only thing that will help is using a secure connection (HTTPS). Putting the session ID in the URL makes it more accessible, but as long as you expire the sessions at a reasonable time (and give the user a way to force expiration), someone gleaning IDs from browser history or something shouldn't be much of a problem.

    You could in your code limit a cookie you receive to the certain IP you assigned it to, but even that isn't failsafe as caching proxy servers, for example, only have one IP for multiple users.

      I retrieve the cookie like this:

          $_sessionid = cookie("sessionid");

      I set it like this: (I'm using CGI's :standard)

          $_s_cookie = cookie(-name => "sessionid", -value => $sessionid, -expires => "+1y");
          # note: CGI.pm's -p3p option expects compact-policy tokens (e.g. -p3p => [qw(CAO DSP)])
          # and emits policyref="/w3c/p3p.xml" on its own; the value below ends up in CP="..."
          print header(-cookie => $_s_cookie, -P3P => "policyref=/w3c/p3p.xml");

      It worked for a while, then it just quit working for some reason. It also works sometimes with some of our users.

      Then sometimes it does not work. Same pages, same coding.

      Just a strange thing, that I don't understand. The cookie ONLY contains the session id. Nothing else.

      thx,
      Richard
        Try eliminating the P3P policy and see if you still have the problem with cookies. I don't know much about P3P, but it probably isn't fully supported by all browsers. Do you really need it in the first place?
Re: Session Security
by edoc (Chaplain) on Nov 20, 2003 at 03:10 UTC

    OT? ish? anyways...

    I installed P3P, but the cookies still don't work 100% of the time, it's like they pick and choose when to work and when NOT to work.
    There's a solvable issue here.. it's not random. Maybe address this in another post with the code you are using to get/set cookies and store session data.

    Part of the reason of using a Session Id being so long, is to make it hard to guess. but being passed in every url, secure and not secure could be bad.
    Your most prevalent problem here is visitors copying the URL for the page they are on and recommending it to others by pasting the URL straight into a forum or similar..

    Is there a way to make it work ONLY with that browser, but where it won't work if it's on another, such as a different version, or a different "platform" or a different IP?
    Your session id is your only real point of reference. You can check the user agent, but (admittedly a while back) Opera changed its user agent depending on whether or not the page was over https.. You can check the IP, but AOL users will have a different one every time and different users may appear to share the same IP (proxy servers).

    cheers,

    J
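As an added example (not code from the thread or from any of the posters), the following pulls together the advice from The Mad Hatter and edoc above in CGI.pm terms: a long random session id carried in a cookie rather than in every URL, server-side idle and absolute expiry, a logout that forces expiration, and a user-agent check used only as a signal to re-authenticate rather than as a hard guarantee, since the IP and user agent are both unreliable for the reasons given. It assumes /dev/urandom, the core Digest::SHA module, and a CGI.pm version that understands -httponly; the %SESSIONS hash and the request values in the demonstration at the bottom are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: cookie-carried session ids with server-side expiry and a
# coarse user-agent check. Not code from the thread; see lead-in for assumptions.
use strict;
use warnings;
use CGI qw(:standard);
use Digest::SHA qw(sha256_hex);

# Constructed in-memory store. A real deployment keeps this in a file or
# database (CGI::Session, for instance) keyed by the session id.
my %SESSIONS;
my $IDLE_TIMEOUT = 30 * 60;    # seconds of inactivity before a session dies
my $MAX_LIFETIME = 8 * 3600;   # absolute lifetime regardless of activity

# 256 bits from the kernel CSPRNG; Perl's rand() is not suitable for this.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read($fh, my $bytes, 32);
    close $fh;
    die "short read from urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;   # 64 hex characters
}

sub create_session {
    my ($user, $user_agent) = @_;
    my $id  = new_session_id();
    my $now = time;
    $SESSIONS{$id} = {
        user      => $user,
        created   => $now,
        last_seen => $now,
        # Hash of the UA string. A mismatch is a hint the id may have been
        # copied elsewhere, but Opera (per edoc) has changed its UA between
        # http and https, so a mismatch means "log in again", not "attack".
        ua_hash   => sha256_hex($user_agent // ''),
    };
    return $id;
}

# Returns (session record, 'ok') or (undef, reason). Expired or mismatched
# sessions are removed so a stale id cannot be retried indefinitely.
sub validate_session {
    my ($id, $user_agent) = @_;
    return (undef, 'no id') unless defined $id && $id =~ /^[0-9a-f]{64}$/;
    my $s = $SESSIONS{$id} or return (undef, 'unknown id');
    my $now = time;
    if ($now - $s->{created} > $MAX_LIFETIME
        || $now - $s->{last_seen} > $IDLE_TIMEOUT) {
        delete $SESSIONS{$id};
        return (undef, 'expired');
    }
    if ($s->{ua_hash} ne sha256_hex($user_agent // '')) {
        delete $SESSIONS{$id};
        return (undef, 'user-agent changed');
    }
    $s->{last_seen} = $now;
    return ($s, 'ok');
}

# Logout: gives the user a way to force expiration, as The Mad Hatter suggests.
sub destroy_session { return delete $SESSIONS{ $_[0] // '' } ? 1 : 0 }

# No -expires, so the cookie lives only as long as the browser does; -secure
# keeps it off plain http; -httponly keeps page script from reading it.
sub session_cookie {
    my ($id) = @_;
    return cookie(-name => 'sessionid', -value => $id,
                  -path => '/', -secure => 1, -httponly => 1);
}

# Stand-alone demonstration with constructed request values.
my $ua = 'Mozilla/5.0 (constructed example browser)';
my $id = create_session('richard', $ua);
print "cookie header value: ", session_cookie($id)->as_string, "\n";

my ($sess, $why) = validate_session($id, $ua);
print "same browser:      $why\n";     # ok
($sess, $why) = validate_session($id, 'Other/1.0 (constructed)');
print "different browser: $why\n";     # user-agent changed
print "id still valid?    ", (exists $SESSIONS{$id} ? 'yes' : 'no'), "\n";

my $id2 = create_session('richard', $ua);
print "logout removed it? ", (destroy_session($id2) ? 'yes' : 'no'), "\n";
```

In a real request handler the id comes from cookie("sessionid") and the user agent from user_agent(), and the cookie is emitted with header(-cookie => session_cookie($id)); the two checks that matter most here are that the id is never placed in a URL and that the server, not the client, decides when a session ends.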