That may not be the only module, but now we know what we are looking for (strangely encrypted sessions in the database is one big giveaway now) and it only requires a small config change to make everything work so everyone should be dancing.
What's interesting is that it protects php invisibly on a virtual host, because the bulk hosting end of the market has no access to their log files so can't see that something is examining their sessions for possible security issues and then locking down. It would be a great piece of software for running WorldPay itself, as it stops people intercepting sessions URL variables or session cookies, so if one only need to stay in the same website it's fantastic, it's a right bugger when you need WorldPay to talk outside of it's box and it doesn't inform you that it's going to cut the lines of communication.
That jon> bloke, seriously, he has done a sterling effort, because he could just have walked away from WorldPay and we would never have known the answer and the same old "I don't get told a payment's been made" or "my session's being dropped" or "I have a redirect failing on line 22 because the headers have already been sent". ALL of these bugs can be caused by that additional invisible module. (some of them can be caused by people being silly too, but hell, I'm one more step closer to enlightenment ).
Philip.



