While implementing a flash-based uploader, we were faced with an issue: Flash doesn't provide the correct cookies. We need our PHP Session ID to be passed via a POST variable.
We have come up with and implemented a functional solution, checking for a POST PHPSESSID.
Is POSTing the Session ID as secure as sending it in a cookie?
Possible reason for: Because both are in the http header, and equally possible for a client to forge. Possible reason against: Because it's easier to forge a POST variable than a Cookie.