Im very confused about session ids and prevention variable poisioning. Say I have a script PHP/ASP dont matter. a function checklogin checks the username and password are valid and loggs you in by setting a variable login=true

Because the username and password are required, this prevents anyone from gaining access by setting loggin=true in a GET request, so the atacker tryes something like

www.mysite.com/index?login=true

and they dont get in because a password and username is required so even if they enter username and password into the get request they would need a valid password.

So typicaly I read that login scripts use a session ID to keep track of this data and prevent poisoning, but my question is this:

Why do I need to register any session variables?, if the password and username needs to be valid, then it would not mater if the data got to me in a GET, POST, PUT or cookie Theyd need a password.

So then whats the purpose of session id's???

Im confused beacuse the get request would need a valid username and pass wouldent mater if its associated with a session right?