This is addressed by Zend_Session already. You should make sure that you re-generate the session id for every request; I usually include Zend_Session::regenerateId() in my bootstrap.
I would suggest reading the reference:
http://framework.zend.com/manual/en/zend.session.global_session_management.html#zend.session.global_session_management.session_identifiers.hijacking_and_fixation

Thx

2008/9/30 Robert Castley <[EMAIL PROTECTED]>:
> The following article highlights security issues with session IDs. It also
> goes on to say not to use URL re-writes.
>
> How does this affect ZF? The quick test provided in the link does indeed
> expose my session ID when using Zend_Auth.
>
> http://www.theregister.co.uk/2008/09/29/sessionid_protection/
>
> - Robert

--
[MuTe]
