Not to be rude or anything, but this question is better suited for php-general
-Jeremy

On Tue, 29 Mar 2005 12:47:29 -0500, Hans L <[EMAIL PROTECTED]> wrote:
> Hi,
>
> This may not be the right place for this question, but what I'm looking
> to understand is the reasoning behind what seems to be the standard
> session behavior in PHP. And, if it's possible, how to change this
> behavior (via INI settings, etc.).
>
> As I understand (and experience) it, if a client [browser] presents a
> session id (e.g. in a cookie) to the server, then PHP will attempt to
> match that ID to the session on the system. If found, that session
> information will be made available to the scripts. Fine. But, if *not
> found* then a new session will be created with the specified ID.
>
> Is there any way to disable this behavior? I can't think of a single
> circumstance under which this would be the desired behavior, but my use
> of sessions has been more limited to authentication & web applications.
> I know about using session_regenerate_id() after authentication, to
> prevent fixation, but it seems like this is a workaround for a more
> fundamental problem in PHP session behavior.
>
> On a side note, does anyone know if Hardened-PHP exhibits the same behavior?
>
> Thanks,
> Hans
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
---------------------------
Jeremy Johnstone
http://www.jeremyjohnstone.com
[EMAIL PROTECTED]
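
An added example, not part of the thread and not code from either poster: a userland guard that refuses to keep a session whose ID was supplied by the client but never issued by the server, alongside the `session_regenerate_id()` call on login that the question mentions. The function names and the `server_issued` marker key are assumptions made for illustration; `session.use_strict_mode` is an INI directive added in later PHP releases than the one under discussion.

```php
<?php
// Added example. Assumed names: start_guarded_session(), on_login(),
// and the 'server_issued' marker key.

function start_guarded_session(): bool
{
    // On PHP versions that have it, strict mode makes the engine itself
    // reject IDs it has no stored session for. Older versions ignore it,
    // so the marker check below still does the work there.
    ini_set('session.use_strict_mode', '1');
    // Accept session IDs from cookies only, never from the URL.
    ini_set('session.use_only_cookies', '1');

    session_start();

    if (empty($_SESSION['server_issued'])) {
        // No marker: either a first visit, or the client presented an ID
        // with no stored session and PHP adopted it. In both cases discard
        // that ID, delete its storage, and issue a fresh server-chosen one.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['server_issued'] = true;
        return false; // caller is working with a brand-new session
    }

    return true; // existing session that this server created earlier
}

function on_login(string $userId): void
{
    // The marker only proves the server issued the ID at some point, not
    // who first received it, so the ID is still rotated when the
    // privilege level changes.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Usage: call once at the top of every request, before any output.
$existing = start_guarded_session();
```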