Hans L wrote:
Ok, I'll post it there. I thought that it was more a question of "why is it this way?" than "how do I do XXXX?".
Thanks, Hans
Jeremy Johnstone wrote:
Not to be rude or anything, but this question is better suited for php-general
-Jeremy
On Tue, 29 Mar 2005 12:47:29 -0500, Hans L <[EMAIL PROTECTED]> wrote:
Hi,
This may not be the right place for this question, but what I'm looking to understand is the reasoning behind what seems to be the standard session behavior in PHP. And, if it's possible, how to change this behavior (via INI settings, etc.).
As I understand (and experience) it, if a client [browser] presents a session id (e.g. in a cookie) to the server, then PHP will attempt to match that ID to the session on the system. If found, that session information will be made available to the scripts. Fine. But, if *not found* then a new session will be created with the specified ID.
Is there any way to disable this behavior? I can't think of a single circumstance under which this would be the desired behavior, but my use of sessions has been more limited to authentication & web applications. I know about using session_regenerate_id() after authentication, to prevent fixation, but it seems like this is a workaround for a more fundamental problem in PHP session behavior.
On a side note, does anyone know if Hardened-PHP exhibits the same behavior?
Thanks, Hans
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
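The behavior described in the original question (an unknown client-supplied ID being adopted as a new session) can be refused on the server side. The following is an added example, not code from the thread or from the PHP project: it assumes PHP 5.5.2 or later for the `session.use_strict_mode` INI setting, and the `server_issued` key and `on_login_success()` function are hypothetical names.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 5.5.2.

// Refuse session IDs that do not match an existing server-side session;
// PHP issues a fresh ID instead of adopting the client's value.
ini_set('session.use_strict_mode', '1');
// Accept the ID only from the cookie, never from a URL parameter.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

session_start();

// Defense in depth for save handlers or runtimes where strict mode is not
// enforced: a session without our marker was not initialized by this
// application, so discard the presented ID and start clean.
// 'server_issued' is a hypothetical key name.
if (empty($_SESSION['server_issued'])) {
    $_SESSION = array();
    session_regenerate_id(true);   // true: delete the old session data
    $_SESSION['server_issued'] = true;
}

// Hypothetical helper: call once credentials have been verified, so the
// authenticated session never keeps an ID that existed before login.
function on_login_success($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```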