Hi Chris,
Chris Shiflett wrote:
> M. Sokolewicz wrote:
>> "why is it this way" should also be posted to the general newsgroup, it barely has anything to do with internals
>
> The behavior of the session extension has everything to do with internals. I'm not sure why everyone is sending him to php-general. No one there is going to be able to change this behavior. They can only suggest userland code to try to work around it.
>
> The problem is that PHP uses any user-supplied session identifier when creating a new session. This increases the risk of session fixation.
>
> If this behavior were changed, it would not completely protect developers from session fixation, but it would be a step in the right direction. I think the original poster was making this suggestion.
Thanks, Chris. Yes, that's what I was suggesting. I think I may be partly at fault for framing it as a question. I knew quite well that there was no way to change this behavior for PHP, but wanted to know if there was perhaps some good reason for why this behavior existed.
I know for my apps how to mitigate the threat of fixation (I think thanks to an article you wrote), but how many other people know this or make a habit of doing this (i.e. session id regeneration)?
-Hans
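As an added example (not code from this thread or from PHP itself), here is the userland mitigation Hans alludes to: discard any session the server did not itself initialise, and regenerate the id whenever the privilege level changes. `check_credentials` is a hypothetical application function, and the `session.use_strict_mode` setting is a later PHP addition (5.5.2+) that makes the runtime itself refuse ids it never issued.

```php
<?php
// Added example: defend against session fixation in userland.
// The thread's point is that PHP adopts whatever session id the client
// presents; the application must therefore refuse ids it did not issue
// and rotate the id at every privilege change.

function secure_session_start(): void
{
    // Later PHP versions can reject uninitialised ids at the runtime level.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1'); // never accept ids from the URL
    ini_set('session.cookie_httponly', '1');

    session_start();

    // A session without our server-side marker was never created here;
    // its id may have been planted by an attacker. Throw it away and
    // issue a fresh id before anything is stored in it.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true); // true: delete the old session data
        $_SESSION = ['initiated' => true];
    }
}

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) { // hypothetical app function
        return false;
    }
    // Privilege changes: rotate the id so an id known to a third party
    // before login never becomes the id that carries authenticated state.
    session_regenerate_id(true);
    $_SESSION['initiated'] = true;
    $_SESSION['user'] = $user;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}
```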
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php