I haven't looked in any detail at these functions, but wouldn't you be able to prevent fixation by inquiring whether a particular session was already started? -- rather than PHP's current (IMHO flawed) behavior where a new session is simply started with whatever session id is passed in.
It would raise the bar, but that's about it.
An attacker visits your site (to initiate the session), determines the assigned session identifier, and then uses that session identifier (which now references an initiated session) for the session fixation attack.
Chris
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
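The reply's point, as an added example that is not part of the original thread: a constructed in-memory model (`SessionStore` and its methods are hypothetical, not PHP's session extension) in which the store adopts only ids it has already started, yet an id known before login still works afterwards. Replacing the id at login is the mitigation assumed here (what `session_regenerate_id()` does in PHP); the thread itself does not name one.

```php
<?php
// Constructed in-memory model for illustration; not PHP's session extension.
final class SessionStore
{
    private array $sessions = [];
    // Server-initiated session: the only way an id becomes "already started".
    public function create(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = [];
        return $id;
    }
    // The proposed check: adopt a client-supplied id only if it was already started.
    public function open(?string $clientId): string
    {
        if ($clientId !== null && isset($this->sessions[$clientId])) {
            return $clientId;
        }
        return $this->create();
    }
    // Login; with $regenerate the data moves to a fresh id and the old id is destroyed.
    public function login(string $id, string $user, bool $regenerate): string
    {
        if ($regenerate) {
            $new = $this->create();
            $this->sessions[$new] = $this->sessions[$id];
            unset($this->sessions[$id]);
            $id = $new;
        }
        $this->sessions[$id]['user'] = $user;
        return $id;
    }
    public function userFor(string $id): ?string
    {
        return $this->sessions[$id]['user'] ?? null;
    }
}
// True when the id known before login still maps to the logged-in user afterwards.
function preLoginIdStillValid(bool $regenerate): bool
{
    $store = new SessionStore();
    $known = $store->create();   // id issued by the server on an ordinary visit
    $id = $store->open($known);  // passes the "already started" check
    $store->login($id, 'alice', $regenerate);
    return $store->userFor($known) === 'alice';
}
var_dump(preLoginIdStillValid(false), preLoginIdStillValid(true));
```

Run with the PHP CLI (7.4 or later): the first value is `true` because the existence check accepts the server-issued id, and the second is `false` because the pre-login id no longer exists once it is replaced at login.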