Hi Arpad,

On Mon, Aug 5, 2013 at 6:22 PM, Arpad Ray <array...@gmail.com> wrote:
> I thought we were in agreement about doing this properly in PHP.next? My
> arguments against this version of the patch still stand:

We had a long discussion and decided to apply this to maintained branches as a security enhancement more than a year ago. We also planned to apply the patch to 5.3 originally, but 5.3 is security fix only now.

Anyway, if users are resetting session id properly, they are protected against session adoption attacks. However, if users are not protecting their apps properly, then they are at risk of session adoption.

This fix is rather important for PHP, since there are many setups that share PHP with many apps. That's the reason why we decided to apply this patch to maintained branches. PHP web server admins should feel much safer than before with this feature.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net