Hi, I fully support Rasmus, saying that we should mention the default configuration as unsafe in the documentation.

Unlike Mr. Lorch or similar people I do not think it's our responsibility to configure the server for the admin. And I am a little bit tired of this whole session takeover discussion. Because in the end it's our responsibility to design a secure new unsniffable protocol and develop clients and servers for it. Because THIS would be the only way to stop session takeovers. As long as session IDs are transferred over http/https they are insecure *POINT* If you want to blame someone, go and bitch at Microsoft, who endangers about 70% of all session IDs out there.

Stefan

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]