> Any propagation, doesn't matter.
> The passed id must exist, otherwise discarded and regenerated.
> I saw that php already creates the session at the start.
>
> The possibility to count on a stable name, because recreatable anytime
> and though surviving gc, is a great weakness for that type of snoop.
> php has to have the nicely dedicated devices to generate the id.

And it does. The session ids are not predictable, especially if you set the entropy source to something like /dev/urandom in php.ini.

-Rasmus

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
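
An added example, not part of the original thread and not code from the PHP project: a runtime check of the two points discussed above, the entropy source for session ids and the rejection of ids the server never issued. The function name `audit_session_ini` and its messages are made up for illustration; it assumes the `session.entropy_file` and `session.entropy_length` directives of PHP versions before 7.1 (later versions removed them and always draw ids from the system CSPRNG) and `session.use_strict_mode` from PHP 5.5.2 onward.

```php
<?php
// Added example: audit_session_ini() and its messages are illustrative,
// not part of PHP itself.
function audit_session_ini()
{
    $findings = array();

    // session.use_strict_mode (PHP 5.5.2+): an id that does not match an
    // existing session is discarded and a fresh id is generated.
    $strict = ini_get('session.use_strict_mode');
    if ($strict === false) {
        $findings[] = 'session.use_strict_mode is not available in this PHP version';
    } elseif (!filter_var($strict, FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'session.use_strict_mode is off: ids chosen by the client are accepted';
    }

    // Before PHP 7.1 the extra entropy source is configurable in php.ini.
    // From 7.1 on these directives no longer exist, so there is nothing to check.
    if (PHP_VERSION_ID < 70100) {
        $file   = (string) ini_get('session.entropy_file');
        $length = (int) ini_get('session.entropy_length');

        if ($file === '' || $length <= 0) {
            $findings[] = 'no entropy file in use: set session.entropy_file '
                        . '(for example /dev/urandom) and a non-zero session.entropy_length';
        } elseif (!is_readable($file)) {
            // open_basedir or file permissions can make the device unreadable.
            $findings[] = "session.entropy_file '$file' is not readable by this process";
        }
    }

    return $findings;
}

$findings = audit_session_ini();
if (count($findings) === 0) {
    echo "session id settings look sane\n";
} else {
    foreach ($findings as $finding) {
        echo "WARN: $finding\n";
    }
}
```

Run it under the same SAPI and php.ini as the application, since the CLI often loads a different configuration file than the web server does.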