>> But the real issue here is about session hijacking. Yes, of course
>> people can send whatever session id they want to PHP. Since the
>> session id comes from the user we need to accept what is sent.
>
> This is what I consider inconceivable.
> Why ever should tickets issued by the user be accepted, to what pro?
> Something clashes here with that 'very unpredictable dedicated device'.
> I'd prefer no acceptance of user-provided id, if not where expressly
> configured.
There is a simple solution: make sure you're the one generating the IDs, and upon each "proper" session start (where no session id is passed in) set a session "I started this session" variable. If a session ID has been passed in, then check for that variable: if it exists, continue; if not, show an error message.

Note: you will experience the same problem if the session times out.

--
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
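The check Dan describes, written out as an added example for a cookie-based PHP session (this is not code from the original thread or from PHP itself). The variable name `started_here`, the `fail()` handler and the HTTP 400 response are assumptions of the example; the session ID a client presents in the cookie is accepted only if the server-side session it resolves to carries the marker set at a "proper" start, so an ID the attacker minted (or an expired one, as Dan notes) is rejected:

```php
<?php
// Added example, not from the original post. Implements the
// "I started this session" marker: a presented session id is
// honoured only if the session it names was created by this server.
// "started_here", fail() and the 400 response are hypothetical choices.

declare(strict_types=1);

function fail(string $reason): void
{
    // An id we never issued and an id whose session has expired look
    // identical on the server (no marker), so both are refused. Destroy
    // whatever PHP attached so the stale id is not kept alive.
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        session_destroy();
    }
    http_response_code(400);
    exit("Invalid session: $reason\n");
}

function start_session(): void
{
    // Never accept a session id from the URL; cookies only.
    ini_set('session.use_only_cookies', '1');

    // Did the client present an id at all? Decide this before
    // session_start(), which would otherwise create one for us.
    $clientSentId = isset($_COOKIE[session_name()]);

    session_start();

    if ($clientSentId) {
        // Client-supplied id: valid only if we created the session behind it.
        if (empty($_SESSION['started_here'])) {
            fail('session id was not issued by this server');
        }
        return;
    }

    // No id presented: this is a proper session start, so mark it as ours.
    $_SESSION['started_here'] = true;
}

start_session();
// ... application code runs with a session this server created ...
```

On current PHP the same effect is available built in: with `session.use_strict_mode = 1` the engine discards any id it did not itself initialise and issues a fresh one, and calling `session_regenerate_id(true)` after login changes the id at the privilege boundary so a fixated id is never upgraded. The marker check above is still useful as an explicit, auditable assertion, and it fails in exactly the timeout case Dan points out, so the error page should offer a fresh login rather than treating it as an attack.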