Rasmus Lerdorf wrote:
> No, I think the check we need here is one that checks to see if the
> session specified in the user-supplied PHPSESSID exists. If it does not
> exist, toss that session id and replace it with a PHP-generated one.
>
> Perhaps Sascha has some thoughts on these two session-related things I'd
> like to see changed/fixed? The second one being the implementation of
> session_readonly() and the accompanying control of whether the gc uses
> atime or mtime to gc sessions.

Ok. You are talking more about preventing the user from always accessing
the same session ID. That's one of my worries, too.
I guess msession is already doing this.

--
Yasuo Ohgaki

>
> -Rasmus
>
> On Mon, 19 Aug 2002, Yasuo Ohgaki wrote:
>
>>Rasmus Lerdorf wrote:
>> > Ok, then that is a bug that needs to be fixed before 4.3.
>>
>>This is one of the current session module behaviors that I worry about.
>>We need at least strlen. (and char range check)
>>
>>I check them both in my save handler. (Not published session_pgsql,
>>but my private session save handler)
>>
>>--
>>Yasuo Ohgaki
>>
>>
>>--
>>PHP Development Mailing List <http://www.php.net/>
>>To unsubscribe, visit: http://www.php.net/unsub.php
>>
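
The checks discussed in this thread, as an added example that is not part of the original messages and not code from PHP's session module: a supplied session id is kept only if it passes the length and character-range checks and already exists in the store, otherwise it is tossed and replaced with a generated one. The helper names, the in-memory store and the 32-character hex id format are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed in-memory store standing in for a save handler's backend.
$store = ['0123456789abcdef0123456789abcdef' => 'user|s:5:"alice";'];

// Hypothetical helper: the strlen and character-range checks from the thread.
// The 32-character lowercase hex id format is an assumption of this sketch.
function id_is_well_formed(string $id): bool
{
    return strlen($id) === 32 && strspn($id, '0123456789abcdef') === 32;
}

// Hypothetical helper: decide which session id this request gets.
function resolve_session_id(?string $supplied, array &$store): string
{
    // Keep the supplied id only if it is well formed and already exists.
    if ($supplied !== null
        && id_is_well_formed($supplied)
        && array_key_exists($supplied, $store)) {
        return $supplied;
    }
    // Otherwise discard it and create a server-generated id.
    do {
        $fresh = bin2hex(random_bytes(16));
    } while (array_key_exists($fresh, $store));
    $store[$fresh] = '';
    return $fresh;
}

// Constructed inputs covering each branch.
$cases = [
    'existing id'          => '0123456789abcdef0123456789abcdef',
    'well formed, unknown' => str_repeat('a', 32),
    'too short'            => 'abc123',
    'bad characters'       => str_repeat('Z', 32),
    'no id supplied'       => null,
];

foreach ($cases as $label => $supplied) {
    $id = resolve_session_id($supplied, $store);
    printf("%-22s %s\n", $label, $id === $supplied ? 'kept' : 'replaced with a generated id');
}
```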