But could you at least answer the question? What is the advantage of allowing user-supplied new session ids? I see no reason not to add a check for this.
On Tue, 20 Aug 2002, Sascha Schumann wrote:

> On Mon, 19 Aug 2002, Rasmus Lerdorf wrote:
>
> > Well, while it is true that it is impossible to completely prevent, our
>
> I've been through this argument a couple of times and I don't
> plan to spend more time on it.
>
> If you want your site to be safe, enable
> session.use_only_cookies and be done with it. No amount of
> checking on the server side can otherwise prevent this class
> of attacks.
>
> - Sascha
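
The server-side check asked about in the message above, as an added Python sketch that is not PHP's session code and not from this thread; `SessionStore`, `start` and the `strict` flag are hypothetical names. It contrasts adopting a client-chosen new ID with refusing it, and shows that an ID the server itself issued is resumed whoever presents it, which is the limit the quoted reply refers to.

```python
import secrets


class SessionStore:
    """Toy in-memory session store (hypothetical; models only the ID check)."""

    def __init__(self, strict):
        self.strict = strict   # True: refuse IDs this server never issued
        self.sessions = {}     # session id -> session data

    def _issue(self):
        # Server-generated, unpredictable ID.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def start(self, presented_id=None):
        """Handle one request; return (session_id, adopted_client_value)."""
        if presented_id in self.sessions:
            return presented_id, False         # known ID: resume the session
        if presented_id and not self.strict:
            self.sessions[presented_id] = {}   # permissive: client picks the ID
            return presented_id, True
        return self._issue(), False            # no ID, or unknown ID refused


def demo():
    chosen = "constructed-client-chosen-id"    # constructed sample value
    permissive = SessionStore(strict=False)
    strict = SessionStore(strict=True)

    p_sid, p_adopted = permissive.start(chosen)
    s_sid, s_adopted = strict.start(chosen)

    # Limit of the check: an ID the server issued earlier is resumed no
    # matter which client presents it, so the check cannot tell them apart.
    issued, _ = strict.start()
    resumed, _ = strict.start(issued)

    return {
        "permissive_adopts": p_sid == chosen and p_adopted,
        "strict_replaces": s_sid != chosen and not s_adopted
                           and chosen not in strict.sessions,
        "issued_id_resumes": resumed == issued,
    }


if __name__ == "__main__":
    print(demo())
```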