Sascha: > If you want your site to be safe, enable > session.use_only_cookies and be done with it. No amount of > checking on the server side can otherwise prevent this class > of attacks.
By the way, does session.use_only_cookies work with session.use_cookies=off? I'm using an alternative method (HTTP Basic Authentication) for the session id propagation, and would like to prevent users from setting the sid in get/post parameters. mk -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, visit: http://www.php.net/unsub.php
