Why can a user force php to create a session he's giving the name in the
Do you want me to list an half a dozen ways to get rich now with this
Does anyone understand the malice of this? 
Anyone can offer you a click on a session he's going to visit later and
hijack from you?
Anyone can post data in a black hole of his own and pass it around
Anyone can place precise strings in a precise file location on a server?
How is it that a user can force to have any session string, passed in
the URL, being created, even when cookies are fully funcional and
Is it possible that there is no policy on creating a new session? There
so much fuzz about register_globals, and we let the user create the
sessions they want?
Shouldn't we check that's us who issued the ticket? 

How is it that I cannot find a decent reply to these questions?


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to