Can I tell you more than what the subject says?
Close the browser, clean all your cookies, and open any page with that
?PHPSESSID=spoofme appended.
And see what happens.

1) No cookies are left
2) A session 'spoofme' is created

Do you need more? JavaScript URL injection and cross-site scripting
become obsolete with this 'feature'.


I mean, the Zend site doesn't quite work like this (do the same test,
proceeding as described above...).
The session values to append to the location in your cookie-enabled browser
are Zend_Session_DB=whatever and Zend_Session_DB_SECURE=whatever2 on their
login page.

I don't know if this is related to the free downloadable version, and
whether the one they sell and adopt is more 'fortified'... they should
clearly state it then!
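The fix for the URL-supplied session ID described in the post above is to make PHP ignore IDs outside the cookie and to reject IDs it never issued. The following is an added example, not code from the original post or from Zend; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and a cookie-capable client.

```php
<?php
// Added example (not from the original post): harden PHP session handling
// so that '?PHPSESSID=spoofme' in a URL neither sets a cookie nor creates
// a live session called 'spoofme'. Assumes PHP >= 7.3.

// Only the cookie carries the session ID; URL and form fields are ignored.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject any ID the server did not generate itself (fixes the fixation case).
ini_set('session.use_strict_mode', '1');
// Keep the cookie off plain HTTP and out of reach of scripts.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Attempts to supply the ID via the query string are worth logging for
// monitoring, even though they are now ignored.
if (isset($_GET[session_name()])) {
    error_log('session id supplied in URL from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

// On a privilege change such as login, discard the pre-login ID entirely
// so a session fixed before authentication cannot be reused afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

With use_strict_mode on, an unknown ID in the cookie is replaced by a fresh one rather than being adopted, which is the behaviour the post expected by default.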


