In a vhost environment, it seems that any script can flush all existing sessions that use the common save_path by lowering its gc_maxlifetime and setting its gc_probability to 100%.

Both gc_maxlifetime and gc_probability values are INI_ALL, even when the session.save_path is set to everybody's cauldron, on /tmp. This will make it possible for any vhost to block other vhosts' session management. Maybe it should be INI_ALL *only* when a particular save_path is specified, so that it will influence only its sessions? Or does there exist some fault setting by which anyone could have the privileges to force gc on some other vhosts' session by specifying *also* the other vhost's save_path?

Giancarlo

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
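A configuration audit for the exposure raised in the message above, as an added example that is not part of the original post or of PHP itself. It assumes an Apache/mod_php setup where per-vhost values are set with `php_value` or `php_admin_value` (only the latter cannot be overridden by scripts or `.htaccess`); the sample config, the host names and the `audit` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample Apache config (not from the original post).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName a.example
    php_admin_value session.save_path /var/lib/php/sessions/a
    php_admin_value session.gc_maxlifetime 1440
    php_admin_value session.gc_probability 1
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    php_value session.save_path /tmp
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
</VirtualHost>
"""

DEFAULT_SAVE_PATH = "/tmp"  # assumption: the global default the post refers to
GC_KEYS = ("session.gc_maxlifetime", "session.gc_probability")
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(php_admin_value|php_value)\s+(\S+)\s+(\S+)", re.M | re.I)

def audit(conf, default_path=DEFAULT_SAVE_PATH):
    """Return {server_name: [findings]} for every vhost with a problem."""
    vhosts, by_path = {}, defaultdict(list)
    for body in VHOST_RE.findall(conf):
        m = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        name = m.group(1) if m else "<unnamed>"
        # Map each PHP setting to (directive used, value) for this vhost.
        settings = {k.lower(): (d.lower(), v) for d, k, v in DIRECTIVE_RE.findall(body)}
        vhosts[name] = settings
        by_path[settings.get("session.save_path", ("", default_path))[1]].append(name)
    findings = defaultdict(list)
    for name, settings in vhosts.items():
        kind, path = settings.get("session.save_path", ("", default_path))
        others = [n for n in by_path[path] if n != name]
        if others:  # another vhost's GC run can delete this vhost's session files
            findings[name].append(f"save_path {path} shared with {', '.join(others)}")
        if kind != "php_admin_value":
            findings[name].append("save_path not locked with php_admin_value")
        for key in GC_KEYS:
            if settings.get(key, ("", ""))[0] != "php_admin_value":
                findings[name].append(f"{key} overridable by scripts")
    return dict(findings)
```

On the sample, `audit(SAMPLE_CONF)` reports nothing for `a.example` and four findings each for `b.example` and `c.example`, which both end up on `/tmp`.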