[PHP] why manual says 'don't use session_register'?

2002-09-24 Thread Giancarlo Pinerolo
The manual has many cautions that say 'do not use session_register, session_is_registered, session_unregister, when the ini setting is register_globals=off. But they still do work, it seems. Or how exactly do these functions work differently than with reg_globals On? Can I still continue to

Re: [PHP] disabled cookies and sessions

2002-06-08 Thread Giancarlo Pinerolo
Nick Wilson wrote: * and then Chris Sechiatano declared You have to code the PHPSESSID into your URL if your browser has cookies disabled or else it won't work. No. As I said, I have php compiled with --enable-trans-sid Php

[PHP] Re: emulating --enable-trans-sid -- project idea?

2002-06-07 Thread Giancarlo Pinerolo
Justin French wrote: Hi all, About 2.30 in the morning I started kicking around an idea, based on the recent discussions on sessions, and what --enable-trans-sid did. From my understanding: + if there is no session cookie, set a cookie AND append a session ID to URLs on the

[PHP] the ?PHPSESSID=spoofme 'bug'

2002-06-07 Thread Giancarlo Pinerolo
Can I tell you more than what the subject says? proceeding: Close the browser, clean all your cookies, and open any page with that ?PHPSESSID=spoofme appended. And see what happens. 1) No cookies are left 2) a session 'spoofme' is created Do you need more? Javascript url injection and cross

[PHP] Re: the ?PHPSESSID=spoofme 'bug'

2002-06-07 Thread Giancarlo Pinerolo
I myself wrote: Can I tell you more than what the subject says? proceeding: Close the browser, clean all your cookies, and open any page with that ?PHPSESSID=spoofme appended. And see what happens. 1) No cookies are left 2) a session 'spoofme' is created Do you need more?

[PHP] Re: the ?PHPSESSID=spoofme 'bug'

2002-06-07 Thread Giancarlo Pinerolo
Giancarlo Pinerolo wrote: I myself wrote: Can I tell you more than what the subject says? proceeding: Close the browser, clean all your cookies, and open any page with that ?PHPSESSID=spoofme appended. And see what happens. spoofme is not the exact term. ?PHPSESSID=hijackme

[PHP] session security

2002-06-02 Thread Giancarlo Pinerolo
Why can a user force php to create a session he's giving the name in the URL? Do you want me to list half a dozen ways to get rich now with these holes? Does anyone understand the malice of this? Anyone can offer you a click on a session he's going to visit later and hijack from you? Anyone