Marek Kilimajer wrote:
> COOOOOKIES, I'm talking about COOKIES.
>
> Anytime you talk about cookies or cookie files, you mean session and
> session files, respectively. These are completely different things,
> please don't intermingle them.

session_set_cookie_params()
^^^^^^^

You're talking about a function whose name starts with session, which is in the sessions section of the PHP Manual:
http://php.net/session_set_cookie_params

The Cookie in question is used to uniquely identify a surfer with PHP's session files for that surfer.

What exactly do you think this function *DOES* if you aren't using sessions and session files?

NOTHING!

It sets the file to be used when PHP sends the PHPSESSID Cookie which is used for PHP's Session files.

Period.

Thus my point remains:

On a shared server, I don't need to resort to calling this function to hijack your Cookie/session. PHP can read the raw session files. I can write a PHP script to read the raw session files, regardless of what directory the Cookie is set to use to store/retrieve the Cookie whose purpose is to identify those files.

This is not something you can "fix" in any real-world scenario where it matters.

If you don't like that, don't use a shared server.

It's that simple.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
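As an added example (not part of the original message or of PHP itself), a site owner on a shared host can check how exposed their own session directory is with a short audit script. It assumes the default `files` session handler on a Unix-like host; the function names `session_dir_from_ini` and `audit_session_dir` are hypothetical.

```php
<?php
// Added example: report whether this site's session directory is shared
// with, or open to, other accounts on the host. Assumes the "files" handler.

function session_dir_from_ini(string $savePath): string
{
    // session.save_path may be "/path", "N;/path" or "N;MODE;/path";
    // the directory is always the last field.
    $parts = explode(';', $savePath);
    $dir = trim(end($parts));
    // An empty setting makes the files handler fall back to the temp directory.
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

function audit_session_dir(string $dir): array
{
    if (!is_dir($dir)) {
        return ["$dir is not a directory"];
    }
    $findings = [];
    $perms = fileperms($dir) & 0777;
    if ($perms & 0007) {
        $findings[] = sprintf('%s grants permissions to other accounts (mode %04o)', $dir, $perms);
    }
    if ($perms & 0070) {
        $findings[] = sprintf('%s grants permissions to its group (mode %04o)', $dir, $perms);
    }
    // posix_geteuid() needs the posix extension; skip the check without it.
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $findings[] = "$dir is not owned by the account running this script";
    }
    if (realpath($dir) === realpath(sys_get_temp_dir())) {
        $findings[] = "$dir is the system temp directory, shared by every site on the host";
    }
    return $findings;
}

if (ini_get('session.save_handler') !== 'files') {
    echo 'Session handler is not "files"; this audit does not apply.', PHP_EOL;
    exit(0);
}
$dir = session_dir_from_ini((string) ini_get('session.save_path'));
$findings = audit_session_dir($dir);
echo $findings ? implode(PHP_EOL, $findings) : "$dir is private to this account", PHP_EOL;
```

A clean result only means the directory is private to the operating-system account PHP runs as. Where every site's PHP runs under the same account, the files stay readable by the other sites regardless of directory.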