On Fri, Apr 4, 2008 at 2:57 PM, Thiago Pojda <thiago.pojda@xxxxxxxxxxxxxxxxxx> wrote:
>> From: Daniel Brown [mailto:parasane@xxxxxxxxx]
>>
>> <?php
>> echo
>> "http://www.domain.com/script.php?".session_name()."=".session_id();
>> ?>
>
> I think it was supposed to add those stuff automagically...?
>
> Not quite sure I understood. I found little doc on that setting, most results
> are people telling to not use it :)

Probably because of the fear of session hijacking and spoofing. The thing is, a handwritten cookie is just as effective for that, by changing the PHPSESSID (or equivalent).

In any case, a 32-byte hexadecimal hash should be sufficient security for most sessions.

--
</Daniel P. Brown>