On Mon, May 20, 2013 at 10:46 PM, David OBrien <dgobrien@xxxxxxxxx> wrote: > On Mon, May 20, 2013 at 4:14 PM, Tim Schofield <tim@xxxxxxxxxxxxxxxx> > wrote: > > > Matijn > > > > There are well over half a million lines of source code in PHP. It seems > a > > little unhelpful to tell someone to go and read half a million lines of C > > when you could just tell them the answer? > > > > Thanks > > Tim > > > > Course View Towers, > > Plot 21 Yusuf Lule Road, > > Kampala > > T +256 (0) 312 314 418 > > M +256 (0) 752 963 325 > > www.weberpafrica.com > > Twitter: @TimSchofield2 > > Blog: http://weberpafrica.blogspot.co.uk > > On May 20, 2013 6:24 PM, "Matijn Woudt" <tijnema@xxxxxxxxx> wrote: > > > > > On Mon, May 20, 2013 at 5:33 AM, 孟远涛 <yuantao.meng@xxxxxxxxx> wrote: > > > > > > > I find the Note in PHP document. > > > > http://www.php.net/manual/en/function.session-id.php > > > > > > > > "Note: When using session cookies, specifying an id for session_id() > > will > > > > always send a new cookie when session_start() is called, regardless > if > > > the > > > > current session id is identical to the one being set." > > > > > > > > I feel puzzled about this feature. Even if the current session id is > > > > identical to the one one being set, session_start will send a new > > > cookie. I > > > > want to know why session_start behave in this way. > > > > > > > > Forgive my poor English. Thanks in advance. > > > > > > > > > > You will find the answer in the PHP source code. > > > If you don't want this to happen, check if the current session id > matches > > > with the value you want to set it to, and don't set if they match. > > > > > > - Matijn > > > > > > > I guess it would be to help prevent session hijacks like explained here > > http://stackoverflow.com/questions/12233406/preventing-session-hijacking How would it help preventing session hijacking if it was sending the a new cookie with the same session id? - Matijn
