On May 20, 2013 8:45 PM, "Matijn Woudt" <tijnema@xxxxxxxxx> wrote:
>
> On Mon, May 20, 2013 at 10:46 PM, David OBrien <dgobrien@xxxxxxxxx> wrote:
>>
>> On Mon, May 20, 2013 at 4:14 PM, Tim Schofield <tim@xxxxxxxxxxxxxxxx> wrote:
>>
>> > Matijn
>> >
>> > There are well over half a million lines of source code in PHP. It seems a
>> > little unhelpful to tell someone to go and read half a million lines of C
>> > when you could just tell them the answer?
>> >
>> > Thanks
>> > Tim
>> >
>> > Course View Towers,
>> > Plot 21 Yusuf Lule Road,
>> > Kampala
>> > T +256 (0) 312 314 418
>> > M +256 (0) 752 963 325
>> > www.weberpafrica.com
>> > Twitter: @TimSchofield2
>> > Blog: http://weberpafrica.blogspot.co.uk
>> > On May 20, 2013 6:24 PM, "Matijn Woudt" <tijnema@xxxxxxxxx> wrote:
>> >
>> > > On Mon, May 20, 2013 at 5:33 AM, 孟远涛 <yuantao.meng@xxxxxxxxx> wrote:
>> > >
>> > > > I find the Note in PHP document.
>> > > > http://www.php.net/manual/en/function.session-id.php
>> > > >
>> > > > "Note: When using session cookies, specifying an id for session_id()
>> > > > will always send a new cookie when session_start() is called,
>> > > > regardless if the current session id is identical to the one being
>> > > > set."
>> > > >
>> > > > I feel puzzled about this feature. Even if the current session id is
>> > > > identical to the one being set, session_start will send a new
>> > > > cookie. I want to know why session_start behaves in this way.
>> > > >
>> > > > Forgive my poor English. Thanks in advance.
>> > > >
>> > >
>> > > You will find the answer in the PHP source code.
>> > > If you don't want this to happen, check if the current session id matches
>> > > with the value you want to set it to, and don't set if they match.
>> > >
>> > > - Matijn
>> > >
>> >
>>
>> I guess it would be to help prevent session hijacks like explained here
>>
>> http://stackoverflow.com/questions/12233406/preventing-session-hijacking
>
> How would it help preventing session hijacking if it was sending a new
> cookie with the same session id?
>
> - Matijn
>

I was thinking if I was sitting in a cafe and someone was sniffing and tried
to use my session info, they would get a new session id where I would still
have my original one, so they wouldn't be able to hijack mine trying to reuse
the same id I have, since PHP would generate a new one. No?
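
The check suggested earlier in the thread (call session_id() only when the wanted id differs from the one the client already presented), written out as an added example that is not code from any participant in this thread. The function names, the id pattern and the cookie options are assumptions of this example; the second function shows the call that actually issues a different id.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: start the session under $wantedId, but call
// session_id() only when the client did not already present that id,
// so session_start() has no reason to re-send the cookie.
function start_session_as(string $wantedId): bool
{
    // Assumed policy: accept only the character set the default "files"
    // handler allows, and a length PHP itself could have issued.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $wantedId)) {
        return false;
    }

    // The id the browser sent, if any. A cookie named "x[]" arrives as an
    // array, so anything that is not a string is treated as absent.
    $presented = $_COOKIE[session_name()] ?? '';
    if (!is_string($presented)) {
        $presented = '';
    }

    // Constant-time comparison; set the id only when it really differs.
    if (!hash_equals($wantedId, $presented)) {
        session_id($wantedId);
    }

    // Keep the cookie off plain HTTP and out of reach of page scripts
    // (options array available since PHP 7.0).
    return session_start([
        'cookie_secure'   => true,
        'cookie_httponly' => true,
    ]);
}

// Hypothetical login hook: this is where a new id is generated. The old
// session data is deleted, so an id captured before login stops working.
function on_login(): void
{
    session_regenerate_id(true);
}
```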