Re: Question about session_id() and session_start()

On 21 May 2013 03:59, "David OBrien" <dgobrien@xxxxxxxxx> wrote:
>
>
> On May 20, 2013 8:45 PM, "Matijn Woudt" <tijnema@xxxxxxxxx> wrote:
> >
> >
> > On Mon, May 20, 2013 at 10:46 PM, David OBrien <dgobrien@xxxxxxxxx> wrote:
> >>
> >> On Mon, May 20, 2013 at 4:14 PM, Tim Schofield <tim@xxxxxxxxxxxxxxxx> wrote:
> >>
> >> > Matijn
> >> >
> >> > There are well over half a million lines of source code in PHP. It seems a
> >> > little unhelpful to tell someone to go and read half a million lines of C
> >> > when you could just tell them the answer?
> >> >
> >> > Thanks
> >> > Tim
> >> >
> >> > Course View Towers,
> >> > Plot 21 Yusuf Lule Road,
> >> > Kampala
> >> > T +256 (0) 312 314 418
> >> > M +256 (0) 752 963 325
> >> > www.weberpafrica.com
> >> > Twitter: @TimSchofield2
> >> > Blog: http://weberpafrica.blogspot.co.uk
> >> > On May 20, 2013 6:24 PM, "Matijn Woudt" <tijnema@xxxxxxxxx> wrote:
> >> >
> >> > > On Mon, May 20, 2013 at 5:33 AM, 孟远涛 <yuantao.meng@xxxxxxxxx> wrote:
> >> > >
> >> > > > I found this Note in the PHP documentation.
> >> > > > http://www.php.net/manual/en/function.session-id.php
> >> > > >
> >> > > > "Note: When using session cookies, specifying an id for session_id()
> >> > > > will always send a new cookie when session_start() is called,
> >> > > > regardless if the current session id is identical to the one being set."
> >> > > >
> >> > > > I feel puzzled about this feature. Even if the current session id is
> >> > > > identical to the one being set, session_start will send a new cookie.
> >> > > > I want to know why session_start behaves in this way.
> >> > > >
> >> > > > Forgive my poor English. Thanks in advance.
> >> > > >
> >> > >
> >> > > You will find the answer in the PHP source code.
> >> > > If you don't want this to happen, check if the current session id matches
> >> > > the value you want to set it to, and don't set it if they match.
> >> > >
> >> > > - Matijn
> >> > >
> >> >
> >>
> >> I guess it would be to help prevent session hijacks like explained here
> >>
> >> http://stackoverflow.com/questions/12233406/preventing-session-hijacking
> >
> >
> > How would it help prevent session hijacking if it was sending a new
> > cookie with the same session id?
> >
> > - Matijn
> >
>
> I was thinking if I was sitting in a cafe and someone was sniffing and
> tried to use my session info they would get a new session id where I would
> still have my original one so they wouldn't be able to hijack mine trying
> to reuse the same id I have since php would generate a new one
>
> No?

If you read the original question correctly, it's about a *new cookie* with
the *same session id*.

Second, if somebody is sniffing you he would also be able to grab the new
session id, and yours (old and new one) will be useless if he uses the new
session id before you do.
Avoiding session hijacking is not that easy, it's much easier to just use
an SSL connection. At least that protects you from someone sniffing on a
public wifi, but it does not help against sniffing viruses, malicious
browser extensions or cross site scripting attacks. Since it's off topic,
I'll end here. If you want to learn more, Google is your best friend!

- Matijn
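The two practical points raised in the thread, only calling session_id() when the id you want to set differs from the one the browser already sent (so session_start() does not emit a redundant Set-Cookie), and relying on TLS plus id rotation rather than on the re-sent cookie for hijack resistance, as an added example that is not part of the original thread. The function names secure_session_start and rotate_session_on_login are assumptions; the ini settings and session functions used are standard PHP.

```php
<?php
// Added example, not code from the thread. Function names are assumptions.

function secure_session_start($desiredId = null)
{
    // Session id travels only in a cookie (never in the URL), only over
    // TLS, and is hidden from JavaScript. TLS is the mitigation Matijn
    // points to for the public-wifi sniffing scenario; HttpOnly limits
    // (but does not eliminate) exposure to cross-site scripting.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');

    // PHP >= 5.5.2: do not adopt an id sent by the client unless the
    // server already has a session for it.
    if (PHP_VERSION_ID >= 50502) {
        ini_set('session.use_strict_mode', '1');
    }

    $name = session_name();
    $current = isset($_COOKIE[$name]) ? $_COOKIE[$name] : null;

    // Matijn's advice: only override the id when it really differs.
    // Calling session_id() with the identical value would still make
    // session_start() send a fresh cookie, which is the behaviour the
    // manual note describes.
    if ($desiredId !== null && $desiredId !== $current) {
        session_id($desiredId);
    }

    return session_start();
}

function rotate_session_on_login($userId)
{
    // Rotate the id once the user authenticates and discard the old
    // session file. An id observed before login (sniffed, leaked in a
    // log, or fixed by a third party) is then useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

// Typical use at the top of a request handler (assumed flow):
//   secure_session_start();
//   ... verify credentials ...
//   rotate_session_on_login($authenticatedUserId);
```

Note that session_regenerate_id() itself always sends a new cookie, which is expected there: the id has changed. The no-op check in secure_session_start() only avoids the redundant cookie for the case the original poster asked about, where the id stays the same.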
