Vernon Nemitz wrote:
> But what actually happens is that session_start() creates
> a brand-new session-data-file using the ID that had been
> supplied in the URL. Our bad guy now has his own private
> session started!

Which is not a problem per se (unless your authorization check depends solely on the fact that a session exists, which would be very bad). The only problem with this is that it makes session fixation attacks easier.

If you don't want to deal with session_regenerate_id() (or don't consider it safe enough), you can enable session.use_strict_mode.

--
Christoph M. Becker

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
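The two defences named in the reply, as an added example that is not part of the original thread and not code from either poster: session.use_strict_mode makes PHP refuse a session ID it did not issue itself (so the attacker's "private session" is never created under the ID he chose), and session_regenerate_id() swaps the ID at the moment the session gains privileges, so an ID planted before login is worthless afterwards. The login() and is_authenticated() functions, the hard-coded user table, and the use_only_cookies/use_trans_sid settings are assumptions added for illustration; the thread discusses only the two settings it names.

```php
<?php
// Added example (not from the mailing-list thread).

// 1. Strict mode: a client-supplied ID that does not already exist in the
//    session store is discarded and a fresh one is generated instead of a
//    new session file being created under the attacker's chosen ID.
ini_set('session.use_strict_mode', '1');

// Assumed hygiene settings (not discussed in the thread): never accept or
// emit session IDs in URLs, only in cookies.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

session_start();

// Constructed user table for the example; a real application would look
// this up in a datastore. The hash is computed at runtime so the snippet
// runs stand-alone.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Hypothetical login handler.
function login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }

    // 2. Privilege level changes here, so issue a new ID. An attacker who
    //    fixated the pre-login ID no longer shares this session. The `true`
    //    argument deletes the old session data instead of leaving it behind.
    session_regenerate_id(true);

    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $user;
    return true;
}

// The authorization check the reply warns about: do not treat "a session
// exists" as "the user is logged in"; test a flag that only login() sets.
function is_authenticated(): bool
{
    return !empty($_SESSION['authenticated']);
}

// Demonstration on the CLI: pretend the attacker's URL handed us an ID.
// With use_strict_mode=1 the ID is rejected because no such session exists
// in the store, so session_id() comes back as something PHP generated.
session_write_close();
session_id('attacker-chosen-id');
session_start();
echo "ID after strict-mode start: " . session_id() . PHP_EOL;

$before = session_id();
var_dump(is_authenticated());                      // bool(false): session exists, nobody logged in
var_dump(login($USERS, 'alice', 'wrong password')); // bool(false): ID unchanged
var_dump(login($USERS, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(is_authenticated());                      // bool(true)
echo "ID changed on login: " . var_export($before !== session_id(), true) . PHP_EOL;
```

Note that session.use_strict_mode only refuses IDs the save handler does not recognise; it does nothing against an attacker who first obtains a valid ID from the server and then plants that one, which is why the reply presents it as an alternative to, not a replacement for, regenerating the ID when the user authenticates. Doing both costs nothing.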