On 19 Feb 2014, at 14:04, Vernon Nemitz <vnemitz@xxxxxxxx> wrote: > Thank you for your feedback. > One of the other people who responded to my original message > indicated that in version 5.5.2 of PHP, a new initialization > thing was added, session.use_strict_mode > This will ignore the session ID in a URL, if the specified > session-file does not exist. Instead, a new session file > and ID will be created. Great, fine, lovely, except that it only has one effect: it prevents "bad guy" from choosing the name of his session. He will still be able to create an empty session by specifying a non-existent session ID when he makes the request. I really don’t see what use_strict_mode gives you for the situation you described. -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
