On Wed, 19 Feb 2014 15:21:51 +0000, Stuart Dallas wrote

> On 19 Feb 2014, at 14:04, Vernon Nemitz <vnemitz@xxxxxxxx> wrote:
>
> > Thank you for your feedback.
> > One of the other people who responded to my original message
> > indicated that in version 5.5.2 of PHP, a new initialization
> > thing was added, session.use_strict_mode
> > This will ignore the session ID in a URL, if the specified
> > session-file does not exist. Instead, a new session file
> > and ID will be created.
>
> Great, fine, lovely, except that it only has one effect: it prevents
> "bad guy" from choosing the name of his session. He will still be
> able to create an empty session by specifying a non-existent session
> ID when he makes the request. I really don't see what
> use_strict_mode gives you for the situation you described.
>
> -Stuart

Well, it makes no sense for the bad guy to send a "desired" session ID to the server if it will always be ignored. That is, he might as well just go along with the normal usage that everyone else does, to get a session ID. It seems to me that that qualifies as a first step in not letting the bad guy get what he wants.

vernonner3voltazim
Vernon Nemitz

--
PHP General Mailing List (http://www.php.net/)
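The two behaviours discussed in the thread can be made concrete in a session bootstrap. The following is an added example, not code from the thread or from PHP itself: it enables session.use_strict_mode (PHP 5.5.2 or later, as the thread says) so a client-supplied ID that names no existing session is discarded, and it emulates the same effect on older PHP with a marker (the name `__initiated` is an assumption made here). Because strict mode only stops the attacker from picking the ID, and a server-issued ID that an attacker has already seen is still a valid session, the example also regenerates the ID on login; the `login()` helper is hypothetical.

```php
<?php
// Added example: hardened session bootstrap for the situation the thread describes.
// Assumption: PHP >= 5.5.2 for session.use_strict_mode; older PHP falls back to
// the marker check below, which produces the same "empty session gets a fresh ID" effect.

// Reject session IDs the server never issued (the setting the thread discusses).
ini_set('session.use_strict_mode', '1');
// Never read the session ID from the URL or rewrite links to carry it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Keep the cookie out of reach of script and off plain HTTP where possible.
ini_set('session.cookie_httponly', '1');
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1');
}

session_start();

// Fallback for PHP without use_strict_mode: a session that was just started
// from an unknown ID is empty, so it carries no marker. Replace its ID at once
// and record the marker. With strict mode on this branch simply runs for
// genuinely new visitors and is harmless. ('__initiated' is an assumed name.)
if (empty($_SESSION['__initiated'])) {
    session_regenerate_id(true);      // true: delete the old session file
    $_SESSION['__initiated'] = true;
}

/**
 * Hypothetical login helper. Regenerating the ID at the moment privileges
 * change is what closes the gap strict mode leaves: an ID the attacker
 * obtained legitimately and handed to the victim is never promoted to an
 * authenticated session.
 */
function login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
}

/** Hypothetical logout helper: clear data, drop the file, expire the cookie. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

With this in place the test described in the thread (a request carrying a made-up ID in the URL) yields a brand-new server-chosen ID, and a valid ID that was merely handed to a victim is discarded the moment that victim logs in.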