On 19 Feb 2014, at 16:26, Vernon Nemitz <vnemitz@xxxxxxxx> wrote:

> On Wed, 19 Feb 2014 15:21:51 +0000, Stuart Dallas wrote
>> On 19 Feb 2014, at 14:04, Vernon Nemitz <vnemitz@xxxxxxxx> wrote:
>>
>>> Thank you for your feedback.
>>> One of the other people who responded to my original message
>>> indicated that in version 5.5.2 of PHP, a new initialization
>>> thing was added, session.use_strict_mode
>>> This will ignore the session ID in a URL, if the specified
>>> session-file does not exist. Instead, a new session file
>>> and ID will be created.
>>
>> Great, fine, lovely, except that it only has one effect: it prevents
>> "bad guy" from choosing the name of his session. He will still be
>> able to create an empty session by specifying a non-existent session
>> ID when he makes the request. I really don't see what
>> use_strict_mode gives you for the situation you described.
>>
>> -Stuart
>
> Well, it makes no sense for the bad guy to send a "desired" session
> ID to the server if it will always be ignored. That is, he might
> as well just go along with the normal usage that everyone else
> does, to get a session ID. It seems to me that that qualifies as
> a first step in not letting the bad guy get what he wants.

But you still haven't answered the question. What does "bad guy" get from having his "desired" session ID used instead of one that's randomly assigned? Where's the benefit for him? Any "bad guy" worth the name would know this doesn't give him anything, so he won't bother. Why do you think he'd bother?

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
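As an added illustration (not code from the thread or its participants), the setting discussed above paired with the check a practitioner would want beside it: session.use_strict_mode refuses client-presented IDs that have no session file, and session_regenerate_id() at login makes any ID known before authentication worthless. verify_credentials() is a hypothetical placeholder.

```php
<?php
// Added example, not from the mailing-list thread.

// Refuse client-supplied session IDs that do not exist in the store.
// With this off, session_start() adopts whatever ID the client presents
// (cookie or URL), which is the scenario the thread is arguing about.
ini_set('session.use_strict_mode', '1');
// Strict mode does not by itself keep IDs out of URLs; these settings do.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

session_start();

// Hypothetical placeholder; a real application checks a credential store.
function verify_credentials(string $user, string $pass): bool
{
    // Constructed demo credentials, compared in constant time.
    return hash_equals('demo', $user) && hash_equals('demo-pass', $pass);
}

if (isset($_POST['user'], $_POST['pass'])
    && verify_credentials($_POST['user'], $_POST['pass'])) {
    // Privilege level changes here: issue a fresh ID and delete the old
    // session file, so a pre-login ID (chosen or merely observed by a third
    // party) is never promoted to an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['user'];
    $_SESSION['authenticated_at'] = time();
}

// Whatever ID the client sent, session_id() now reports the one the
// server actually created; log it if you audit session activity.
error_log('session in use: ' . session_id());
```

Note that the empty session Stuart describes is still created under strict mode; it simply carries a server-generated ID rather than the requested one.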