What are the benefits of trusting any id provided by the user, when
creating a new session? Why should we allow users to create their own
session ids, and maybe pass them around? Or be driven to some session
faked/created by someone else?

Can we control that a new session id has been effectively issued by us,
and only create new session ids that we have generated?

Gian

-- 
PHP General Mailing List (http://www.php.net/)
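One way to refuse session ids the server did not issue, as an added example that is not part of the original message. The function names and the `issued_by_server` marker key are hypothetical; `session.use_strict_mode` is assumed to be available in the PHP version in use, and the code must run before any output is sent.

```php
<?php
// Added example: only keep session ids that this server generated.
declare(strict_types=1);

function start_trusted_session(): void
{
    // Strict mode: an id with no matching server-side session record is
    // discarded and a fresh one is generated instead of being adopted.
    ini_set('session.use_strict_mode', '1');
    // Accept the id from the cookie only, never from the URL, so an id
    // cannot be planted through a crafted link.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');

    session_start();

    // Second check (hypothetical marker key): every session initialised
    // here carries this flag. If it is missing, the session is new or its
    // id came from elsewhere, so replace the id with one generated here.
    if (empty($_SESSION['issued_by_server'])) {
        session_regenerate_id(true);   // true = delete the old session record
        $_SESSION = [];
        $_SESSION['issued_by_server'] = true;
        $_SESSION['created_at'] = time();
    }
}

function on_login(string $userId): void
{
    // Privilege change: issue a new id so that any id known before the
    // login (including one fixed by a third party) stops being valid.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_trusted_session();
```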