Hi Zeev,
Zeev Suraski wrote:
> At 19:47 29/03/2005, Hans L wrote:
>> Hi,
>> This may not be the right place for this question, but what I'm looking to understand is the reasoning behind what seems to be the standard session behavior in PHP. And, if it's possible, how to change this behavior (via INI settings, etc.).
>> As I understand (and experience) it, if a client [browser] presents a session id (e.g. in a cookie) to the server, then PHP will attempt to match that ID to the session on the system. If found, that session information will be made available to the scripts. Fine. But, if *not found* then a new session will be created with the specified ID.
>> Is there any way to disable this behavior? I can't think of a single circumstance under which this would be the desired behavior, but my use of sessions has been more limited to authentication & web applications.
> I actually came across one situation where I took advantage of this feature and relied on it in an application. It had to do with replicating parts of a session across a cluster of servers (also for use in authentication).
Thanks for the response.
Ok, that makes sense. It seems to be quite a security threat for the common case of session use, though. I wonder if this could be a behavior controlled by a php.ini setting in the future? I guess what I originally wanted to ask in my thread is whether there is a well-known reason for the current behavior or whether I could submit a feature request that this be changed for upcoming PHP releases. I think *many* applications out there would immediately become more secure if session fixation were not possible.
Cheers, Hans
-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
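The behavior Hans describes (an unknown session ID presented by the client is adopted and a new session is created under it) is the precondition for session fixation. The following is an added example, not code from the thread or from PHP itself: a small Python model of a server-side session store with a `strict` switch, plus the fixation scenario run against both settings. The store, the attacker-planted ID and the `login` helper are constructed for illustration; PHP later exposed the strict behavior as the `session.use_strict_mode` INI setting, and `session_regenerate_id(true)` at login is the usual application-level defense.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Minimal server-side session store (constructed model, not PHP's code).

    strict=False reproduces the behavior discussed in the thread: an unknown ID
    presented by the client is accepted and a fresh session is created under it.
    strict=True rejects unknown IDs and issues a server-generated one instead.
    """

    def __init__(self, strict: bool):
        self.strict = strict
        self._sessions: Dict[str, dict] = {}

    def _new_id(self) -> str:
        # 128 bits from the OS CSPRNG; an attacker cannot guess this.
        return secrets.token_hex(16)

    def start(self, presented_id: Optional[str]) -> str:
        """Resolve the client's cookie value to a session ID.

        Returns the ID the server will send back in the Set-Cookie header.
        """
        if presented_id is not None and presented_id in self._sessions:
            return presented_id                      # known session: resume it
        if presented_id is not None and not self.strict:
            self._sessions[presented_id] = {}        # lax: adopt client-chosen ID
            return presented_id
        sid = self._new_id()                         # strict or no cookie: mint one
        self._sessions[sid] = {}
        return sid

    def regenerate(self, old_id: str) -> str:
        """Move session data to a fresh ID and delete the old one."""
        data = self._sessions.pop(old_id)
        sid = self._new_id()
        self._sessions[sid] = data
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)


def login(store: SessionStore, cookie: Optional[str], user: str,
          regenerate_on_login: bool) -> str:
    """Hypothetical login handler: authenticate, optionally rotate the ID."""
    sid = store.start(cookie)
    if regenerate_on_login:
        sid = store.regenerate(sid)                  # privilege change => new ID
    store.get(sid)["user"] = user
    return sid


def fixation_attack(strict: bool, regenerate_on_login: bool) -> bool:
    """Run the fixation scenario; True means the attacker reads the victim's session."""
    store = SessionStore(strict=strict)
    planted_id = "attacker-chosen-id"                # constructed: planted via link/cookie injection
    # The victim arrives carrying the planted ID and authenticates.
    login(store, planted_id, "alice", regenerate_on_login)
    # Later the attacker presents the same planted ID.
    attacker_sid = store.start(planted_id)
    session = store.get(attacker_sid)
    return session is not None and session.get("user") == "alice"


if __name__ == "__main__":
    for strict in (False, True):
        for regen in (False, True):
            print(f"strict={strict!s:5} regenerate_on_login={regen!s:5} "
                  f"hijacked={fixation_attack(strict, regen)}")
```

Only the combination of lax ID acceptance and no regeneration at login lets the attacker read the victim's authenticated session; either rejecting unknown IDs at the store or rotating the ID at login closes the hole. Zeev's cluster-replication use case is the one legitimate consumer of the lax mode, which is why a switch rather than a hard-coded change is the reasonable fix.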