ID: 42804 Updated by: [EMAIL PROTECTED] Reported By: mpub at meiners-online dot de -Status: Open +Status: Bogus Bug Type: Session related Operating System: Linux PHP Version: 5.2.4 New Comment:
That's one more reason NOT to use trans-sid stuff. If you want total control, don't use it. (using cookies is much better anyway..please refer to the manual http://php.net/session for more info) Previous Comments: ------------------------------------------------------------------------ [2007-09-30 22:05:34] mpub at meiners-online dot de Description: ------------ If I set session.use_trans_sid to 1 and form=xxx is included in url_rewriter.tags, a hidden input field with the session-ID is added to every form. It seems to me that the output handler doesn't care if the action-attribute of the form is an absolute URL as it does when rewriting URLs. So, the session-ID is sent to foreign sites. Reproduce code: --------------- ini_set('session.use_trans_sid', '1'); ini_set('url_rewriter.tags', 'a=href,area=href,frame=src,input=src,form=action,fieldset='); ... if (strlen(session_id()) < 1) session_start(); ... ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=42804&edit=1