From: glattfahrservice at web dot de
Operating system: Windows XP Professional
PHP version: 4.3.4
PHP Bug Type: Session related
Bug description: Random SESSION-ID given in URL is accepted for the session

Description:
------------
Normally PHP uses some clever algorithms to provide safe and unique SESSION-IDs. However, when a simple session-id is passed to the script in which session_start() is called, a session with the given ID is generated.

e.g.: www.test.com/index.php&PHPSESSID=blabla should not be accepted and a new SESSION-ID should be generated for the session.

BUT: this session-ID (blabla) is obviously valid and not rejected. Functionality is not impaired, but right now a visitor is able to "choose" his own session-id. Not very safe, right?

I have disabled cookies and turned off trans-sid.

Ciao, Dan.

-- 
Edit bug report at http://bugs.php.net/?id=26119&edit=1
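The behaviour reported above (an arbitrary, never-issued ID such as "blabla" being adopted as a live session) is the precondition for session fixation. The following is an added example, not code from the bug report or from PHP itself; it shows the defensive pattern PHP later built in as session.use_strict_mode, written for PHP 7.1+ and assuming the default "files" save handler (session files named sess_<id> under session_save_path()). The regex for a well-formed ID and the fallback to sys_get_temp_dir() are assumptions of this example.

```php
<?php
// Added example, not from the bug report. Assumes PHP 7.1+ and the default
// "files" save handler (session files named sess_<id> under session_save_path()).

// True only for an ID PHP itself could have issued: session charset, sane length.
// The charset/length bounds here are an assumption covering PHP's default sid settings.
function session_id_is_wellformed(string $id): bool
{
    return (bool) preg_match('/^[0-9a-zA-Z,-]{22,128}$/', $id);
}

// True only if a session with this ID was already created server-side.
function session_id_exists(string $id, string $savePath): bool
{
    return is_file(rtrim($savePath, '/\\') . DIRECTORY_SEPARATOR . 'sess_' . $id);
}

// Decide whether a caller-supplied ID may be adopted. "blabla" from the report
// fails the format check; a well-formed but never-issued ID fails the existence check.
function accept_supplied_session_id(?string $supplied, string $savePath): bool
{
    return $supplied !== null
        && session_id_is_wellformed($supplied)
        && session_id_exists($supplied, $savePath);
}

function start_session_strict(): void
{
    ini_set('session.use_only_cookies', '1'); // never read PHPSESSID from the URL
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');  // PHP >= 5.5.2 performs this check natively

    $name     = session_name();
    $savePath = session_save_path() ?: sys_get_temp_dir(); // fallback is an assumption

    if (!accept_supplied_session_id($_COOKIE[$name] ?? null, $savePath)) {
        // Unknown or malformed ID: hide it from session_start() so PHP issues a fresh one
        // instead of creating a session under the caller's chosen name.
        unset($_COOKIE[$name]);
    }
    session_start();
}

// After authentication, always swap to a new ID so that any ID planted before
// login (by URL, cookie injection, etc.) no longer maps to the privileged session.
function on_login(int $userId): void
{
    session_regenerate_id(true); // true = delete the old session file as well
    $_SESSION['user_id'] = $userId;
}
```

With session.use_only_cookies and session.use_strict_mode both enabled, PHP itself refuses an uninitialized ID; the explicit checks above document what that setting does and cover installations where it is unavailable.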