ID: 8184
Updated by: sniper
Reported By: [EMAIL PROTECTED]
Old-Status: Feedback
Status: Closed
Bug Type: *Session related
Assigned To:
Comments:

No feedback.

--Jani

Previous Comments:
---------------------------------------------------------------------------

[2000-12-11 05:29:14] [EMAIL PROTECTED]

I don't understand something here. Do you really want the session to be destroyed on each page call? What's the point in such a "session" anyway then? Could you please explain?

---------------------------------------------------------------------------

[2000-12-09 12:34:17] [EMAIL PROTECTED]

Hi!

A part of my php.ini looks like this:

session.gc_probability = 100
session.gc_maxlifetime = 0
session.cache_limiter = nocache
session.use_cookies = 0
session.auto_start = 0
session.use_trans_sid = 1
session.cookie_lifetime = 0

The situation: the client cuts the URL of the actual page to the clipboard (the URL contains the session-id) and closes the browser. The session file becomes garbage and it will be collected at the next session call - I thought. However, when the client opens the browser and pastes the URL into the address line - and there isn't any other session call from another client - PHP lets him in. If the URL does not contain the session-id everything works fine: the garbage collector collects all of the garbage.

Summary: if the session_start() gets session-id by GET parameter or by a cookie, it doesn't check whether the session file is garbage or not. I think it's a minor security bug.

Thanks
Zoltan Eles

---------------------------------------------------------------------------

Full Bug description available at: http://bugs.php.net/?id=8184
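
An added example, not part of the bug report or of PHP itself: one way an application can enforce session expiry on its own, so that a session id pasted back from a saved URL is rejected regardless of whether garbage collection has run. The names `IDLE_LIMIT`, `last_seen`, `session_is_fresh()` and `start_checked_session()` and the 900-second limit are assumptions made for illustration.

```php
<?php
// Added example: application-level idle timeout that does not rely on session GC.
const IDLE_LIMIT = 900; // assumed idle timeout in seconds (hypothetical value)

// Decide whether stored session data may still be used at time $now.
function session_is_fresh(array $data, int $now, int $limit = IDLE_LIMIT): bool
{
    // Data without our timestamp marker was not written by this code path: reject it.
    if (!isset($data['last_seen']) || !is_int($data['last_seen'])) {
        return false;
    }
    return ($now - $data['last_seen']) <= $limit;
}

// Call this instead of a bare session_start() at the top of each page.
function start_checked_session(): void
{
    session_start();
    $now = time();
    if ($_SESSION !== [] && !session_is_fresh($_SESSION, $now)) {
        // The id came from the URL or a cookie, but its data is stale:
        // wipe the data, delete the stored session, and continue under a new id.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now; // refresh the marker on every valid request
}

// Constructed sample data, checked from the command line only.
if (PHP_SAPI === 'cli') {
    $now = 1000000;
    $samples = [
        'active'    => ['user' => 'alice', 'last_seen' => $now - 60],
        'pasted'    => ['user' => 'alice', 'last_seen' => $now - 86400],
        'no_marker' => ['user' => 'alice'],
    ];
    foreach ($samples as $label => $data) {
        echo $label, ': ', session_is_fresh($data, $now) ? 'accept' : 'reject', "\n";
    }
}
```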