> The general philosophy of PHP has always been to make PHP easy for the
> beginner yet flexible enough for advanced users. This fits that rule.
> Give the advanced users the tools to configure PHP to have per-virtualhost
> session handling, while sessions still work for the guy who just installed
> PHP on his own little server and really doesn't know what he is doing.
That is fine for a philosophy. I would still like to try to make the default setup more secure. I agree, the least we can do is to document this.

How about we use the SERVER_NAME environment variable when generating session filenames? Instead of a name like sess_XXXX, the name could be sess_YYYY_XXXX, where YYYY is a server fingerprint? I understand that this is not foolproof (say, for applications that run on the same domain name) but it will solve the most serious cases (shared hosting solutions).

-- 
Ivan Ristic, [EMAIL PROTECTED]
[ Weblog on PHP, Software development, Intranets, and Knowledge Management: http://www.webkreator.com ]

-- 
PHP Development Mailing List <http://www.php.net/>
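To make the proposal concrete, here is an added example (not code from the thread or from PHP itself) of a custom session save handler that does what the message describes: every session file gets a per-virtualhost fingerprint, `YYYY`, derived from `SERVER_NAME`, so two sites sharing one `session.save_path` no longer share a namespace. It assumes PHP 8.0 or later (the `SessionHandlerInterface` API did not exist when this message was written) and it uses a SHA-256 prefix as the fingerprint; that hash choice, the `0600` file mode and the session-id validation regex are this example's own decisions, not part of the original proposal.

```php
<?php
// Added example, not from the original thread: a session save handler whose
// filenames are sess_<fingerprint>_<id>, where the fingerprint is derived
// from SERVER_NAME. Assumes PHP >= 8.0.

final class FingerprintedFileHandler implements SessionHandlerInterface
{
    private string $dir;
    private string $fingerprint;

    public function __construct(string $dir, string $serverName)
    {
        $this->dir = rtrim($dir, '/');
        // The "YYYY" of the proposal: a short, filename-safe hash of the vhost
        // name. Using a hash keeps the filename fixed-length and alphabet-safe
        // no matter what characters SERVER_NAME contains.
        $this->fingerprint = substr(hash('sha256', strtolower($serverName)), 0, 16);
    }

    private function path(string $id): string
    {
        // The session id arrives in a cookie and is therefore attacker
        // controlled: accept only PHP's own id alphabet and length range so
        // the id can never contain path separators or escape $dir.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new InvalidArgumentException('malformed session id');
        }
        return $this->dir . '/sess_' . $this->fingerprint . '_' . $id;
    }

    public function open($savePath, $sessionName): bool
    {
        return is_dir($this->dir);
    }

    public function close(): bool
    {
        return true;
    }

    public function read($id): string|false
    {
        $p = $this->path($id);
        return is_file($p) ? (string) file_get_contents($p) : '';
    }

    public function write($id, $data): bool
    {
        $p = $this->path($id);
        // Mode 0600: when vhosts run as different users, other sites cannot
        // read this site's session data even though they share the directory.
        return file_put_contents($p, $data, LOCK_EX) !== false && chmod($p, 0600);
    }

    public function destroy($id): bool
    {
        $p = $this->path($id);
        return !is_file($p) || unlink($p);
    }

    public function gc($maxLifetime): int|false
    {
        $reaped = 0;
        // Garbage collection only touches files carrying this vhost's
        // fingerprint, so one site's GC cannot expire another site's sessions.
        foreach (glob($this->dir . '/sess_' . $this->fingerprint . '_*') ?: [] as $f) {
            if (filemtime($f) + $maxLifetime < time() && unlink($f)) {
                $reaped++;
            }
        }
        return $reaped;
    }
}

// Install the handler before the session is started. 'localhost' is a
// constructed fallback for CLI runs where SERVER_NAME is not set.
session_set_save_handler(
    new FingerprintedFileHandler(
        session_save_path() ?: sys_get_temp_dir(),
        $_SERVER['SERVER_NAME'] ?? 'localhost'
    ),
    true
);
session_start();
```

As the message itself notes, this only separates sessions by server name; applications that share a domain still share session files, and a fingerprint is no substitute for the advanced-user route mentioned in the quoted text, namely giving each virtual host its own `session.save_path` (for example with `php_admin_value session.save_path` in the Apache vhost configuration) so the operating system's file permissions, not a filename prefix, keep the sites apart.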