> That is fine for a philosophy. I would still like to try to make
> the default setup more secure. I agree, the least we can do is to
> document this.
>
> How about that we use the SERVER_NAME environment variable when
> generating session filenames? Instead of name like sess_XXXX, the name
> could be sess_YYYY_XXXX, where YYYY is a server fingerprint? I
> understand that this is not foolproof (say, for applications
> that run on the same domain name) but it will solve the most
> serious cases (shared hosting solutions).

I really do think that someone setting up shared hosting should be clueful enough to configure things themselves or they probably shouldn't be in the business.

-Rasmus