No, I think the check we need here is one that checks to see if the
session specified in the user-supplied PHPSESSID exists.  If it does not
exist, toss that session id and replace it with a PHP-generated one.

Perhaps Sascha has some thoughts on these two session-related things I'd
like to see changed/fixed?  The second one being the implementation of
session_readonly() and the accompanying control of whether the gc uses
atime or mtime to gc sessions.

-Rasmus

On Mon, 19 Aug 2002, Yasuo Ohgaki wrote:

> Rasmus Lerdorf wrote:
>  > Ok, then that is a bug that needs to be fixed before 4.3.
>
> This is one of the current session module behaviors that I worry about.
> We need at least strlen. (and char range check)
>
> I check them both in my save handler. (Not published session_pgsql,
> but my private session save handler)
>
> --
> Yasuo Ohgaki
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
>
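
The two checks discussed in this thread (length and character range on the supplied id, then "does this session exist, otherwise replace it with a PHP-generated one") can be sketched in userland PHP as follows. This is an added example, not code from the thread or from PHP's session module. It assumes the default `files` save handler with a flat save path (no `N;` depth prefix); the function names and the 22 to 256 length bounds are illustrative.

```php
<?php
// Added illustration, not PHP's own session code. Assumes the "files" save
// handler, which stores each session as <save_path>/sess_<id>.

// Length and character-range check on a client-supplied id. Restricting the
// alphabet also keeps '/' and '.' out of the file name built below.
function sid_is_well_formed(string $sid): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $sid) === 1;
}

// Existence check: does the server already hold a session with this id?
function sid_exists(string $sid, string $savePath): bool
{
    return sid_is_well_formed($sid)
        && is_file($savePath . '/sess_' . $sid);
}

// Start a session, discarding any client-chosen id the server never issued.
function start_checked_session(): void
{
    $name     = session_name();                 // "PHPSESSID" by default
    $supplied = $_COOKIE[$name] ?? null;
    $savePath = session_save_path() ?: sys_get_temp_dir();

    if ($supplied !== null
        && (!is_string($supplied) || !sid_exists($supplied, $savePath))) {
        // Unknown or malformed id: toss it and use a PHP-generated one.
        // Setting the id before session_start() makes PHP ignore the cookie
        // value and send a fresh cookie with the new id.
        session_id(session_create_id());
    }
    session_start();
}

start_checked_session();
```

Later PHP releases provide this rejection of uninitialized session ids natively through the `session.use_strict_mode` ini setting.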

