> Rasmus Lerdorf wrote:
> > No, I think the check we need here is one that checks to see if the
> > session specified in the user-supplied PHPSESSID exists. If it does not
> > exist, toss that session id and replace it with a PHP-generated one.
> >
> > Perhaps Sascha has some thoughts on these two session-related things I'd
> > like to see changed/fixed? The second one being the implementation of
> > session_readonly() and the accompanying control of whether the gc uses
> > atime or mtime to gc sessions.
>
> Ok. You are talking more about preventing a user from always accessing the
> same session ID. That's one of my worries, too.
Well, more worrisome would be if a bad guy tricks you into clicking on a link or simply sends you an image in an email that makes a request to my server with a valid-looking session id. Then if you go to this site (that you haven't visited before) the session id provided by the bad guy will be your active session id. You log in, provide some info and the bad guy can come right in behind you since he now knows which session id you are using.

-Rasmus

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
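The check Rasmus describes (accept a client-supplied PHPSESSID only if that session already exists on the server, otherwise throw it away and let PHP generate a fresh one) written out as an added example; this is not code from the thread or from PHP's own session module. It assumes the default "files" save handler with sessions stored as `sess_<id>` under `session.save_path`, and it also rotates the ID on login, which is the other half of closing the attack the message describes. The `ini_set` calls for `session.use_strict_mode` and `session.use_only_cookies` are the modern built-in way to get the same effect and are a no-op on PHP versions that predate them.

```php
<?php
// Added example: reject an unknown client-supplied session ID and issue a
// PHP-generated one instead. Assumes the "files" save handler (hypothetical
// deployment; adjust session_exists_on_server() for other handlers).

function session_id_is_well_formed(string $id): bool
{
    // Only characters PHP itself ever puts in a session ID. Rejecting
    // anything else also keeps the file-system check below free of
    // path traversal.
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id);
}

function session_save_dir(): string
{
    $path = session_save_path();
    if ($path === '') {
        $path = sys_get_temp_dir();
    }
    // session.save_path may carry an "N;mode;" prefix such as "5;/tmp";
    // the directory is everything after the last ';'.
    $pos = strrpos($path, ';');
    return $pos === false ? $path : substr($path, $pos + 1);
}

function session_exists_on_server(string $id): bool
{
    return is_file(session_save_dir() . DIRECTORY_SEPARATOR . 'sess_' . $id);
}

/**
 * Start the session so that an ID the client invented (or was handed by a
 * third party) is never adopted as-is.
 *
 * Returns true when the supplied ID was discarded and replaced.
 */
function start_session_safely(): bool
{
    // Modern PHP does this check natively; harmless on older builds.
    ini_set('session.use_strict_mode', '1');
    // Never accept the ID from the URL, only from the cookie.
    ini_set('session.use_only_cookies', '1');

    $name     = session_name(); // "PHPSESSID" unless reconfigured
    $supplied = $_COOKIE[$name] ?? null;

    $untrusted = $supplied !== null
        && (!session_id_is_well_formed($supplied) || !session_exists_on_server($supplied));

    session_start();

    if ($untrusted) {
        // The client's ID had no server-side session behind it: drop it
        // (delete=true removes any file session_start() just created for it)
        // and send the client a PHP-generated ID instead.
        session_regenerate_id(true);
        return true;
    }
    return false;
}

/**
 * Call this right after credentials are verified. Even a session ID that
 * existed before login must not survive the privilege change, otherwise an
 * ID learned by someone else beforehand stays valid afterwards.
 */
function on_successful_login(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
}

// Usage (constructed flow, not part of the thread):
$replaced = start_session_safely();
header('X-Session-Replaced: ' . ($replaced ? 'yes' : 'no'));
```

The existence test runs before `session_start()` because once the session has started PHP has already created a file for whatever ID it was given; `session_regenerate_id(true)` then both deletes that file and emits a new cookie, so the attacker-chosen ID is never the one the server ends up trusting. For a non-files handler, replace `session_exists_on_server()` with a lookup against that backend, or rely on `session.use_strict_mode`, which asks the handler's own `validateId` callback.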