There is a flagrant bug there that allows anyone to choose a session ID of his choice, instead of relying on the random device.

I think this breaks some POSIX-MIT-RFC somewhere and can be the cause of easy exploits. I would then say that for a bugfix release it should be reasonable to fix it. I am not saying that user choice of the unpredictable session-id couldn't be a valid method in some cases, as well as other methods as suggested, but this the programmer must decide when and where. If you are talking about the insecurity of trans_sid, then letting anyone decide it by a URL is even worse.

Giancarlo

Zeev Suraski wrote:
> > - Transparent sid support is now disabled by default. (Yasuo)
>
> I haven't followed the trans-sid discussion closely, but did we decide to
> change the behavior within a bug-fix release??
>
> Zeev

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
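As an added example (not code from the thread or from PHP itself), the defensive counterpart of the bug Giancarlo describes: a session bootstrap that never reads the ID from the URL and only honours IDs the server issued itself, replacing any other one before anything is stored under it. It assumes PHP 5.5.2 or later for `session.use_strict_mode`; `issued_by_server` is a marker name chosen here.

```php
<?php
// Added example: start a PHP session so that a client-chosen session ID
// (e.g. one pasted into the query string) is never accepted as-is.

// 1. Never take the session ID from the URL, and never rewrite it into links.
//    This is the trans_sid behaviour the thread is about; keep it off.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');

// 2. Reject IDs that the server did not generate (uninitialised IDs).
//    PHP then silently creates a fresh random ID instead. Requires PHP >= 5.5.2.
ini_set('session.use_strict_mode', '1');

// 3. Keep the cookie out of reach of scripts; use_strict_mode does not do this.
ini_set('session.cookie_httponly', '1');

session_start();

// 4. Belt and braces for older PHP or odd SAPIs: if this session carries no
//    server-side marker it has never been issued by us, so replace the ID
//    before any data is attached to it. true = delete the old session store.
if (empty($_SESSION['issued_by_server'])) {
    session_regenerate_id(true);
    $_SESSION['issued_by_server'] = true;
}

// 5. Detection: an ID arriving in the URL is exactly what step 1 ignores;
//    record it so repeated attempts against one client can be spotted in logs.
if (isset($_GET[session_name()])) {
    $client = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log("session ID supplied in URL by {$client}; ignored, fresh ID issued");
}
```

With `use_strict_mode` on, a forced ID is dropped at `session_start()`; the marker check in step 4 gives the same guarantee on builds that lack the setting.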
