Why can a user force PHP to create a session whose name he supplies in the URL? Do you want me to list half a dozen ways to get rich now with these holes? Does anyone understand the malice of this? Anyone can offer you a click on a session he's going to visit later and hijack it from you? Anyone can post data into a black hole of his own and pass it around secretly? Anyone can place precise strings at a precise file location on a server? How is it that a user can force any session string passed in the URL to be created, even when cookies are fully functional and enabled? Is it possible that there is no policy on creating a new session? There's so much fuss about register_globals, and we let users create the sessions they want? Shouldn't we check that it's us who issued the ticket?
How is it that I cannot find a decent reply to these questions?

Giancarlo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
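The behaviour complained about above (PHP adopting whatever session ID a client presents, including one from the URL) is classic session fixation. As an added example that is not part of the original mail, here is the defender-side configuration and the "did we issue this ticket?" check in PHP; the `__issued_by_server` key name and the `on_successful_login()` helper are my own, and `session.use_strict_mode` assumes PHP 5.5.2 or later.

```php
<?php
// Added example (not from the original post): refuse to adopt a session ID
// that this server did not issue.  Assumes PHP >= 5.5.2 for
// session.use_strict_mode and PHP >= 5.1 for session_regenerate_id(true).

// 1. Never read the session ID from the URL and never write it into links or
//    forms.  This closes the "?PHPSESSID=..." vector the post describes.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 2. Strict mode: an ID that does not already exist in the session store is
//    discarded and a fresh, server-generated ID is issued instead, so a
//    client can no longer "create" a session of its own choosing.
ini_set('session.use_strict_mode', '1');

// 3. Keep the cookie away from scripts and off the wire in clear text
//    (cookie_secure assumes the site is served over HTTPS).
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');

session_start();

// 4. Belt and braces for PHP builds without strict mode: every session this
//    server creates carries a marker.  A session without it was not issued
//    by us, so drop its ID (deleting the foreign one) and start over.
//    '__issued_by_server' is an arbitrary key name chosen for this example.
if (empty($_SESSION['__issued_by_server'])) {
    session_regenerate_id(true);
    $_SESSION = array(
        '__issued_by_server' => true,
        'created'            => time(),
    );
}

// 5. Regenerate again on every privilege change, e.g. right after a
//    successful login, so that an ID someone learned before authentication
//    is worthless afterwards.  Hypothetical helper for this example.
function on_successful_login($userId)
{
    session_regenerate_id(true);
    $_SESSION['__issued_by_server'] = true;
    $_SESSION['user_id'] = $userId;
}
```

With steps 1 to 3 in php.ini the checks apply to every script on the server rather than only to those that remember to call `ini_set()`.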