Hello,

The PHP manual says it is the developer's job to ensure PHP sessions cannot be stolen or "fixed" (this is called Session Fixation).

To minimise the risk of session fixation, I wrote a patch for PHP-4.3.5 (I can port it for the other versions too - just ask...) that makes (almost) sure the current user IS the session creator. It is based on client IP addresses.

This patch is available at:
http://www.trickytools.com/php/sesfixpatch.php

If you think this could be useful, it could be improved and someday be part of the official distro.

Jerome Delamarche

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
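
The idea in the message above (accept a session only from the client IP address that created it), sketched in userland PHP as an added example. It is not the patch the message links to; the `_creator_ip` key and the function names are hypothetical, and it assumes PHP 7 or later with `REMOTE_ADDR` holding the real client address (no reverse proxy in front).

```php
<?php
// Added example, not the referenced patch. Names and the '_creator_ip' key are hypothetical.

// Returns true if $clientIp is the address that created the session.
// On the first call for a session it records the creator and returns true.
function session_bound_to_creator(array &$session, string $clientIp): bool
{
    if (!isset($session['_creator_ip'])) {
        $session['_creator_ip'] = $clientIp;
        return true;
    }
    return $session['_creator_ip'] === $clientIp;
}

function start_bound_session(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    session_start();

    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!session_bound_to_creator($_SESSION, $ip)) {
        // Presented from another address: discard the data and issue a fresh ID
        // bound to the current client, so a planted ID carries nothing over.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['_creator_ip'] = $ip;
    }
}

// Regenerating the ID at login invalidates any ID that was known before authentication.
function on_login(string $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $userId;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: created from 192.0.2.10, then replayed from 198.51.100.7.
    $s = [];
    var_dump(session_bound_to_creator($s, '192.0.2.10'));
    var_dump(session_bound_to_creator($s, '192.0.2.10'));
    var_dump(session_bound_to_creator($s, '198.51.100.7'));
    // Limits of IP binding: clients behind the same NAT or proxy share an
    // address and pass the check; clients whose address changes lose their session.
}
```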