--- Christian Schneider <[EMAIL PROTECTED]> wrote:

> I decided to say "If X knows the session ID of User A then he _is_ A".

This isn't a good approach, but you can bring this up on php-general to discuss why. I'm sure plenty of people will be happy to discuss it.

> (Side note: I use my own random/MD5-based session IDs which should be
> hard to guess).

Do you think it's better than the existing session ID generation code? I always trust the level of entropy provided by the native mechanism. If you think you have a better solution, maybe you can submit a patch...

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
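The two points raised in the exchange above, that a session ID should not be the only thing standing between an attacker and a user, and that the native session ID generator is the one to rely on, can be put into practice with PHP's own session machinery. The following is an added example written for this page; it is not code from either correspondent and it assumes a much newer PHP than the one discussed in the thread (7.3 or later, where the native generator is backed by the CSPRNG and `session.use_strict_mode` and `session.cookie_samesite` exist). The `login`, `logout`, `requireAuth` functions and the `$checkCredentials` callback are hypothetical application code, not PHP API.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7.3+ with the default
// session save handler. All ini settings must be applied before session_start().

// Keep the native ID generator (CSPRNG-backed since PHP 7.1) rather than a
// hand-rolled MD5 scheme, and widen the ID: 48 characters x 6 bits = 288 bits.
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');

// Strict mode: an ID the server did not issue is never accepted as a live
// session, which closes session fixation (attacker plants an ID, victim logs in).
ini_set('session.use_strict_mode', '1');

// Only carry the ID in a cookie, and keep that cookie away from scripts,
// off plaintext connections, and out of cross-site requests.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');

session_start();

// Hypothetical login: $checkCredentials is whatever the application uses to
// verify the password; it returns true on success.
function login(string $user, callable $checkCredentials): bool
{
    if (!$checkCredentials($user)) {
        return false;
    }
    // Rotate the ID at the privilege boundary and delete the old session file,
    // so an ID observed or planted before authentication buys nothing after it.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Destroy server-side state; the current ID is dead from here on.
    session_destroy();
}

// Knowing a valid ID is still not permanently "being" the user: an absolute
// session lifetime bounds the window in which a stolen ID is useful.
function requireAuth(int $maxAgeSeconds = 3600): ?string
{
    if (!isset($_SESSION['user'], $_SESSION['auth_time'])) {
        return null;
    }
    if (time() - $_SESSION['auth_time'] > $maxAgeSeconds) {
        logout();
        return null;
    }
    return $_SESSION['user'];
}
```

`session_regenerate_id(true)` is the piece that matters most: without it, an ID that was valid before login stays valid after it, which is exactly the situation where "whoever knows the ID is the user" becomes a problem. `session.use_strict_mode` is the server-side counterpart, since a regenerated ID only helps if the server refuses to adopt IDs it never handed out in the first place.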