--- Christian Schneider <[EMAIL PROTECTED]> wrote:
> I decided to say "If X knows the session ID of User A then he _is_ A".

This isn't a good approach, but you can bring this up on php-general to
discuss why. I'm sure plenty of people will be happy to discuss it.

> (Side note: I use my own random/MD5-based session IDs which should be 
> hard to guess).

Do you think it's better than the existing session ID generation code? I
always trust the level of entropy provided by the native mechanism. If you
think you have a better solution, maybe you can submit a patch...

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
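Added illustration, not code from either poster or from PHP itself: the two points in the exchange above are that a session ID is a bearer credential (whoever presents it is treated as the user) and that a homegrown "random/MD5-based" ID is only as unguessable as the entropy fed into the hash. The snippet below, in Python for portability, makes both concrete. The homegrown scheme it models (md5 over a millisecond timestamp and a small pseudo-random integer) is an assumption for the sake of the example; the thread does not show Christian's actual generator.

```python
import hashlib
import math
import secrets
import time
from typing import Callable, Dict, Optional


# --- Generation: the entropy of the inputs is what counts, not the hash width ---

def homegrown_session_id(timestamp: float, rand_value: int) -> str:
    """Constructed model of a 'random/MD5-based' ID (an assumption, not the
    scheme from the thread): md5 over a millisecond timestamp and a small
    pseudo-random integer. The digest is 128 bits wide, but the ID carries
    only as much entropy as those two inputs do."""
    material = f"{timestamp:.3f}:{rand_value}".encode()
    return hashlib.md5(material).hexdigest()


def homegrown_search_space_bits(window_seconds: int, rand_range: int) -> float:
    """Upper bound on the entropy of homegrown_session_id() for an observer who
    knows the login fell inside a window of window_seconds (millisecond
    resolution) and that rand_value is drawn from rand_range possibilities."""
    return math.log2(window_seconds * 1000 * rand_range)


def csprng_session_id(nbytes: int = 16) -> str:
    """ID drawn from the operating system CSPRNG: nbytes * 8 bits of entropy,
    the kind of source a native session mechanism is expected to use."""
    return secrets.token_hex(nbytes)


CSPRNG_ID_BITS = 16 * 8  # 128 bits for the default 16-byte ID


# --- Use: possession of the ID is identity, so bound what possession buys ---

class SessionStore:
    def __init__(self, ttl_seconds: int = 900,
                 now: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be exercised deterministically
        # Keyed by sha256(session_id): a leaked store does not yield usable IDs.
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _key(session_id: str) -> str:
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user: str) -> str:
        session_id = csprng_session_id()
        self._sessions[self._key(session_id)] = {
            "user": user,
            "expires": self._now() + self._ttl,
        }
        return session_id

    def user_for(self, session_id: str) -> Optional[str]:
        """Whoever presents a live ID is that user; the TTL bounds the window
        during which a disclosed ID keeps that power."""
        key = self._key(session_id)
        record = self._sessions.get(key)
        if record is None:
            return None
        if self._now() >= record["expires"]:
            del self._sessions[key]
            return None
        return record["user"]

    def regenerate(self, session_id: str) -> Optional[str]:
        """Issue a fresh ID (on login or a privilege change) and retire the old
        one, so an ID observed before that point no longer identifies the user."""
        user = self.user_for(session_id)
        if user is None:
            return None
        del self._sessions[self._key(session_id)]
        return self.create(user)

    def destroy(self, session_id: str) -> None:
        self._sessions.pop(self._key(session_id), None)


if __name__ == "__main__":
    # Assumed observer knowledge: a one-hour login window and a 15-bit rand() range.
    print(f"homegrown ID, at most {homegrown_search_space_bits(3600, 32768):.1f} bits")
    print(f"CSPRNG ID, {CSPRNG_ID_BITS} bits")
    store = SessionStore()
    sid = store.create("alice")
    print("bearer lookup:", store.user_for(sid))
```

The numbers printed are the point: under the assumed observer knowledge the MD5 output looks like 128 bits but is bounded by roughly 37 bits of input entropy, while the CSPRNG ID is 128 bits throughout. The store side shows the practical consequence of "knowing the ID is being the user": keep the lifetime short and rotate the ID on login or privilege change rather than trying to make the ID mean something other than identity.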
