Hi,
This may not be the right place for this question, but what I'm looking to understand is the reasoning behind what seems to be the standard session behavior in PHP. And, if it's possible, how to change this behavior (via INI settings, etc.).
As I understand (and experience) it, if a client [browser] presents a session id (e.g. in a cookie) to the server, then PHP will attempt to match that ID to the session on the system. If found, that session information will be made available to the scripts. Fine. But, if *not found* then a new session will be created with the specified ID.
Is there any way to disable this behavior? I can't think of a single circumstance under which this would be the desired behavior, but my use of sessions has been more limited to authentication & web applications. I know about using session_regenerate_id() after authentication, to prevent fixation, but it seems like this is a workaround for a more fundamental problem in PHP session behavior.
On a side note, does anyone know if Hardened-PHP exhibits the same behavior?
Thanks, Hans
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
