"why is it this way" should also be posted to the general newsgroup, it barely has anything to do with internals
The behavior of the session extension has everything to do with internals. I'm not sure why everyone is sending him to php-general. No one there is going to be able to change this behavior. They can only suggest userland code to try to work around it.
The problem is that PHP uses any user-supplied session identifier when creating a new session. This increases the risk of session fixation.
If this behavior were changed, it would not completely protect developers from session fixation, but it would be a step in the right direction. I think the original poster was making this suggestion.
Chris
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
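The kind of userland workaround the message refers to, as an added example that is not part of the original message and not code from the PHP project. The `initiated` and `user_id` keys and the `on_login()` helper are hypothetical names chosen for this sketch, and `session.use_strict_mode` is only available in PHP 5.5.2 and later, so it is an assumption about the runtime.

```php
<?php
// Added example: userland mitigation for the behaviour described above,
// where a client-supplied session identifier is adopted for a new session.

// Assumption: PHP >= 5.5.2. With strict mode on, the session module refuses
// an identifier it did not issue and generates a fresh one instead.
ini_set('session.use_strict_mode', '1');

session_start();

// Fallback for runtimes without strict mode: a session that lacks our marker
// was not initialised by this application, so its identifier may have come
// from the client. Replace the identifier before storing anything in it.
// 'initiated' is a hypothetical marker key.
if (!isset($_SESSION['initiated'])) {
    session_regenerate_id(true);      // true = also delete the old session data
    $_SESSION['initiated'] = true;
}

/**
 * Hypothetical helper: call at every privilege change (login, role switch).
 * An identifier that was known before authentication must never remain
 * valid afterwards, whoever supplied it.
 */
function on_login(string $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;   // 'user_id' is a hypothetical key
}
```

The marker check only covers sessions that are new to the application; regenerating the identifier at login is what keeps an identifier known before authentication from carrying authenticated state.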