Hi,
> Sorry, perhaps this is just a vocabulary misunderstanding on my part. I thought "fixation" was explicitly providing the user with a fake but known session id (e.g. '1'), whereas "hijacking" is taking a valid id from another user.
Yeah... Well, you call it a fake session id. But that is not exactly what session fixation means. It means you give the user a session ID he will ride with (and do not steal it from him).
But it makes no difference if you give him a completely fake one or if you visit the site once yourself and then use the session ID you got for the fixation.
Stefan
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
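The point made in the reply above, that a fabricated ID and a server-issued one are equally usable for fixation, can be checked against a toy session store. This is an added example, not part of the original message and not PHP's own code; `SessionStore`, its `strict` and `regenerate_on_login` options, and the helper functions are hypothetical names modelling strict ID acceptance and ID rotation at login.

```python
import secrets

class SessionStore:
    """Toy server-side session store (hypothetical, for illustration only)."""

    def __init__(self, strict=False, regenerate_on_login=False):
        self.strict = strict                    # reject IDs the server never issued
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}                      # session id -> session data

    def open(self, presented_id=None):
        """Return the session id the server will use for this request."""
        if presented_id in self.sessions:
            return presented_id
        if presented_id is not None and not self.strict:
            self.sessions[presented_id] = {}    # permissive: adopt the client-chosen id
            return presented_id
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = {}
        return new_id

    def login(self, sid, user):
        """Bind a user to the session, rotating the id first if configured."""
        if self.regenerate_on_login:
            data = self.sessions.pop(sid)       # the pre-login id stops being valid
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

def pre_login_id_stays_authenticated(store, fixed_id):
    """True if an id known before login is still authenticated after login."""
    sid = store.open(fixed_id)                  # user arrives carrying the fixed id
    store.login(sid, "victim")
    return store.user_for(fixed_id) == "victim"

def compare():
    """Map config name -> (fabricated id '1' survives, server-issued id survives)."""
    configs = {"permissive": {}, "strict": {"strict": True},
               "regenerate": {"strict": True, "regenerate_on_login": True}}
    results = {}
    for name, kwargs in configs.items():
        fake = pre_login_id_stays_authenticated(SessionStore(**kwargs), "1")
        store = SessionStore(**kwargs)
        issued = pre_login_id_stays_authenticated(store, store.open())
        results[name] = (fake, issued)
    return results
```

Rejecting unknown IDs only closes the fabricated-ID case; the server-issued ID stays valid across login until the ID is rotated, which is what PHP's `session_regenerate_id()` is for.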