On Tue, 26 Apr 2005, Hans Lellelid wrote:
I see your point, but I would still argue that being able to create an arbitrary, non-server-supplied session id is far more powerful -- primarily because it is not susceptible to session garbage collection on the server (i.e. the valid session id I get from the site will be invalid in gc_maxlifetime).
So what you want are cookies?
Well, no, that doesn't address the problem, although certainly setting cookies_only makes it practically a bit harder (can't just paste in a simple URL with fixated session for someone to click). But the real problem (IMO) is the idea of a client making its own decision about what a session id should be. -- and of course sending an invalid session_id as a cookie is trivial.
-H
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
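The defensive pattern the post is arguing for (the server, not the client, decides what a session id is) can be shown in a short PHP bootstrap. This is an added example, not code from the mailing-list thread or from PHP's own sources; it assumes a PHP release that supports session.use_strict_mode (added well after this 2005 discussion) and uses a hypothetical `$_SESSION['server_issued']` marker to detect sessions the server never created.

```php
<?php
// Added example: refuse client-chosen session ids and only honour ids the
// server itself generated.  Assumes PHP with session.use_strict_mode support.

// Only accept ids from the cookie, never from the URL (closes the
// "paste a fixated link" vector mentioned in the thread).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Strict mode: an id that does not already exist in the session store is
// discarded and a fresh server-generated id is issued instead.  This is the
// direct answer to "a client making its own decision about what a session
// id should be".
ini_set('session.use_strict_mode', '1');

// Belt and braces for older installs: reject an id that does not even look
// like one PHP would have produced before the session layer touches it.
$incoming = $_COOKIE[session_name()] ?? '';
if ($incoming !== '' && !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $incoming)) {
    // Drop the bogus cookie so session_start() allocates a new id.
    unset($_COOKIE[session_name()]);
}

session_start();

// Hypothetical marker: set by the server the first time it creates a
// session.  If it is missing, the id was never issued by us (or strict
// mode is unavailable), so replace it and throw the old one away.
if (empty($_SESSION['server_issued'])) {
    session_regenerate_id(true);          // true = delete the old session file
    $_SESSION['server_issued'] = true;
}

// Always rotate the id at privilege changes (e.g. after login) so that an
// id observed before authentication is worthless afterwards.
function on_login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}
```

Because the marker lives server-side, a client that fabricates its own id never gets a session carrying `server_issued`, so the id is replaced on the very first request and the attacker's chosen value never becomes an authenticated session.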