Hi,

While I was testing strict session, I noticed that there is a problem in the current session module behavior.

From the manual:
----
session.use_cookies specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).

session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 5.3.0.
----

When "session.use_only_cookies=off", "session.use_trans_sid=on" should be effective. However, to make "session.use_trans_sid=on" effective, PHP 5.4 (maybe 5.3, too) requires "session.use_cookies=off". This behavior makes the "session.use_only_cookies" setting useless.

Since cookies are mandatory for secure web applications, this behavior is not good for applications that need both cookie- and URL-based sessions. There are still many mobile devices that do not support cookies, so I would like to fix this issue.

Are there any comments?

--
Yasuo Ohgaki
yohg...@ohgaki.net
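An added example (not code from the post or from PHP itself) that audits the three session.* settings discussed above, as read from ini_get() or a parsed php.ini, and reports the combinations that let the session id travel in URLs; the function name and the two sample configurations are constructed for illustration.

```php
<?php
// Added example: report session.* ini combinations that expose the
// session id in URLs, and note the PHP 5.4 behaviour described in the post.
declare(strict_types=1);

/**
 * @param array<string,string> $ini  values as ini_get() would return them ("1"/"0", "on"/"off")
 * @return string[] findings; an empty array means the configuration is cookie-only
 */
function auditSessionIniSettings(array $ini): array
{
    // ini values arrive as strings; treat "1", "on", "true", "yes" as enabled.
    $on = static fn(string $key): bool =>
        filter_var($ini[$key] ?? '0', FILTER_VALIDATE_BOOLEAN);

    $useCookies     = $on('session.use_cookies');
    $useOnlyCookies = $on('session.use_only_cookies');
    $useTransSid    = $on('session.use_trans_sid');

    $findings = [];
    if (!$useCookies) {
        $findings[] = 'session.use_cookies=0: the session id can only be carried in the URL';
    }
    if (!$useOnlyCookies) {
        $findings[] = 'session.use_only_cookies=0: a session id supplied in the URL is accepted (fixation risk)';
    }
    if ($useTransSid) {
        $findings[] = 'session.use_trans_sid=1: the id is rewritten into links and forms and leaks via Referer and logs';
        if ($useCookies) {
            // The interaction reported in the post for PHP 5.4 (possibly 5.3).
            $findings[] = 'note: with session.use_cookies=1, PHP 5.4 does not honour use_trans_sid';
        }
    }
    return $findings;
}

// Hardened baseline (constructed): cookies only, no URL-based session id.
$hardened = [
    'session.use_cookies'      => '1',
    'session.use_only_cookies' => '1',
    'session.use_trans_sid'    => '0',
];
assert(auditSessionIniSettings($hardened) === []);

// The mixed configuration discussed in the post (constructed): cookies plus URL fallback.
$mixed = ['session.use_cookies' => '1', 'session.use_only_cookies' => '0', 'session.use_trans_sid' => '1'];
foreach (auditSessionIniSettings($mixed) as $finding) {
    echo $finding, PHP_EOL;
}
```

Feed it the live values with `array_filter(ini_get_all('session'), ...)` or the three `ini_get()` calls to check a running deployment rather than the constructed samples.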