Hi!

>> About, since session_id() is a user function, what do we gain by
>> limiting what it does?
>
> Prefix is a part of session ID and it should have the same requirement
> as session ID for security reasons.

I'm not sure why you're talking about prefix. I thought that the issue was that user can supply session_id() with the ID that is not good for some reason and you want to filter it on session_id level. Am I wrong?

> There is SessionHandler::create_sid(), but there isn't a function that
> creates secure session ID.

Why not? The ID created now is not secure? Why? I see it uses php_session_create_id(), do you mean this function is insecure too? Why? In any case, if you think it is insecure, why not fix it?

--
Stas Malyshev
smalys...@gmail.com