Can I tell you more than what the subject says?

Proceeding: close the browser, clean all your cookies, and open any page with that ?PHPSESSID=spoofme appended. And see what happens.

1) No cookies are left
2) A session 'spoofme' is created

Do you need more? JavaScript URL injection and cross-site scripting become obsolete with this 'feature'. PLS!

I mean, as the Zend site doesn't quite work like this (do the same test, proceeding as described above...). Their sessions to append to your cookie-enabled browser location are Zend_Session_DB=whatever and Zend_Session_DB_SECURE=whatever2 on their login page. I don't know if this is related to the free downloadable version, and the one they sell and adopt is more 'fortified'... they should clearly state it then!

Gian

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
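
An added example, not part of the original post and not PHP's or Zend's own code: one way to close the behaviour described above in current PHP versions, by refusing session IDs the server did not issue, ignoring IDs passed in the URL, and issuing a fresh ID at login. The function names `start_hardened_session` and `on_login` are hypothetical, and the `secure` cookie flag assumes the site is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Added example; start_hardened_session() and on_login() are hypothetical names.
function start_hardened_session(): void
{
    // Reject IDs the server never issued, such as ?PHPSESSID=spoofme:
    // an unknown ID is discarded and a fresh random one is generated.
    ini_set('session.use_strict_mode', '1');
    // Accept the session ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    // Do not rewrite links and forms to carry the session ID.
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'httponly' => true,   // not readable from page scripts
        'secure'   => true,   // assumption: site is served over HTTPS
        'samesite' => 'Lax',
    ]);

    // With the settings above a session ID in the query string is never
    // needed, so record it as a possible fixation attempt (ID value not logged).
    if (isset($_GET[session_name()])) {
        error_log('session id supplied in URL from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    }

    session_start();
}

function on_login(string $userId): void
{
    // Issue a new ID at the privilege change and delete the old session data,
    // so an ID that was known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_hardened_session();
```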