Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:15661
Return-Path: <hans@velum.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 37764 invoked by uid 1010); 29 Mar 2005 17:49:41 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 37745 invoked from network); 29 Mar 2005 17:49:41 -0000
Received: from unknown (HELO velum.net) (127.0.0.1)
  by localhost with SMTP; 29 Mar 2005 17:49:41 -0000
X-Host-Fingerprint: 66.33.198.201 jareth.dreamhost.com Linux 2.4/2.6
Received: from ([66.33.198.201:51013] helo=jareth.dreamhost.com)
	by pb1.pair.com (ecelerity HEAD r(5268)) with SMTP
	id EA/CC-16973-43599424 for <internals@lists.php.net>; Tue, 29 Mar 2005 12:49:40 -0500
Received: from [127.0.0.1] (out.appliedsec.com [69.17.56.162])
	by jareth.dreamhost.com (Postfix) with ESMTP id A63A26B5F9
	for <internals@lists.php.net>; Tue, 29 Mar 2005 09:49:35 -0800 (PST)
Message-ID: <424994B1.3000600@velum.net>
Date: Tue, 29 Mar 2005 12:47:29 -0500
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: PHP internals <internals@lists.php.net>
X-Enigmail-Version: 0.89.5.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: why does PHP accept [new] session ids from client?
From: hans@velum.net (Hans L)

Hi,

This may not be the right place for this question, but what I'm looking 
to understand is the reasoning behind what seems to be the standard 
session behavior in PHP.  And, if it's possible, how to change this 
behavior (via INI settings, etc.).

As I understand (and experience) it, if a client [browser] presents a 
session id (e.g. in a cookie) to the server, then PHP will attempt to 
match that ID to the session on the system.  If found, that session 
information will be made available to the scripts.  Fine.  But, if *not 
found* then a new session will be created with the specified ID.

Is there any way to disable this behavior?  I can't think of a single 
circumstance under which this would be the desired behavior, but my use 
of sessions has been more limited to authentication & web applications. 
  I know about using session_regenerate_id() after authentication, to 
prevent fixation, but it seems like this is a workaround for a more 
fundamental problem in PHP session behavior.

On a side note, does anyone know if Hardened-PHP exhibits the same behavior?

Thanks,
Hans