Newsgroups: php.internals
Message-ID: <90e24d4e0503291116a5bde6a@mail.gmail.com>
Date: Tue, 29 Mar 2005 11:16:11 -0800
Reply-To: Jeremy Johnstone
To: Hans L
Cc: PHP internals
In-Reply-To: <424994B1.3000600@velum.net>
References: <424994B1.3000600@velum.net>
Subject: Re: [PHP-DEV] why does PHP accept [new] session ids from client?
From: phpdev@gmail.com (Jeremy Johnstone)

Not to be rude or anything, but this question is better suited for php-general.

-Jeremy

On Tue, 29 Mar 2005 12:47:29 -0500, Hans L wrote:
> Hi,
>
> This may not be the right place for this question, but what I'm looking
> to understand is the reasoning behind what seems to be the standard
> session behavior in PHP. And, if it's possible, how to change this
> behavior (via INI settings, etc.).
>
> As I understand (and experience) it, if a client [browser] presents a
> session id (e.g. in a cookie) to the server, then PHP will attempt to
> match that ID to the session on the system. If found, that session
> information will be made available to the scripts. Fine. But, if *not
> found* then a new session will be created with the specified ID.
>
> Is there any way to disable this behavior? I can't think of a single
> circumstance under which this would be the desired behavior, but my use
> of sessions has been more limited to authentication & web applications.
> I know about using session_regenerate_id() after authentication, to
> prevent fixation, but it seems like this is a workaround for a more
> fundamental problem in PHP session behavior.
>
> On a side note, does anyone know if Hardened-PHP exhibits the same behavior?
>
> Thanks,
> Hans
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--
---------------------------
Jeremy Johnstone
http://www.jeremyjohnstone.com
jsjohnst@php.net
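As an added example (not code from the thread or from PHP itself), here is how an application can defend against the behaviour Hans describes: the session_regenerate_id() workaround he mentions applied on login, a portable marker-based check for sessions PHP created on the client's behalf, and the session.use_strict_mode INI setting that later PHP releases (5.5.2 and up) added to reject ids that do not match an existing session. It assumes PHP 7 or newer and a hypothetical check_credentials() application function.

```php
<?php
// Added example, not part of the original thread.
// 1. Strict mode (PHP >= 5.5.2): an id presented by the client that has no
//    existing session is discarded and a fresh id is issued. Must be set
//    before session_start(); in 2005-era PHP this option did not exist.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1'); // never accept ids from the URL
session_start();

// 2. Portable fallback for older PHP: mark every session this application
//    created. A client-supplied id that PHP "found" only because it just
//    created an empty session under it carries no marker, so the id is
//    replaced before anything is stored in it.
if (empty($_SESSION['__initiated'])) {
    session_regenerate_id(true); // true: delete the old session data too
    $_SESSION['__initiated'] = true;
}

// 3. Rotate the id on every privilege change, so an id fixed by a third
//    party before authentication does not carry the authenticated state.
function login_user(string $username, string $password): bool
{
    // check_credentials() is a hypothetical application function.
    if (!check_credentials($username, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['auth_time'] = time();
    return true;
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();          // drop server-side data for this id
    session_regenerate_id(true); // and do not let the old id be reused
}
```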