Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:15663
Return-Path: <hans@velum.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 62477 invoked by uid 1010); 29 Mar 2005 19:36:12 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 62462 invoked from network); 29 Mar 2005 19:36:11 -0000
Received: from unknown (HELO pb1.pair.com) (127.0.0.1)
  by localhost with SMTP; 29 Mar 2005 19:36:11 -0000
X-Host-Fingerprint: 66.33.198.201 jareth.dreamhost.com Linux 2.4/2.6
Received: from ([66.33.198.201:60919] helo=jareth.dreamhost.com)
	by pb1.pair.com (ecelerity HEAD r(5268)) with SMTP
	id E2/D6-16973-B2EA9424 for <internals@lists.php.net>; Tue, 29 Mar 2005 14:36:11 -0500
Received: from [127.0.0.1] (out.appliedsec.com [69.17.56.162])
	by jareth.dreamhost.com (Postfix) with ESMTP
	id A247A6B606; Tue, 29 Mar 2005 11:36:07 -0800 (PST)
Message-ID: <4249ADAC.8000900@velum.net>
Date: Tue, 29 Mar 2005 14:34:04 -0500
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Jeremy Johnstone <phpdev@gmail.com>
Cc: PHP internals <internals@lists.php.net>
References: <424994B1.3000600@velum.net> <90e24d4e0503291116a5bde6a@mail.gmail.com>
In-Reply-To: <90e24d4e0503291116a5bde6a@mail.gmail.com>
X-Enigmail-Version: 0.89.5.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] why does PHP accept [new] session ids from client?
From: hans@velum.net (Hans L)

Ok, I'll post it there.  I thought that it was more a question of "why 
is it this way?" than "how do I do XXXX?".

Thanks,
Hans

Jeremy Johnstone wrote:
> Not to be rude or anything, but this question is better suited for php-general
> 
> -Jeremy
> 
> 
> On Tue, 29 Mar 2005 12:47:29 -0500, Hans L <hans@velum.net> wrote:
> 
>>Hi,
>>
>>This may not be the right place for this question, but what I'm looking
>>to understand is the reasoning behind what seems to be the standard
>>session behavior in PHP.  And, if it's possible, how to change this
>>behavior (via INI settings, etc.).
>>
>>As I understand (and experience) it, if a client [browser] presents a
>>session id (e.g. in a cookie) to the server, then PHP will attempt to
>>match that ID to the session on the system.  If found, that session
>>information will be made available to the scripts.  Fine.  But, if *not
>>found* then a new session will be created with the specified ID.
>>
>>Is there any way to disable this behavior?  I can't think of a single
>>circumstance under which this would be the desired behavior, but my use
>>of sessions has been more limited to authentication & web applications.
>>  I know about using session_regenerate_id() after authentication, to
>>prevent fixation, but it seems like this is a workaround for a more
>>fundamental problem in PHP session behavior.
>>
>>On a side note, does anyone know if Hardened-PHP exhibits the same behavior?
>>
>>Thanks,
>>Hans
>>
>>--
>>PHP Internals - PHP Runtime Development Mailing List
>>To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> 
> 
>