Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:15664
Return-Path:
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 64345 invoked by uid 1010); 29 Mar 2005 19:38:49 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 64328 invoked by uid 1007); 29 Mar 2005 19:38:49 -0000
Message-ID: <20050329193848.64327.qmail@lists.php.net>
To: internals@lists.php.net
Date: Tue, 29 Mar 2005 21:39:09 +0200
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050106
X-Accept-Language: en-us, en
MIME-Version: 1.0
References: <424994B1.3000600@velum.net> <90e24d4e0503291116a5bde6a@mail.gmail.com> <4249ADAC.8000900@velum.net>
In-Reply-To: <4249ADAC.8000900@velum.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Posted-By: 62.131.2.67
Subject: Re: [PHP-DEV] why does PHP accept [new] session ids from client?
From: tularis@php.net ("M. Sokolewicz")

"why is it this way" should also be posted to the general newsgroup, it barely has anything to do with internals

- tul

Hans L wrote:
> Ok, I'll post it there. I thought that it was more a question of "why
> is it this way?" than "how do I do XXXX?".
>
> Thanks,
> Hans
>
> Jeremy Johnstone wrote:
>
>> Not to be rude or anything, but this question is better suited for
>> php-general
>>
>> -Jeremy
>>
>>
>> On Tue, 29 Mar 2005 12:47:29 -0500, Hans L wrote:
>>
>>> Hi,
>>>
>>> This may not be the right place for this question, but what I'm looking
>>> to understand is the reasoning behind what seems to be the standard
>>> session behavior in PHP. And, if it's possible, how to change this
>>> behavior (via INI settings, etc.).
>>>
>>> As I understand (and experience) it, if a client [browser] presents a
>>> session id (e.g. in a cookie) to the server, then PHP will attempt to
>>> match that ID to the session on the system. If found, that session
>>> information will be made available to the scripts. Fine. But, if *not
>>> found* then a new session will be created with the specified ID.
>>>
>>> Is there any way to disable this behavior? I can't think of a single
>>> circumstance under which this would be the desired behavior, but my use
>>> of sessions has been more limited to authentication & web applications.
>>> I know about using session_regenerate_id() after authentication, to
>>> prevent fixation, but it seems like this is a workaround for a more
>>> fundamental problem in PHP session behavior.
>>>
>>> On a side note, does anyone know if Hardened-PHP exhibits the same
>>> behavior?
>>>
>>> Thanks,
>>> Hans
>>>
>>> --
>>> PHP Internals - PHP Runtime Development Mailing List
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
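The behaviour Hans describes in the quoted question (PHP adopting a client-supplied ID that matches no existing session and creating a session under it) is the precondition for session fixation. Below is an added example, not code from this thread, from Hardened-PHP or from PHP's own sources, of a session bootstrap that refuses unknown IDs and rotates the ID at login. It assumes PHP 7 or later, the default "files" save handler and cookie-only ID propagation; the function names (session_id_is_known, secure_session_start, login_user), the user_id key and the ID regex bounds are made up for the example. PHP releases from 5.5.2 onward added the INI setting session.use_strict_mode, which performs exactly this rejection natively; the block enables it and also spells the check out so the mechanism is visible.

```php
<?php
// Added example (not code from the thread or from PHP itself): a session
// bootstrap that refuses to adopt a client-supplied ID for which no session
// exists, and rotates the ID on login. Assumes PHP 7+, the default "files"
// save handler and cookie-only ID propagation. Function names are invented.

declare(strict_types=1);

// Accept IDs from the cookie only, never from the query string.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

// PHP 5.5.2+ implements the rejection below natively: with strict mode on,
// an ID that the save handler does not recognise is discarded and a fresh
// one is generated. The explicit check that follows shows what that
// setting does and covers builds that predate it.
ini_set('session.use_strict_mode', '1');

/**
 * True when $id has the shape of a PHP session ID and the files handler
 * already holds a session for it (stored as sess_<id> in the save path).
 */
function session_id_is_known(string $id): bool
{
    // Character set and length bounds are an assumption chosen to match
    // what ext/session accepts; tighten to your session.sid_* settings.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        return false;
    }
    $path = session_save_path();
    if ($path === '') {
        $path = sys_get_temp_dir();           // PHP's default save location
    }
    if (strpos($path, ';') !== false) {
        // save_path may be "N;MODE;/dir" for the files handler; keep /dir.
        $parts = explode(';', $path);
        $path = end($parts);
    }
    return is_file($path . DIRECTORY_SEPARATOR . 'sess_' . $id);
}

/**
 * session_start() wrapper: an unknown presented ID is replaced by a
 * server-generated one, so the client's chosen value never names a session.
 */
function secure_session_start(): void
{
    $presented = $_COOKIE[session_name()] ?? null;

    if (is_string($presented) && !session_id_is_known($presented)) {
        // Override the cookie value before starting; the Set-Cookie header
        // PHP emits for the new ID replaces the one the client sent.
        session_id(bin2hex(random_bytes(16)));
    }
    session_start();
}

/**
 * Call at every privilege change (login, role elevation): a pre-login ID,
 * even one an attacker planted, is never carried into the authenticated
 * state. The `true` argument removes the old session file.
 */
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;   // 'user_id' is a made-up key
}

secure_session_start();
```

Include this file before any output and before any other session_start() call. The two measures are complementary: refusing unknown IDs stops the server from ever creating a session under a value the client chose, and session_regenerate_id(true) at login (the workaround Hans already mentions) ensures that even an ID the server did create before authentication is not the one that ends up authenticated.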