Newsgroups: php.internals
Xref: news.php.net php.internals:15702
Message-ID: <5.1.0.14.2.20050331192156.06ec0a90@localhost>
Date: Thu, 31 Mar 2005 19:24:46 +0200
To: Hans L
Cc: PHP internals
In-Reply-To: <424994B1.3000600@velum.net>
References: <424994B1.3000600@velum.net>
Subject: Re: [PHP-DEV] why does PHP accept [new] session ids from client?
From: zeev@zend.com (Zeev Suraski)

At 19:47 29/03/2005, Hans L wrote:
>Hi,
>
>This may not be the right place for this question, but what I'm looking to
>understand is the reasoning behind what seems to be the standard session
>behavior in PHP. And, if it's possible, how to change this behavior (via
>INI settings, etc.).
>
>As I understand (and experience) it, if a client [browser] presents a
>session id (e.g. in a cookie) to the server, then PHP will attempt to
>match that ID to the session on the system. If found, that session
>information will be made available to the scripts. Fine. But, if *not
>found* then a new session will be created with the specified ID.
>
>Is there any way to disable this behavior? I can't think of a single
>circumstance under which this would be the desired behavior, but my use of
>sessions has been more limited to authentication & web applications.

I actually came across one situation where I took advantage of this feature
and relied on it in an application. It had to do with replicating parts of
a session across a cluster of servers (also for use in authentication).

Zeev
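
An added example, not part of the original thread and not PHP's own code: one way an application can refuse to keep a session ID it did not issue itself, which is the behavior the question asks how to disable. It assumes PHP 7 or later; the `session.use_strict_mode` setting exists from PHP 5.5.2, and the `issued_by_server` key and both function names are hypothetical.

```php
<?php
// Added example. 'issued_by_server', start_server_issued_session() and
// on_login() are hypothetical names chosen for illustration.

// Built-in control (PHP >= 5.5.2): do not adopt an uninitialized session ID
// presented by the client; PHP generates a new one instead.
ini_set('session.use_strict_mode', '1');
// Take the ID from the cookie only, never from a URL parameter.
ini_set('session.use_only_cookies', '1');

/**
 * Start the session and make sure its ID was issued by this application.
 * Returns true when the client-presented ID was discarded and replaced.
 */
function start_server_issued_session(): bool
{
    session_start();

    // A session this application created earlier carries the marker.
    if (!empty($_SESSION['issued_by_server'])) {
        return false;
    }

    // No marker: the ID is brand new, or the client supplied an ID for a
    // session that did not exist. Drop any data and mint a fresh ID.
    $_SESSION = [];
    session_regenerate_id(true);          // true = delete the old session
    $_SESSION['issued_by_server'] = true;
    $_SESSION['created_at'] = time();
    return true;
}

/** Call at every privilege change so a pre-login ID is never carried over. */
function on_login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// Use this in place of a bare session_start() at the top of each request.
$replaced = start_server_issued_session();
```

An application that depends on adopting client-presented IDs, such as the cluster replication case in the reply above, would have to seed the marker on every node that is expected to honor the ID.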