Chris Shiflett wrote:
For example, consider that a legitimate user clicks a link and goes to this
URL:

http://www.example.org/foo.php?PHPSESSID=12345

Perhaps the user has cookies disabled, so PHP appends the session identifier to
the URL, or perhaps the developer does it automatically. Either way, what if a
bad guy visits this URL:

http://www.example.org/foo.php?PHPSESSID=12345


This is called session fixation. Here's a good paper on this and how to deal with it.


http://www.acros.si/papers/session_fixation.pdf

The session_regenerate_id() function can come in handy here.

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
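The defence John describes, worked through as an added example that is not from the thread: the server refuses session identifiers carried in the URL or otherwise not issued by itself, and calls session_regenerate_id() at the moment the session gains privileges (login), so an identifier an attacker planted beforehand never becomes an authenticated session. It assumes PHP 7.3 or later and a constructed in-memory user table in place of a real credential store.

```php
<?php
// Added example (not code from the mailing-list thread). Assumes PHP >= 7.3.

// 1. Take the session ID from the cookie only, never from ?PHPSESSID=... in the
//    URL, and never rewrite links to carry it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// 2. Reject any ID the server did not generate itself (PHP >= 5.5.2). A
//    planted ID such as PHPSESSID=12345 is discarded and a fresh one is issued.
ini_set('session.use_strict_mode', '1');
// 3. Keep the cookie away from scripts and, under HTTPS, off plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

// Constructed stand-in for a real user store: one demo account.
function check_credentials(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // Privilege level changes here: throw away the pre-authentication ID and
    // delete its server-side file, so whoever knew the old ID learns nothing.
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying the server copy.
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```

With use_strict_mode on, a request arriving with an unknown identifier gets a new one rather than adopting the attacker's value, and regenerate-on-login covers older PHP versions that lack that directive.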


