On Fri, Apr 4, 2008 at 2:57 PM, Thiago Pojda
<[EMAIL PROTECTED]> wrote:
>> De: Daniel Brown [mailto:[EMAIL PROTECTED]
>>
>> <?php
>> echo
>> "http://www.domain.com/script.php?".session_name()."=".session_id();
>> ?>
>
> I think it was supposed to add that stuff automagically...?
>
> Not quite sure I understood. I found little doc on that setting, most results
> are people telling to not use it :)

Probably because of the fear of session hijacking and spoofing.
The thing is, a handwritten cookie is just as effective for that, by
changing the PHPSESSID (or equivalent). In any case, a 32-byte
hexadecimal hash should be sufficient security for most sessions.

--
</Daniel P. Brown>
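
For the trade-off discussed in this thread, a cookie-only session setup that keeps the session ID out of URLs and rotates it at login. This is an added example, not code from either poster; it assumes PHP 7.3 or later and an HTTPS site, and the function names `start_hardened_session()` and `on_login_success()` are hypothetical.

```php
<?php
// Added example; not code from the thread. Assumes PHP 7.3+ and HTTPS.

// Call before any output, in place of a bare session_start().
function start_hardened_session(): void
{
    // Accept the session ID from the cookie only; ignore ?PHPSESSID=... in URLs.
    ini_set('session.use_only_cookies', '1');
    // Do not rewrite links and forms to carry the session ID, so it cannot
    // leak through Referer headers, logs, bookmarks or shared links.
    ini_set('session.use_trans_sid', '0');
    // Reject session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // expire with the browser session
        'path'     => '/',
        'secure'   => true,   // send over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not sent on cross-site subrequests
    ]);
    session_start();
}

// Hypothetical helper: call once the user's credentials have been verified.
function on_login_success(int $userId): void
{
    // Issue a fresh ID and delete the old session data, so an ID that was
    // fixed or observed before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_hardened_session();
```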