This is how it works, but you can tie the session to a specific IP (still not 100% safe).

scott wrote:

hi

I'm running PHP 4.2.3 as a module with Apache 1.3.26 on OpenBSD 3.2 with the
chroot turned off (as it stopped the php_mail() function working, but if
anyone has the fix for that I will re-implement the jail again :o)

I'm having some problems with sessions. I am not using cookies, as many
people don't allow them to be set.

The main page starts a session, takes username and password, and if they are
ok, it registers the user's id from the db as a session variable using
$_SESSION['user_id'] = $user_id

it then does a header redirect to another page, which at the moment for
testing just displays the SID and all $_SESSION[vars]

as the SID is being passed in the URL, I am able to copy the http://url?SID
from the browser window

if I close the browser (which from reading the docs on sessions should end
the session) and then re-open another browser (admittedly on the same
machine/ip address) and paste the http://url?SID back in, I get the page, and
the $_SESSION[vars] are still there !!

it is reading them back out of the files in /tmp (if I edit these directly
and paste the url?SID in, I get the new values I manually put in !)

:o( is there an official/approved method to prevent this from being done ?

thank you

_scott

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
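The binding the reply suggests, worked through as an added example (not code from either poster): the server-side session file survives the browser being closed, so anyone holding the URL-passed SID can resume it; recording a fingerprint of the client (remote IP plus User-Agent) when the session is created and rejecting the SID when the fingerprint changes limits that replay. `SESSION_BIND_SECRET` is an assumed deployment constant, and the session functions used (`session_regenerate_id`, `session.use_strict_mode`, `hash_equals`) need a far newer PHP than the 4.2.3 in the post. The "not 100% safe" caveat stands: clients behind NAT or a shared proxy present the same IP, so this check stops a pasted link from elsewhere, not an attacker on the same egress address.

```php
<?php
// Added example, not from the original thread: bind a PHP session to the
// client that created it, so a copied ?PHPSESSID=... URL is rejected when
// presented from a different IP address or browser.

define('SESSION_BIND_SECRET', 'replace-with-a-long-random-per-deployment-secret'); // assumed

function client_fingerprint(): string
{
    // IP + User-Agent, HMAC'd with a server secret so the session file in
    // /tmp does not reveal the raw values to anyone who can read it.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ip . "\0" . $ua, SESSION_BIND_SECRET);
}

function start_bound_session(): void
{
    // Strict mode refuses SIDs PHP did not itself issue (no attacker-chosen
    // IDs). Cookies are still preferred; with trans-sid the SID travels in
    // the URL and the fingerprint check below is what limits the damage.
    ini_set('session.use_strict_mode', '1');
    session_start();

    if (!isset($_SESSION['fp'])) {
        // Fresh session: record who created it.
        $_SESSION['fp']      = client_fingerprint();
        $_SESSION['created'] = time();
        return;
    }

    if (!hash_equals($_SESSION['fp'], client_fingerprint())) {
        // SID presented from another IP/UA, i.e. the URL was pasted elsewhere.
        // Destroy the server-side file so the SID cannot be replayed again.
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('session does not belong to this client');
    }
}

function login_user(int $user_id): void
{
    // On privilege change issue a new SID and delete the old file, so a SID
    // that was visible in the URL before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}

function logout_user(): void
{
    // Closing the browser never ends a server-side session; only this does.
    $_SESSION = [];
    session_destroy();
}

// Usage in the login page described in the post (credential check assumed):
start_bound_session();
if (isset($_POST['username'], $_POST['password'])) {
    $user_id = 42; // assumed: the id returned by the poster's DB lookup
    login_user($user_id);
    header('Location: next.php?' . SID); // SID is defined once the session is started
    exit;
}
```

The order matters: `start_bound_session()` runs before any output on every page, `login_user()` only after the credentials are verified, and the 403 branch destroys the session rather than merely refusing the page, so the file in /tmp the poster observed is gone as soon as a mismatched client touches it.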