
On Fri, 28 Apr 2006 10:38:36 +0200 Sebastian Mendel <lists@sebastianmendel.de> wrote:
> Michal Čihař wrote:
> > On Thu, 27 Apr 2006 15:29:31 +0200 Sebastian Mendel <lists@sebastianmendel.de> wrote:
> > > Michal Čihař wrote:
> > > > On Thu, 27 Apr 2006 15:18:34 +0200 Sebastian Mendel <lists@sebastianmendel.de> wrote:
> > > > > for security reasons we decided to not support url session ids
> > > >
> > > > What's the problem with that?
> > >
> > > session fixation and hijacking?
> >
> > Hmmm, what is better? This or XSRF or cookie requirement. Looks like we have to make a choice.
>
> whether url sid is allowed or not is set in session.inc.php

IMHO it is allowed there:

    // but not all user allow cookies
    ini_set('session.use_only_cookies', false);
    ini_set('session.use_trans_sid', true);

Or am I missing some other ini option that disables it completely?

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com
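
A check of the two settings quoted in the message above, as an added example that is not part of the thread or of phpMyAdmin's code. The helper name url_sid_findings() and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not phpMyAdmin code; url_sid_findings() is a hypothetical helper.

/**
 * List the ways the given session settings let a session id travel in a URL.
 * With no argument, the live PHP configuration is inspected.
 */
function url_sid_findings(?array $ini = null): array
{
    $keys = ['session.use_only_cookies', 'session.use_trans_sid'];
    $ini = $ini ?? array_combine($keys, array_map('ini_get', $keys));
    // ini_get() may return "1", "0", "" or a literal such as "On"/"Off".
    $on = fn($v): bool => filter_var($v, FILTER_VALIDATE_BOOLEAN);

    $findings = [];
    if (!$on($ini['session.use_only_cookies'])) {
        $findings[] = 'use_only_cookies off: an id supplied in the URL is accepted';
    }
    if ($on($ini['session.use_trans_sid'])) {
        $findings[] = 'use_trans_sid on: transparent session id support in URLs is enabled';
    }
    return $findings;
}

// Constructed inputs: the two values quoted in the message, then cookie-only values.
$cases = [
    'quoted in the message' => ['session.use_only_cookies' => false, 'session.use_trans_sid' => true],
    'cookie-only'           => ['session.use_only_cookies' => true,  'session.use_trans_sid' => false],
    'this PHP runtime'      => null,
];
foreach ($cases as $label => $ini) {
    $f = url_sid_findings($ini);
    echo $label, ":\n  ", $f ? implode("\n  ", $f) : 'no URL session id exposure', "\n";
}
```

Both settings have to be changed with ini_set() before session_start() is called for them to affect the session.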