Re: [Phplib-users] new session creation policy is trust user input ?
From: Peter K. <su...@si...> - 2002-06-01 08:05:56
Hello Gian,
> Can we control that a new session id has been effectively issued by us,
> and only create new session id that we have generated?
I included in my session.inc (as of $Id: session.inc,v 1.7 2001/07/09 15:33:29) the following code
in function get_id after the first if ( "" == $id ) { ... }:
---- snip ----
if ($id != "") { # somehow an id was provided by the user
    if ($this->that->ac_get_value($id, $this->name) == "") {
        # no - the id doesn't exist in the database: Ignore it!
        $id = "";
    }
}
---- snip ----
In the next if ( "" == $id ) the program then generates a new id.
Disclaimer: I am not sure if this behaviour is safe and I do not know if subsequent versions of phplib
have taken care of this problem.
Peter Kursawe
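The policy Peter describes above, written out as an added example that is not phplib code and not part of the original post: a client-presented session id is honoured only if the server-side store already knows it, otherwise it is discarded and a fresh id is generated. `SessionStore` is a constructed in-memory stand-in for phplib's database container (`ac_get_value`), and the `ignored` list is a hypothetical hook for logging rejected ids.

```python
import secrets
from typing import Dict, List, Optional, Tuple


class SessionStore:
    """Constructed stand-in for phplib's session container: id -> session data."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def get(self, sid: str) -> Optional[dict]:
        # Mirrors ac_get_value(): returns None when the id is unknown.
        return self._rows.get(sid)

    def put(self, sid: str, data: dict) -> None:
        self._rows[sid] = data

    def delete(self, sid: str) -> None:
        # Expiry / logout: an id removed here is no longer accepted from clients.
        self._rows.pop(sid, None)


def get_id(store: SessionStore, presented_id: str,
           ignored: Optional[List[str]] = None) -> Tuple[str, bool]:
    """Return (session_id, freshly_generated).

    Only ids already present in the store are trusted; any other value the
    client supplies is dropped, so a client can never pick its own id
    (the session-fixation case the thread is about).
    """
    if presented_id and store.get(presented_id) is not None:
        return presented_id, False
    if presented_id and ignored is not None:
        ignored.append(presented_id)          # hypothetical detection hook
    # Server-chosen, unguessable id. It is registered immediately so the
    # very next request carrying it passes the existence check above.
    new_id = secrets.token_hex(16)
    store.put(new_id, {})
    return new_id, True


if __name__ == "__main__":
    store = SessionStore()
    sid, fresh = get_id(store, "id-chosen-by-client")   # constructed input
    print("client id rejected, new id issued:", fresh, sid)
    print("same id accepted on next request:", get_id(store, sid))
```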