This patch is instead of my previous one.
Now I use to check if the session exists.
It passed my tests.
The creation of a new session is now dependent on a
block_bogus_sid = true
You can always have it work as before by subclassing
session in local.inc, and I suggest using this
subclass only in places you can control it.
This was a grave hole in PHPLIB, and PHP btw: let
people force 'get' mode and create whatever session
they like is a great security risk, a malware.