php.net | Bug report
[2001-10-07 00:43 UTC] max at blueroo dot net
[2001-10-07 00:46 UTC] max at blueroo dot net
[2001-10-07 15:59 UTC] sniper@php.net
|  Copyright © 2001-2025 The PHP Group All rights reserved. | Last updated: Fri Oct 31 06:00:01 2025 UTC | 
[2001-10-07 00:43 UTC] max at blueroo dot net

PHP allows a client to specify what its SID will be by passing a Cookie, GET, or POST variable to a script, with the same session name as the script uses. An example script:

    <?php
    session_name('id');
    session_start();
    print 'In ' . phpversion() . ', your session ID is: ' . session_id();
    ?>

If the above script is accessed via http://www.example.com/test.php?id=blehbleh this will print "In 4.0.x, your session ID is: blehbleh" (tested in PHP 4.0.4pl1 & 4.0.6).

After discussions with several people, we were unable to find any reason why the client should be able to specify what its SID should be, unless a session with that SID has been started. IMHO, if a session with the provided SID has not been started, the server should generate an ID and give it to the client, instead of accepting the client-specified SID.

A workaround is to add the following code:

    // generate our own session ID before the session is started
    srand((double) microtime() * 1000000);
    $new_id = md5(rand());
    session_id($new_id);

...after session_name() and before session_start(), on a page that will reinitialise/destroy a session, such as a login or logout page.

With this workaround (and/or a fix) it is possible to create login scripts which are more secure, i.e. a script that does not send plain-text passwords, and does not transmit the same encrypted details on consecutive logins.

Although I have provided a workaround, I thought it should be mentioned (or fixed within the codebase itself). Please excuse me if I am missing something, and this is actually a feature.

Regards,
Max Holman

PS: I will be releasing a script to demonstrate the (more) secure login; if you are interested, please email me (note that it requires Javascript on the client side).
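The behaviour the report describes (the server adopting whatever ID the client supplies) is what is now called session fixation. The following login handler is an added example, not code from the bug report or from PHP itself, showing how the same problem is handled on current PHP: the session.use_strict_mode ini setting (available since PHP 5.5.2) makes PHP do exactly what the reporter proposes, generating a fresh ID when the supplied one does not belong to an existing session, and session_regenerate_id(true) swaps the ID at the moment of login so an ID planted before authentication never carries the authenticated session. It assumes PHP 7 or later, a web SAPI (the cookie and POST handling do nothing on the CLI), and uses a constructed one-user table in place of a real credential store.

```php
<?php
// Added example, not from the bug report: a login handler hardened against
// client-chosen session IDs. Assumes PHP >= 7 and a web SAPI; the user table
// below is constructed for the example.
declare(strict_types=1);

// Reject IDs the server never issued. A request carrying id=blehbleh (cookie,
// GET or POST) for a session that does not exist gets a new server-generated
// ID instead of "blehbleh" being adopted as the session ID.
ini_set('session.use_strict_mode', '1');
// Take the ID from the cookie only, never from the query string or body.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

session_name('id');
session_start();

// Constructed demo credential store: username => password_hash() output.
// A real deployment reads this from a database.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function attempt_login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // Privilege changes here: issue a new ID and delete the old session data,
    // so an ID an attacker planted or observed before login is now worthless.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying server-side data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['pass'] ?? '');
    if (attempt_login($users, $user, $pass)) {
        echo "Logged in as {$user}; session ID is now " . session_id();
    } else {
        http_response_code(401);
        echo 'Invalid credentials';
    }
} elseif (isset($_GET['logout'])) {
    logout();
    echo 'Logged out';
} else {
    echo 'Session ID: ' . session_id()
        . (isset($_SESSION['user']) ? " (user {$_SESSION['user']})" : ' (anonymous)');
}
```

Two design points worth noting: the ID itself comes from PHP's session ID generator rather than from md5(rand()), so its unpredictability does not depend on the script seeding a PRNG correctly; and regeneration happens on the login transition rather than on every request, which is enough to break fixation while keeping concurrent requests from racing on a changing ID.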