php4rc1

The following script creates a session containing "ses_sToto="session OK".
Load it with your browser.
Verify that the session is created by reloading the page.
Destroy the session and verify that the session no longer exists in /tmp.
Refresh the page in your browser: a new session is created, but it has the same SID !

As the cookie still exists in the browser, the browser sends it to the script, and PHP, create the session, with the given SID.

Php should generate a new SID if the SID given by the browser does not exist.

The problem is that with a login/passwd registering function, a session can be restarted by pushing the 'back' button in the browser.

<?php
 session_start();
 session_register("ses_sToto");

 print("session_id()=".session_id());
 if ($ses_sToto=="")
  $ses_sToto="session OK";
?>

./configure  --with-mysql --with-apache=../apache_1.3.12 --enable-track-vars