[dev] Re: [cvs] commit: horde login.php imp redirect.php

Chuck Hagenbuch chuck at horde.org
Sat Feb 8 23:19:51 PST 2003


Quoting Jon Parise <jon at horde.org>:

> I think it deserves a block comment explaining the reasoning behind
> re-creating the session.  The logic itself looks sound, although I
> haven't tested it myself.

Actually, looking at this, I think we need one more step: we need to force a
new session ID. We can do this with session_id($value), but setting $value
isn't a minor thing, so I wanted to bring this up here.

For now, I've added Horde::getCleanSession(), with this last step commented
out until we agree on how to generate new session_ids().

For now, I'd suggest:

$new_session_id = md5(uniqid(mt_rand(), true));

I know uniqid is slow, but this is a login-only thing, and it's important to
really get a unique value here. If someone has an argument that uniqid()
isn't needed, I'm happy to hear that, too.

-chuck

--
Charles Hagenbuch, <chuck at horde.org>
must ... find ... acorns ... *thud*
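
The step discussed in this message, forcing a new session ID at login with session_id($value), as an added example that is not part of the original post and is not Horde's Horde::getCleanSession(). The function names are hypothetical, and the ID comes from random_bytes() (PHP 7+) in place of the md5(uniqid(mt_rand(), true)) suggested above.

```php
<?php
// Added illustration, not Horde code. new_session_id() and
// clean_session_at_login() are hypothetical names.

function new_session_id(): string
{
    // 16 bytes from the OS CSPRNG, hex-encoded: 32 characters of [0-9a-f],
    // which the default "files" session handler accepts as an ID.
    return bin2hex(random_bytes(16));
}

function clean_session_at_login(): string
{
    // Attach to whatever session the browser presented. Its ID may have
    // been chosen by someone other than the user (session fixation).
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $old_id = session_id();

    // Drop pre-login data and delete the server-side record of the old ID,
    // so the old ID is worthless after this point.
    $_SESSION = [];
    session_destroy();

    // Force a new ID. session_id($value) only takes effect when it is
    // called before session_start().
    session_id(new_session_id());
    session_start();

    // With session.use_strict_mode=1 PHP may replace an ID it has never
    // issued with one of its own, so read the ID back instead of assuming.
    $current = session_id();
    if ($current === '' || $current === $old_id) {
        throw new RuntimeException('session ID was not replaced at login');
    }
    return $current;
}

// Call after the credentials have been verified and before any output:
//   clean_session_at_login();
//   $_SESSION['user'] = $authenticated_user;   // hypothetical key
//
// Current PHP also provides session_regenerate_id(true), which issues a
// new ID and deletes the old session record in one call.
```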

