Seth Carter - 2010-07-24 15:08:48
There's a problem with the RegenerateID method - The version_compare() check to allow the passing of the optional parameter for session_regenerate_id() is reversed:
version_compare('5.1.0', phpversion(), '>=')
Means that only users of version 5.1.0 can use session_regenerate_id(true) - E.g. if you're running 5.1.1 the statement will evaluate as false as 5.1.0 is NOT greater than or equal to 5.1.1, see http://www.php.net/version_compare
The statement should be written as:
version_compare(phpversion(), "5.1.0", ">=")
I have fixed this bug and added session lifetime and destroy methods in my own version of this class available at http://www.phpclasses.org/package/5947-PHP-Prevent-session-hijacking-and-fixation-attacks.html
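
The two argument orders discussed in the comment above, run side by side over a few version strings, followed by a regeneration wrapper that uses the corrected order. This is an added example, not code from the class or from the comment's author; the function names and the sample version strings are assumptions made for illustration.

```php
<?php
// Added example: function names and version strings are constructed.

// Argument order as quoted from the class: is 5.1.0 >= the running version?
function reversedCheck($running)
{
    return version_compare('5.1.0', $running, '>=');
}

// Argument order from the proposed fix: is the running version >= 5.1.0?
function correctedCheck($running)
{
    return version_compare($running, '5.1.0', '>=');
}

// Hypothetical wrapper: regenerate the ID and, where the optional
// parameter is supported (PHP >= 5.1.0), delete the old session data so
// the previous ID cannot be reused.
function regenerateSessionId()
{
    if (session_id() === '') {
        return false; // no active session to regenerate
    }
    if (correctedCheck(phpversion())) {
        return session_regenerate_id(true);
    }
    return session_regenerate_id();
}

// Print what each check decides for the constructed sample versions.
foreach (array('5.0.5', '5.1.0', '5.1.1', '5.3.2') as $v) {
    printf(
        "%-6s reversed=%-5s corrected=%s\n",
        $v,
        var_export(reversedCheck($v), true),
        var_export(correctedCheck($v), true)
    );
}
```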