On 8/11/05, David Mintz <dmintz at davidmintz.org> wrote:
> On Thu, 11 Aug 2005, Brian O'Connor wrote:
>
> > So what you're saying is if I see a "?PHPSESSID=xxxxxxxxxxxx" in the URL of
> > my site, then it is vulnerable?
>
> Yeah.

Not to mention that if someone bookmarks the page, the session id will get stored in the user's bookmark URL!
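
An added example, not part of the original thread: a PHP check for the two session settings that let the id travel in the URL, plus a helper that removes the id from a link that has already been bookmarked or shared. The function names are hypothetical and the session name is assumed to be the default `PHPSESSID`.

```php
<?php
// Added example (not from the thread). Helper names are hypothetical;
// the session name is assumed to be the default, PHPSESSID.

/** List the settings in $ini that allow a session id to appear in URLs. */
function url_session_findings(array $ini): array
{
    $findings = [];
    // Off means PHP will accept a session id supplied in the query string.
    if (!filter_var($ini['session.use_only_cookies'] ?? '1', FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'session.use_only_cookies is off: ids from the URL are accepted';
    }
    // On means PHP rewrites links to carry the id when no cookie is present.
    if (filter_var($ini['session.use_trans_sid'] ?? '0', FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'session.use_trans_sid is on: PHP appends the id to links';
    }
    return $findings;
}

/** Remove the session-id parameter from a request URI, keeping the rest. */
function strip_session_param(string $requestUri, string $name = 'PHPSESSID'): string
{
    $pos = strpos($requestUri, '?');
    if ($pos === false) {
        return $requestUri;              // no query string, nothing to strip
    }
    $path = substr($requestUri, 0, $pos);
    $kept = [];
    foreach (explode('&', substr($requestUri, $pos + 1)) as $pair) {
        $key = urldecode(explode('=', $pair, 2)[0]);
        if ($pair !== '' && $key !== $name) {
            $kept[] = $pair;             // keep the original encoding untouched
        }
    }
    return $kept ? $path . '?' . implode('&', $kept) : $path;
}

// Settings of the running interpreter.
print_r(url_session_findings([
    'session.use_only_cookies' => ini_get('session.use_only_cookies'),
    'session.use_trans_sid'    => ini_get('session.use_trans_sid'),
]));

// Constructed weak configuration and a constructed bookmarked link.
print_r(url_session_findings(['session.use_only_cookies' => '0', 'session.use_trans_sid' => '1']));
echo strip_session_param('/cart.php?item=3&PHPSESSID=xxxxxxxxxxxx'), "\n";
```

With `session.use_only_cookies` on and `session.use_trans_sid` off, the first call returns an empty list; a front controller can redirect to the stripped URI so old bookmarks stop carrying the id.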