Added protection for the long versions of the superglobals, so that they can no longer be overwritten through HTTP headers
Added a session identifier validation hook to the session extension
Added a session.use_strict_mode flag to the configuration that enables strict handling of the session identifier (enabled by default)
Added two optional parameters to session_set_save_handler() to give user space session handlers the chance to override session identifier creation and validation
Added a default session identifier validator that only accepts a limited charset and therefore protects against several attacks through the session identifier (e.g. SQL injection in user space session handlers, ...).
Added an optional parameter to session_regenerate_id() that allows deletion of the previous session (this is a backport from PHP 5.1.0)
Added a workaround for a GCC bug that caused crashes with Solaris 10 on SPARCs
Fixed a thread safety problem that caused the 'linked list canary overwritten' messages when running in a multithreaded SAPI
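The default session identifier validator entry above describes a charset restriction that keeps hostile identifiers away from user space session handlers. The following is an added example of that idea, not code from the patch: the function names, the `sessions` table, the 128-character limit and the exact charset (the characters PHP's stock ID generator can emit) are assumptions.

```php
<?php
// Added illustration, not code from the Hardening-Patch.
// Assumption: allowed charset = what PHP's stock ID generator can emit.
function is_valid_session_id(string $id): bool
{
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    return preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $id) === 1;
}

// Hypothetical user-space read handler backed by a "sessions" table.
function read_session(PDO $db, string $id): string
{
    if (!is_valid_session_id($id)) {
        return '';                       // rejected before it reaches storage
    }
    // Defense in depth: bind the ID instead of concatenating it.
    $stmt = $db->prepare('SELECT data FROM sessions WHERE id = ?');
    $stmt->execute([$id]);
    $data = $stmt->fetchColumn();
    return $data === false ? '' : (string) $data;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT)');
$db->exec("INSERT INTO sessions VALUES ('abc123', 'user=alice')");

// Constructed sample identifiers, as a client could send them in a cookie.
$samples = [
    'well-formed'      => 'abc123',
    'SQL metachars'    => "abc123' OR '1'='1",
    'trailing newline' => "abc123\n",
    'empty'            => '',
    'overlong'         => str_repeat('a', 200),
];
foreach ($samples as $label => $id) {
    printf("%-17s valid=%-5s data=%s\n", $label,
        var_export(is_valid_session_id($id), true),
        json_encode(read_session($db, $id)));
}
```

Only the well-formed identifier reaches the query; every other sample is rejected by the validator and read as an empty session.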