PS: Why does PHP.net always release security fixes just before the weekend?
UPDATE: Antony Dogval from Zend meanwhile wrote a blog entry where he comments on this blog entry. He claims that I did not tell the PHP developers how to fix the issue. I love it how members of the PHP development team that do not receive the mails to email@example.com try to convince the world that I never sent those mails. I wrote atleast 2 times in the conversation about the described bug that the problem is because the session id is not encoded. I am not the php.net babysitter. I repeated myself and got ignored, I am not begging PHP.net to listen to reason.