Closed
Description
The session handler does not check if a session id is valid. It just silently creates a session for non-existent ids. This allows for session fixation attacks.
See also https://www.owasp.org/index.php/Session_fixation and http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
skolodyazhnyy
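To make the reported behaviour concrete, here is a small added model of a server-side session handler, written for this page and not taken from the project in question. It is Python rather than PHP, and the `SessionStore` class, its `strict` flag and the `fixation_scenario` check are assumptions of the example. With `strict=False` it does what the issue describes: any id the client presents is accepted and a session is silently created for it. With `strict=True` it mirrors what PHP's `session.use_strict_mode` enforces: ids the server never issued are rejected and a fresh id is generated instead, which is the check that defeats fixation.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Minimal in-memory session handler (illustrative, not the project's code).

    strict=False: an unknown client-supplied id is accepted and a session is
                  created under it (the behaviour reported in the issue).
    strict=True : an unknown id is rejected and a server-generated id is
                  issued instead (the equivalent of session.use_strict_mode).
    """

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self._sessions: Dict[str, Dict[str, str]] = {}

    def _new_id(self) -> str:
        # 128 bits from the OS CSPRNG; never derived from client input.
        return secrets.token_hex(16)

    def open(self, client_sid: Optional[str]) -> str:
        """Open the session for a request and return the effective session id."""
        if client_sid is not None and client_sid in self._sessions:
            return client_sid                      # known id: resume it
        if client_sid is not None and not self.strict:
            self._sessions[client_sid] = {}        # lax: adopt the client's id
            return client_sid
        sid = self._new_id()                       # strict (or no cookie): issue a new id
        self._sessions[sid] = {}
        return sid

    def login(self, sid: str, user: str) -> None:
        self._sessions[sid]["user"] = user

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid, {}).get("user")


def fixation_scenario(store: SessionStore) -> bool:
    """Return True if a pre-chosen id ends up bound to an authenticated session.

    The id below is a constructed value standing in for one that was never
    issued by the server but arrives in the victim's session cookie.
    """
    planted = "a" * 32
    victim_sid = store.open(planted)       # victim's request carries the planted id
    store.login(victim_sid, "victim")      # victim authenticates in whatever session was opened
    return store.user_for(planted) == "victim"


if __name__ == "__main__":
    print("lax handler, fixation possible:   ", fixation_scenario(SessionStore(strict=False)))
    print("strict handler, fixation possible:", fixation_scenario(SessionStore(strict=True)))
```

In the lax store the planted id becomes the victim's authenticated session; in the strict store `open()` discards it and the login lands in a server-issued session the planted id does not resolve to. A real handler should apply the same rule on every request, and additionally rotate the id on login, as the linked OWASP page recommends.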