Christopher Kunz has a new post today on his blog with a look at "strict session handling in PHP".
A small patch against PHP's ext/session and ext/sqlite adds two new save-handler callbacks, one to validate a session ID presented by the client and one to create a fresh ID, along with a php.ini setting that switches the stricter behaviour on.
PHP has a permissive session system. This was decided way before I came into the PHP world (I guess in preparation for 4.0), and the reasons for this decision are kinda lost in transit. However, with a small patch by Hardened-PHP Project buddy Stefan Esser, this might now change.
With the default, permissive behaviour PHP accepts whatever session ID the client presents and simply starts a session under it if none exists, which is exactly what makes session fixation (spoofing a session via a planted SID) possible. The new setting would close that hole by rejecting IDs the server never issued, and since an attacker-chosen SID would no longer reach the save handler or the page unchecked, it also removes a vector for the other problems the post mentions (SQL injections, XSS attacks, etc.). You can check out more on the Hardened-PHP page...
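As an added illustration (this is not code from the post, the patch, or the Hardened-PHP project), the script below shows the permissive versus strict behaviour using the form the idea later took in mainline PHP: the session.use_strict_mode ini setting plus a save handler that implements validateId() and create_sid(). It assumes PHP 7.4 or newer run from the command line; the in-memory store, the trace output and the attacker's session ID are constructed for the demo and stand in for a real files or database backend.

```php
<?php
// Added example: an in-memory session store whose validateId()/create_sid()
// callbacks are only consulted when session.use_strict_mode=1.
// Run twice:  php strict_session_demo.php 0   (permissive, PHP's old default)
//             php strict_session_demo.php 1   (strict)

final class MemorySessionHandler implements
    SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string,string> id => serialized session data (constructed stand-in for files/DB) */
    public array $store = [];
    /** @var string[] record of the callbacks PHP invoked, so the difference is visible */
    public array $trace = [];

    public function open(string $path, string $name): bool { $this->trace[] = 'open'; return true; }
    public function close(): bool { $this->trace[] = 'close'; return true; }

    // Permissive mode: PHP calls read() with whatever ID the client supplied and
    // treats an empty result as a brand-new session living under that ID.
    public function read(string $id): string
    {
        $this->trace[] = "read($id)";
        return $this->store[$id] ?? '';
    }

    public function write(string $id, string $data): bool
    {
        $this->trace[] = "write($id)";
        $this->store[$id] = $data;
        return true;
    }

    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int { return 0; }

    // Strict-mode hook 1: is this an ID the server itself handed out earlier?
    public function validateId(string $id): bool
    {
        $known = array_key_exists($id, $this->store);
        $this->trace[] = "validateId($id) => " . ($known ? 'known' : 'UNKNOWN, rejected');
        return $known;
    }

    // Strict-mode hook 2: mint an unguessable ID when validateId() says no.
    public function create_sid(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->trace[] = "create_sid() => $id";
        return $id;
    }

    public function updateTimestamp(string $id, string $data): bool { return $this->write($id, $data); }
}

$strict = (int) ($argv[1] ?? 1) === 1;
// Constructed attacker-chosen ID, e.g. planted through ?PHPSESSID=... or an injected cookie.
$attackerId = 'deadbeefdeadbeefdeadbeefdeadbeef';

$handler = new MemorySessionHandler();
session_set_save_handler($handler, true);
ini_set('session.use_strict_mode', $strict ? '1' : '0');
ini_set('session.use_cookies', '0');     // CLI demo: keep Set-Cookie plumbing out of the way
ini_set('session.use_trans_sid', '0');
ini_set('session.cache_limiter', '');
ini_set('session.gc_probability', '0');

session_id($attackerId);                 // the ID the client presented
session_start();
$_SESSION['user'] = 'victim';            // the victim now logs in
$finalId = session_id();
session_write_close();

printf("strict_mode=%d\n", $strict ? 1 : 0);
foreach ($handler->trace as $step) {
    echo "  $step\n";
}
printf("session was stored under: %s\n", $finalId);
printf("attacker's ID is now a logged-in session? %s\n",
    isset($handler->store[$attackerId]) ? 'YES (session fixation)' : 'no');
```

In permissive mode the trace is open, read(attacker ID), write(attacker ID), close: the ID the attacker planted becomes the victim's authenticated session. In strict mode PHP first calls validateId() on the presented ID, gets a rejection, calls create_sid() and only then reads and writes under the server-issued ID, so the attacker's ID never becomes valid. The same validation is what keeps an arbitrary, attacker-shaped SID string from reaching a SQL-backed save handler or the page output unchecked.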