Marek Kilimajer wrote:
Jason Barnett wrote:
Valter Toffolo wrote:
OK, I have one server with a single domain; each user has its home with a public_html, so I get mydomain.com/~user1/ and mydomain.com/~user2/ and so on. But each user might like to use sessions, so how can I make it work so that sessions would each have their own variables and all?
Thanks, Valter.
What is the problem? If you have session support set in PHP then each user should be able to session_start etc. The default session handler that comes with PHP will allow each user to have their own session variables (technically they're indices in the $_SESSION superglobal array).
Please check the PHP manual to see how to set up session support if that's what you're confused about.
The problem is with cookies being common for all user directories.
You'll have to be more specific than this.
Are you worried about: 1) Cookie filename collision, so two users criss-cross cookies?
No
2) Cookie security, so user1 can read user2's cookie files
Something like above, but cookies are not files as I'm sure you know ;) (though they are stored somewhere, this is just implementation).
3) Malicious user2 filling up everybody's /tmp dir with zillion cookie files
#1 is a non-problem, almost for sure. I don't think the OS+PHP will *ever* let your cookie files share a common name.
#2 separating them into different directories is not a whole lot of help... If I know his cookie files are in ~/user2 and follow the same naming conventions as the ones in my ~/user1 directory, I can still read them.
I'm talking about COOKIE PATH - the Path parameter of the Set-Cookie header. What user1 should do in order to separate his cookies and sessions from other users is to give them a different cookie path:
session_set_cookie_params(0, '/~user1/'); session_start();
But malicious "evil" can do:
session_set_cookie_params(2147483647, '/~victim/'); session_start();
Then write a script that will periodically check http://server/~victim/?SESSIONID=' . $stored_session_id if it displays Hello Richard (or any other sign of being logged in, e.g. a log off link) and the session is hijacked.
#3 also separating the cookies is no help -- A full drive is a full drive. Unless you are doing a low-level partition separate for each user.
No
Each user should use session_set_cookie_params() to set the cookie path to its own directory. And use of session_regenerate_id() is a must, else user1 can set the cookie path to /~user2/ with lifetime till 2038 and...
And what?
Until we know what it is you think you're trying to "solve" we can't advise you.
unique session for each user directory (/~user) and SECURITY. I think this was the concern of the OP.
So far, all we've got is a stated desire to segregate cookie files for no apparent reason.
I'm sure it's perfectly clear to you why you want this, but nobody else is getting it.
I hope everyone gets me now.
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
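
The two measures named in the thread (a per-directory cookie path and session_regenerate_id()), as an added example that is not code from any of the posters. The function names, the save path and the cookie-only/strict-mode settings are assumptions added for illustration; '/~user1/' and 'Richard' are taken from the thread.

```php
<?php
// Added example, not from the thread. Function names and the save path are
// hypothetical; '/~user1/' is the cookie path used in the thread.
declare(strict_types=1);

const APP_COOKIE_PATH = '/~user1/';

function start_app_session(string $savePath): void
{
    // Take the session id from the cookie only, never from the query string
    // (the ?SESSIONID=... style of URL shown in the thread).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids for which no session exists on the server.
    ini_set('session.use_strict_mode', '1');
    // Assumption: a directory that only this account can read, rather than
    // a session directory shared by every user on the host.
    session_save_path($savePath);
    // Lifetime 0 = cookie ends with the browser session; the Path attribute
    // limits it to this user's directory.
    session_set_cookie_params(0, APP_COOKIE_PATH);
    session_start();
}

function log_in(string $username): void
{
    // Issue a fresh id at login. Passing true deletes the old session data,
    // so an id that was set or learned before login maps to nothing.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// Constructed path; the directory must exist and be writable by the script.
start_app_session('/home/user1/sessions');

if (!isset($_SESSION['user'])) {
    // Stands in for a successful credential check.
    log_in('Richard');
}

echo 'Hello ', htmlspecialchars($_SESSION['user']), "\n";
```

The Path attribute only controls which requests the browser attaches the cookie to; every script on the host can still set a cookie for any path, which is why the id has to be regenerated at login.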