Re: Session contamination?

Hi Dave,

After a bit more research, I think I understand why Jochem recommends
use of session_save_path() rather than just naming each session
differently. The former method provides more security as you can set
the location where session cookies are stored. This will help prevent
an attacker from gaining access to session information and then using
it to gain inappropriate access to the application the session was
created for or even other applications running on the same shared
server. Anyway, I think that's why.

- Ben

On 4/20/06, Dave Goodchild <buddhamagnet@xxxxxxxxx> wrote:
> Let me know how you get on. I have encountered the session leakage issue
> before also and it scared the willies out of me.
>
>
> On 20/04/06, Ben Liu <blzabub8@xxxxxxxxx> wrote:
> > Hi Dave,
> >
> > Thanks, I think the method recommended by Robin using the function
> > ini_set() would work, but somehow I think this could be done in
> > simpler fashion by setting separate session names for each app, unless
> > I am misunderstanding the use of session_name(). Trying this out
> > now...
> >
> > - Ben
> >
> > On 4/20/06, Dave Goodchild <buddhamagnet@xxxxxxxxx> wrote:
> > > You can use ini_set to alter this value locally (until the script exits)
> > > in the script itself, which saves having to use a separate ini file if
> > > that is the only value you want to change.
> > >
> > >
> > > On 20/04/06, Ben Liu <blzabub8@xxxxxxxxx> wrote:
> > >
> > > Thanks for the response Robin, I'm reading up on session.cookie_path
> > > now. It seems that this would require creating separate php.ini files
> > > for each application.
> > >
> > > On 4/20/06, Robin Vickery <robinv@xxxxxxxxx> wrote:
> > > > On 20/04/06, Ben Liu <blzabub8@xxxxxxxxx> wrote:
> > > > > Hello All,
> > > > >
> > > > > I'm using a single development server to host multiple client
> > > > > projects, many of which require session management. I've noticed
> > > > > that sometimes when I test these various web apps (which are simply
> > > > > in separate sub directories) I get session leakage where logging in
> > > > > and establishing a session on one app allows me access (automatically
> > > > > logs me in) to other app(s) on the same server. Or sometimes a
> > > > > session variable will be set across all the apps, like
> > > > > $_SESSION['username'].
> > > > >
> > > > > Is this due to the fact that sessions are established between client
> > > > > browsers and servers, regardless of directory/sub directory?
> > > >
> > > > Yes - that's the default behaviour, although if you set
> > > > session.cookie_path separately for each app, they shouldn't share
> > > > session cookies. You might also want to look at session.save_path
> > > > which will allow each app to save their session files in a different
> > > > location.
> > > >
> > > >   -robin
> > > >
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> > >
> > >
> > >
> > > --
> > > http://www.web-buddha.co.uk
> > > dynamic web programming from Reigate, Surrey UK
> > >
> > > look out for project karma, our new venture, coming soon!
> >
>
>
>
> --
>
> http://www.web-buddha.co.uk
> dynamic web programming from Reigate, Surrey UK
>
> look out for project karma, our new venture, coming soon!

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
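As an added example (not code from anyone in this thread), here is how the three fixes discussed above, session_name(), session.cookie_path and session_save_path(), combine so that one app's session cannot leak into another app on the same server. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and that /var/lib/php/sessions/<app> (an assumed location outside the document root) can be created by the web server user.

```php
<?php
declare(strict_types=1);

// Start a session that is isolated to a single app on a shared host.
// $appName is a label unique to the app; $appUrlPath is its URL prefix
// (e.g. '/clientA'). Both are assumed values chosen per deployment.
function startIsolatedSession(string $appName, string $appUrlPath): void
{
    // 1. Distinct cookie name per app, so two apps never read the same cookie.
    session_name('SESS_' . preg_replace('/[^A-Za-z0-9]/', '', $appName));

    // 2. Scope the cookie to this app's URL prefix (the same effect as
    //    ini_set('session.cookie_path', ...)): the browser will not send it
    //    to /other-app/, so a login here does not carry over there.
    session_set_cookie_params([
        'path'     => rtrim($appUrlPath, '/') . '/',
        'httponly' => true,
        'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);

    // 3. Separate on-disk store per app, outside the web root, so another
    //    app's code cannot read this app's session files. Refuse to run if
    //    the directory is readable by group or others.
    $dir = '/var/lib/php/sessions/' . basename($appName);   // assumed path
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    if ((fileperms($dir) & 0077) !== 0) {
        throw new RuntimeException("session directory $dir is not private");
    }
    session_save_path($dir);

    ini_set('session.use_strict_mode', '1');  // reject uninitialised IDs
    ini_set('session.use_only_cookies', '1'); // never accept IDs from URLs

    if (!session_start()) {
        throw new RuntimeException('session_start() failed');
    }
}

// Usage from /clientA/index.php: each app calls this with its own values,
// after which $_SESSION['username'] set here is invisible to /clientB/.
startIsolatedSession('clientA', '/clientA');
$_SESSION['username'] = $_SESSION['username'] ?? 'anonymous';
```

The permission check matters on a shared box: if the save directory is world-readable, separating paths alone does not stop another account on the same server from reading the session files.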