Re: Re: Session contamination?

Hi Chuck,

Glad this discussion has been of use to you. I can't help much with where your /tmp directory might be. If you echo session_save_path() it should tell you where your session cookies are being saved to on your server.

I have read recommendations that you set a different path for the cookies using session_save_path(), and yes they recommend some place within your home directory structure. The problem this creates is in garbage collection. The standard *nix cron jobs will clear everything out of /tmp on a regular basis whereas some directory you create will not be subject to this regular housekeeping unless you write some script to do it or create a custom cron job.

My interpretation of managing this problem, at this point is:

If you are on a shared server and have an application or applications that have sensitive data and require an adequate level of security, you should move the session cookies somewhere away from /tmp and deal with the garbage collection issues. Alternatively, perhaps you shouldn't be using shared hosting, or you could encrypt the session cookies somehow.

If you are on a shared server and don't have sensitive data, changing the session name should be enough to prevent cross-contamination of session variables.

I'm still reading/learning so if I'm wrong, someone else please jump in.

- Ben

On Apr 21, 2006, at 12:05 AM, Chuck Anderson wrote:

This has been a very interesting discussion, as I have had the same "problem," but never thought much about the fact that I could do anything about it.

As to session save path, when I run phpinfo (at my remote Linux server) it tells me that it is set to "no value." This means it would default to /tmp. Where is this tmp directory? I have looked at the tmp directory that is one level above my site's www directory (outside of the web space), but I do not see any session data there. That's why I am asking if it is a system wide directory, or is it the one in my home directory.

If I set the path myself, what would be a good location? (I assume it should be outside the web space). Should I make up some random folder name (one time) and store my session data within that directory, within my own home directory?

Ben Liu wrote:

Hello All,

I'm using a single development server to host multiple client
projects, many of which require session management. I've noticed that
sometimes when I test these various web apps (which are simply in
separate sub directories) I get session leakage where logging in and
establishing a session on one app allows me access to (automatically
logs me in) to other app(s) on the same server. Or sometimes a session
variable will be set across all the apps, like $_SESSION['username'].

Is this due to the fact that sessions are established between client
browsers and servers, regardless of directory/sub directory?

What is the best way to avoid/prevent this problem? Should I be using
specific Session IDs or Session names?

Thanks for any help,

- Ben



--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Integrity is obvious.
The lack of it is common.
*****************************

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
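The two measures the thread converges on (a per-application session_name so one app's cookie is never read as another app's session id, and a private session_save_path outside /tmp and outside the web root, with your own housekeeping for the files that land there) can be put together in one bootstrap function. The code below is an added illustration written for this archive page; it is not code posted by Ben or Chuck. The application id, the base directory under the account's home, and the front-controller usage at the bottom are assumptions. It also scopes the cookie path to the app's URL prefix and sets the standard PHP hardening ini values (session.use_only_cookies, session.use_strict_mode, session.gc_maxlifetime), which are real PHP settings; note that PHP also runs its own probabilistic garbage collector on session_start() according to session.gc_probability and session.gc_divisor, so the explicit cleanup function is a belt-and-braces step for hosts that disable that.

```php
<?php
// Added example (not from the mailing-list thread): isolate each
// application's sessions on a shared host.
// Assumptions: $appId is a short identifier chosen per application and
// $baseDir is a directory under the account's home that is NOT served
// by the web server.
function app_session_start(string $appId, string $baseDir, int $maxLifetime = 1440): void
{
    // One save directory per application, outside /tmp and the web space,
    // readable only by this account so other tenants cannot read session files.
    $savePath = rtrim($baseDir, '/') . '/sessions/' . $appId;
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true) && !is_dir($savePath)) {
        throw new RuntimeException("cannot create session directory: $savePath");
    }
    chmod($savePath, 0700);
    session_save_path($savePath);

    // A distinct cookie name per app: a PHPSESSID cookie issued by another
    // app in a sibling directory is then simply ignored here.
    session_name('SESS_' . preg_replace('/[^A-Za-z0-9]/', '', $appId));

    // Scope the cookie to this app's URL prefix (assumed to be /<appId>/),
    // send it only over HTTPS when the request arrived that way, and keep
    // it out of reach of client-side script.
    $cookiePath = '/' . $appId . '/';
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, $cookiePath, '', $secure, true);

    // Accept session ids from cookies only, reject ids the server never
    // issued, and tell PHP's collector when a file counts as stale.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.gc_maxlifetime', (string) $maxLifetime);

    session_start();
}

// Housekeeping for the custom directory, the issue Ben raises: /tmp is
// swept by the system, a private directory is not. Remove session files
// not touched within $maxLifetime seconds and return how many were removed.
// Intended to be run from a per-account cron job (assumed command:
// php /home/acct/bin/gc.php).
function app_session_gc(string $savePath, int $maxLifetime = 1440): int
{
    $removed = 0;
    $cutoff = time() - $maxLifetime;
    foreach (glob($savePath . '/sess_*') ?: [] as $file) {
        if (is_file($file) && filemtime($file) < $cutoff && unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}

// Usage in each app's front controller (paths and ids are assumptions):
// app_session_start('clientA', '/home/acct/private');
// $_SESSION['username'] is now tied to clientA's own cookie and save directory.
//
// Usage from the cron job:
// app_session_gc('/home/acct/private/sessions/clientA');
```

With this in place, logging in to one app no longer logs you in to its neighbours: the cookie carries a different name and a different path, and even a copied session id would point at a directory the other app never reads.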
