Posted by Marek Kilimajer on 01/20/05 15:32
Richard Lynch wrote:
> Marek Kilimajer wrote:
>
>>Jason Barnett wrote:
>>
>>>Valter Toffolo wrote:
>>>
>>>
>>>>ok i have one server with a single domain, each user have it's home
>>>>with a public_html so i get mydomain.com/~user1/ and
>>>>mydomain.com/~user2/ and so on. but each user might like to use
>>>>sessions so how can i make it work so that sessions would have each
>>>>one it's own variables and all...??
>>>>
>>>>thanks, valter.
>>>
>>>
>>>What is the problem? If you have session support set in PHP then each
>>>user should be able to session_start etc. The default session handler
>>>that comes with PHP will allow each user to have their own session
>>>variables (technically they're indices in the $_SESSION superglobal
>>>array).
>>>
>>>Please check the PHP manual to see how to set up session support if
>>>that's what you're confused about.
>>>
>>
>>The problem is with cookies being common for all user directories.
>
>
> You'll have to be more specific than this.
>
> Are you worried about:
> 1) Cookie filename collision, so two users criss-cross cookies?
No
> 2) Cookie security, so user1 can read user2's cookie files
Something like above, but cookies are not files as I'm sure you know ;)
(though they are stored somewhere, this is just implementation).
> 3) Malicious user2 filling up everybody's /tmp dir with zillion cookie files
>
> #1 is a non-problem, almost for sure. I don't think the OS+PHP will
> *ever* let your cookie files share a common name
>
> #2 separating them into different directories is not a whole lot of
> help... If I know his cookie files are in ~/user2 and follow the same
> naming conventions as the ones in my ~/user1 directory, I can still read
> them.
I'm talking about COOKIE PATH - the Path parameter of the Set-Cookie header.
What user1 should do in order to separate his cookies and sessions from
other users is to give them a different cookie path:
session_set_cookie_params(0, '/~user1/');
session_start();
But a malicious "evil" can do:
session_set_cookie_params(2147483647, '/~victim/');
session_start();
Then write a script that will periodically check
http://server/~victim/?SESSIONID=' . $stored_session_id to see if it displays
Hello Richard (or any other sign of being logged in, e.g. a log-off link),
and the session is hijacked.
>
> #3 also separating the cookies is no help -- A full drive is a full drive.
> Unless you are doing a low-level partition separate for each user.
>
No
>
>>Each user should use session_set_cookie_params() to set the cookie path
>>to its own directory. And use of session_regenerate_id() is a must, else
>>user1 can set the cookie path to /~user2/ with lifetime till 2038 and...
>
>
> And what?
>
> Until we know what it is you think you're trying to "solve" we can't
> advise you.
A unique session for each user directory (/~user) and SECURITY. I think
this was the concern of the OP.
>
> So far, all we've got is a stated desire to segregate cookie files for no
> apparent reason.
>
> I'm sure it's perfectly clear to you why you want this, but nobody else is
> getting it.
I hope everyone gets me now.
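The per-directory session setup Marek describes, written out as an added example (not code from the thread): the cookie is scoped to the user's own path, session ids may only come from cookies (so a ?SESSIONID= URL is ignored), and a session this script did not itself create gets a fresh id, which is what defeats the pre-set cookie trick above. Assumes PHP 5.2+ for the httponly argument; the user name and path are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes PHP 5.2+
// (session_set_cookie_params() with the httponly argument and
// session_regenerate_id(true)). 'user1' and '/~user1/' are placeholders.

$user_path = '/~user1/';

// Scope the session cookie to this user's directory only and mark it
// HttpOnly. The browser only sends it to URLs under this Path.
session_set_cookie_params(0, $user_path, '', false, true);

// A distinct cookie name per directory (assumption: one name per user)
// keeps the cookies of /~user1/ and /~user2/ from overwriting each other.
session_name('SESS_user1');

// Accept session ids from our cookie only: an id passed in the URL, as in
// the ?SESSIONID=... polling described above, is not honoured.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

session_start();

// Fixation defence: a session without our own 'initiated' marker was not
// started by this script (e.g. an id planted via a cookie with path
// /~user1/ set from another directory). Replace the id and drop the old
// session data so a stored id is useless to whoever planted it.
if (empty($_SESSION['initiated'])) {
    session_regenerate_id(true);
    $_SESSION = array();
    $_SESSION['initiated'] = true;
    $_SESSION['bound_path'] = $user_path;
}

// Reject a session that was bound to a different user directory.
if ($_SESSION['bound_path'] !== $user_path) {
    $_SESSION = array();
    session_destroy();
    exit('Session belongs to a different user directory.');
}

// From here on $_SESSION is private to /~user1/ visitors.
```

Regenerate the id again at login (session_regenerate_id(true) after the credential check) so that a session started before authentication never carries its id into the logged-in state.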