Posted by C. on 09/25/06 13:06
1) PHP sessions aren't really intended to be left open indefinitely.
Apart from anything else, it's something of a security risk. The fact
that PHP will create a session when the one asked for does not exist
is, in itself, a major security problem (see the links to session
fixation from the PHP site).
If exclusivity is the objective then this should be implemented using a
server-side mutex.
forje wrote:
> Gordon Burditt wrote:
>
> > Poking around the session save files of other sessions is a
> > possibility, but direct use of a database is probably more efficient
> > and less likely to cause trouble with two near-simultaneous login
> > attempts from different places.
> It's hard to have access to all session files from a particular session.
> How would you do that?
Write your own session handling functions which:
1) create a mutex and link the session to it if the session relates to
an exclusive process, and the mutex is not currently in use, or the
mutex is associated with an expired session.
2) when removing a session, unlink and close any corresponding mutex.
Of course (1) above assumes that any session has (at least) limited
visibility of other sessions - which in itself is a security problem.
However it would be really quite difficult to build a session handler
where this was not the case, and every one I've seen does not address
this.
HTH
C.
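An added example (not code from C.'s post) of the two steps described above: a custom PHP session handler whose sessions can claim a server-side mutex for an "exclusive" resource (here an account id), releasing it when the session is destroyed or garbage-collected, and rejecting a claim only while another live, unexpired session holds it. Directory paths, the `sess_<id>` / `.mutex` file naming, the JSON lock format and the `$accountId` variable are assumptions for illustration; it requires PHP 8.1+ for the typed handler methods.

```php
<?php
// Added example, not from the original post. Mutex = one lock file per
// exclusive key, holding {sid, expires}; flock() only guards the short
// check-and-set, so the claim survives across requests.
declare(strict_types=1);

final class ExclusiveSessionHandler implements SessionHandlerInterface
{
    public function __construct(
        private string $sessDir,   // session data: <sessDir>/sess_<id>  (assumed layout)
        private string $lockDir,   // one lock file per exclusive key     (assumed layout)
        private int $maxLifetime,  // seconds; keep equal to session.gc_maxlifetime
    ) {}

    private function sessFile(string $id): string
    {
        // Never let a client-supplied id reach the filesystem unvalidated.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new InvalidArgumentException('bad session id');
        }
        return $this->sessDir . '/sess_' . $id;
    }

    private function lockFile(string $key): string
    {
        return $this->lockDir . '/' . hash('sha256', $key) . '.lock'; // key never used as a path
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $f = $this->sessFile($id);
        return is_file($f) ? (string) file_get_contents($f) : '';
    }

    public function write(string $id, string $data): bool
    {
        return file_put_contents($this->sessFile($id), $data, LOCK_EX) !== false;
    }

    // Step (2): removing a session unlinks any mutex it holds.
    public function destroy(string $id): bool
    {
        $f = $this->sessFile($id);
        $this->release($id);
        return !is_file($f) || unlink($f);
    }

    public function gc(int $max_lifetime): int|false
    {
        $n = 0;
        foreach (glob($this->sessDir . '/sess_*') ?: [] as $f) {
            if (str_ends_with($f, '.mutex')) { continue; }        // sidecar, handled by destroy()
            if (filemtime($f) < time() - $max_lifetime) {
                $this->destroy(substr(basename($f), 5));
                $n++;
            }
        }
        return $n;
    }

    // Step (1): claim the mutex for $key on behalf of session $id. Succeeds if
    // the mutex is free, already ours, or held by an expired/removed session.
    public function acquire(string $key, string $id): bool
    {
        $fh = fopen($this->lockFile($key), 'c+');
        if ($fh === false || !flock($fh, LOCK_EX)) { return false; }
        try {
            $cur    = json_decode((string) stream_get_contents($fh), true) ?: [];
            $holder = $cur['sid'] ?? null;
            $free   = $holder === null
                || $holder === $id
                || ($cur['expires'] ?? 0) < time()
                || !is_file($this->sessFile($holder));
            if (!$free) { return false; }                          // another live session owns it
            ftruncate($fh, 0); rewind($fh);
            fwrite($fh, json_encode(['sid' => $id, 'expires' => time() + $this->maxLifetime]));
            fflush($fh);
            // Remember which mutex this session holds so destroy() can release it.
            file_put_contents($this->sessFile($id) . '.mutex', $key, LOCK_EX);
            return true;
        } finally {
            flock($fh, LOCK_UN); fclose($fh);
        }
    }

    private function release(string $id): void
    {
        $m = $this->sessFile($id) . '.mutex';
        if (!is_file($m)) { return; }
        $fh = fopen($this->lockFile((string) file_get_contents($m)), 'c+');
        if ($fh !== false && flock($fh, LOCK_EX)) {
            $cur = json_decode((string) stream_get_contents($fh), true) ?: [];
            if (($cur['sid'] ?? null) === $id) { ftruncate($fh, 0); } // only the holder may release
            flock($fh, LOCK_UN); fclose($fh);
        }
        unlink($m);
    }
}

// Wiring. use_strict_mode makes PHP refuse a client-supplied id it did not
// issue instead of creating a session for it (the fixation point above).
ini_set('session.use_strict_mode', '1');
$handler = new ExclusiveSessionHandler('/var/lib/php/sessions', '/var/lib/php/locks', 1440);
session_set_save_handler($handler, true);
session_start();
// After authenticating account $accountId (assumed to be set by the login code):
//   session_regenerate_id(true);
//   if (!$handler->acquire('account:' . $accountId, session_id())) { /* already logged in elsewhere */ }
```

Because the lock expiry is stamped at claim time, a long-lived session should call `acquire()` again on each request (it succeeds for the current holder and refreshes the timestamp); otherwise the mutex becomes reclaimable after `$maxLifetime` seconds even while the session is active. Note the handler only needs to know whether the holder's session file still exists, which is the "limited visibility of other sessions" the post mentions; it never reads another session's data.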