Re: sessions and domain names

Posted by readme on 11/01/06 11:58

In article <ksrbk29ie6kcjoakvc5h6do93bqgd9vsbv@4ax.com>, andy@andyh.co.uk
says...
> What do you suggest as the solution? That all session cookies should have
> their domain set to the TLD of the host issuing them? Then you end up with the
> sessions leaking across domains, which is much worse.
>

You seem confused as to what PHP uses to track sessions. And the
difference between a host and a domain. PHP is using hosts, at least it
calls it a host in PHPSESSID, perhaps it should just use domains?



I suggest you all stop trying to disguise the massive bug in PHP.

The simple fact is - If you connect to a web site PHP will generate 2
different answers to the question "what is the name of the host I am now
connected to?"

It doesn't matter how it's configured or what it's called - PHP should not
generate 2 sessions under any circumstances. THAT is the bug - it does -
every time the situation (which is now commonplace) occurs.

This is the reason the originator of this thread has a problem.

That is a bug. A serious bug. It isn't, as mentioned by someone elsewhere,
a difficult concept.

The entire and sole purpose of a session is to enable tracking of a user
during that session. PHP generates 2 sessions thereby preventing this.
PHP is broke.

You can waffle on all you like but the bug is there - it's hard, it's
simple to reproduce, it's in every release of PHP, it causes lost data on
web sites and faults the average implementer has difficulty tracking
down, it confuses log on procedures thereby reducing site security, and
it's all because PHP can't determine the host name it's connected to
accurately and provides 2 values for the variable "HOST" in PHPSESSID
instead of one.

Stop waffling and arrange to sort it or a very public announcement will
need to be made to secure people's web sites.

 
