Posted by Jerry Stuckle on 11/01/06 12:55
readme@now.com wrote:
> In article <ksrbk29ie6kcjoakvc5h6do93bqgd9vsbv@4ax.com>, andy@andyh.co.uk
> says...
>
>> What do you suggest as the solution? That all session cookies should have
>> their domain set to the TLD of the host issuing them? Then you end up with the
>> sessions leaking across domains, which is much worse.
>>
>
>
> You seem confused as to what PHP uses to track sessions, and the
> difference between a host and a domain. PHP is using hosts, at least it
> calls it a host in PHPSESSID; perhaps it should just use domains?
>
>
>
> I suggest you all stop trying to disguise the massive bug in PHP
>
> The simple fact is - If you connect to a web site, PHP will generate 2
> different answers to the question "what is the name of the host I am now
> connected to?"
>
> It doesn't matter how it's configured or what it's called - PHP should not
> generate 2 sessions under any circumstances. THAT is the bug - it does -
> every time the situation (which is now commonplace) occurs.
>
WRONG, WRONG, WRONG! These are two different hosts, and require two
different sessions.
Point me to ONE SINGLE RFC which says example.com and www.example.com
are the same host. "Common usage" does not count!
And different hosts have different sessions.
> This is the reason the originator of this thread has a problem.
>
> That is a bug. A serious bug. It isn't, as mentioned by someone elsewhere,
> a difficult concept.
>
It is NOT A BUG! It is how the sessions, the HTTP protocol and the
internet itself work!
> The entire and sole purpose of A session is to enable tracking of a user
> during that session. PHP generates 2 sessions thereby preventing this.
> PHP is broke.
>
That is one use, yes. But there are many different uses.
> You can waffle on all you like but the bug is there - it's hard, it's
> simple to reproduce, it's in every release of PHP, it causes lost data on
> web sites and faults the average implementer has difficulty tracking
> down, it confuses log on procedures thereby reducing site security, and
> it's all because PHP can't determine the host name it's connected to
> accurately and provides 2 values for the variable "HOST" in PHPSESSID
> instead of one.
>
> Stop waffling and arrange to sort it or a very public announcement will
> need to be made to secure peoples web sites.
>
>
You can complain all you want about it being a bug. But that doesn't
make it a bug. Learn how things really work. And show us exactly which
RFC is being violated by this "bug".
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
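The disagreement above comes down to how a browser scopes a cookie, so here is an added example (not part of the post or of PHP itself) that models the cookie domain-matching rules of RFC 6265 in Python and walks through the thread's scenario: a PHPSESSID cookie issued by www.example.com with no Domain attribute is host-only and is never sent back to example.com, so the second host gets a second session; a cookie scoped with Domain=example.com (in PHP, the `session.cookie_domain` ini setting or `session_set_cookie_params()`) is sent to both hosts and to every other subdomain; and a cookie scoped to a public suffix such as `com`, the "leak across domains" case the quoted message objects to, is refused by the user agent. The `PUBLIC_SUFFIXES` set is a constructed stand-in for the real Public Suffix List, and the host and session-ID strings are made up for the demonstration.

```python
# Added example, not from the original post or from PHP: a minimal model of
# RFC 6265 cookie storage (section 5.3) and cookie selection (section 5.4),
# enough to show why example.com and www.example.com get separate PHP
# sessions by default, and what scoping the cookie does.

from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the Public Suffix List. Real browsers consult the
# full list (publicsuffix.org); a cookie may not be scoped to any entry on it.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # lower-case, no leading dot
    host_only: bool   # True when the Set-Cookie header had no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host 'domain-matches' the cookie
    domain when they are equal or the host ends with '.' + cookie domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def set_cookie(request_host: str, name: str, value: str,
               domain_attr: Optional[str]) -> Optional[Cookie]:
    """Model the browser storing a Set-Cookie header received from
    request_host. Returns None when the browser would reject it."""
    request_host = request_host.lower()
    if domain_attr is None:
        # No Domain attribute: a host-only cookie bound to exactly this host.
        return Cookie(name, value, request_host, host_only=True)
    domain = domain_attr.lower().lstrip(".")
    # Refuse cookies scoped to a public suffix: every site under that suffix
    # would otherwise receive (and could overwrite) the session cookie.
    if domain in PUBLIC_SUFFIXES:
        return None
    # The issuing host must itself fall under the requested domain.
    if not domain_matches(request_host, domain):
        return None
    return Cookie(name, value, domain, host_only=False)


def cookies_for(request_host: str, jar: List[Cookie]) -> List[Cookie]:
    """RFC 6265 section 5.4 step 1: which stored cookies are sent to a host."""
    request_host = request_host.lower()
    sent = []
    for c in jar:
        if c.host_only:
            if request_host == c.domain:
                sent.append(c)
        elif domain_matches(request_host, c.domain):
            sent.append(c)
    return sent


def demo() -> dict:
    """Walk through the thread's scenario; returns what each host receives."""
    r = {}
    # 1. PHP default (session.cookie_domain empty): no Domain attribute, so the
    #    browser stores PHPSESSID as host-only for www.example.com.
    www_only = set_cookie("www.example.com", "PHPSESSID", "sess-www", None)
    r["host_only_to_www"] = [c.value for c in cookies_for("www.example.com", [www_only])]
    r["host_only_to_apex"] = [c.value for c in cookies_for("example.com", [www_only])]
    # 2. Scoped to example.com: one cookie, hence one session, for the apex
    #    host, www, and every other subdomain (which is also the trade-off:
    #    any host under example.com can now read or replace it).
    shared = set_cookie("www.example.com", "PHPSESSID", "sess-shared", "example.com")
    r["shared_to_apex"] = [c.value for c in cookies_for("example.com", [shared])]
    r["shared_to_www"] = [c.value for c in cookies_for("www.example.com", [shared])]
    r["shared_to_other_sub"] = [c.value for c in cookies_for("shop.example.com", [shared])]
    # 3. Scoped to the TLD: rejected outright, so sessions cannot leak across
    #    unrelated sites this way.
    r["tld_cookie_accepted"] = set_cookie("www.example.com", "PHPSESSID", "sess-tld", "com") is not None
    # 4. A host cannot scope a cookie to an unrelated registrable domain either.
    r["foreign_cookie_accepted"] = set_cookie("www.example.com", "PHPSESSID", "sess-foreign", "example.org") is not None
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately leaves out Path, Secure and expiry handling, which do not affect the host-versus-domain question. In practice the usual fix for the situation in the thread is either to redirect one hostname to the other so only one host ever issues the cookie, or to set `session.cookie_domain` to the registrable domain and accept that every subdomain then shares the session.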