Posted by Gordon Burditt on 03/06/07 01:12
>> www.example.com is not the same as example.com. It may or may not be on
>> the same server. And if it were on a different server, there could be a
>> security exposure.
>>
>It is always the same domain. What server hardware is used is irrelevant.
>An HTML request for www.thisdomain.com will always produce the same
>resulting connection as thisdomain.com.
False. And there is nothing in DNS that even requires both or neither
of www.example.com and example.com to exist and have an A record.
Apache also has features that allow the content served to depend on the
host name presented, and it's perfectly possible to have www.example.com
and example.com have different content. VERY often, they DO have
different content: one just sends a redirect to the other domain,
which is not the same thing.
>The fact it may be on different
>hardware is totally irrelevant.
The fact that it may have totally different content IS relevant.
>Sessions identify domains not hardware.
Have you noticed that www.microsoft.com and support.microsoft.com
have different content? They are in the same domain.
>Organisations register domain names not the hardware they run them on
>or the server types they provide. And conventions exist because that's how
>things work.
Conventions about www being the web server are just that, conventions.
You cannot depend on no one violating them. Everyone drives on the right
hand side of the road, right? It's a convention. So there can't possibly
be anyone driving on the left ha....<splat>!
>I say again. If that is indeed what happens then it's a critical bug in
>PHP and people all over the world will be scratching their heads
>wondering why their secured by password connections frequently fail.
Why would a "secured by password" connection randomly switch between
two domains?
I will also comment that if you think that this is a bug in PHP, you've
got a problem, because THERE IS NO CHANGE YOU CAN MAKE IN PHP TO FIX IT.
You have to change people's browsers.
>If this does happen I guess PHP could create 2 sessions for the same user
>connection and that would be a security hazard as data that should exist
>would simply vanish.
PHP has no way of realizing that it should not create 2 sessions for the
same user.
>That is your real security exposure and it would indeed be caused by PHP
>not HTML.
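The disagreement above comes down to how a browser scopes cookies. The following is an added example, not code from the thread or from PHP: a minimal model of RFC 6265 cookie domain matching that shows why a session cookie issued by www.example.com is not presented on a request to example.com (a host-only cookie), so the server sees two distinct sessions, and how a cookie carrying a Domain attribute covers both names. The cookie name PHPSESSID and the host names are the thread's own; the session-counting helper is an assumption for illustration.

```python
# Added example: model of RFC 6265 cookie domain scoping (not a browser's
# or PHP's implementation). Shows host-only vs Domain-attribute cookies.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # lower-case, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host equals the cookie domain, or
    ends with '.' + cookie domain. (IP-address hosts are not modelled here.)"""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value received from request_host.
    Only the Domain attribute is interpreted; Path, Secure, etc. are ignored."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()
    if domain is None:
        # No Domain attribute: the cookie is host-only for the responding host.
        return Cookie(name, value, request_host.lower(), host_only=True)
    # Browsers reject a Domain attribute that does not cover the responding host.
    if not domain_matches(request_host, domain):
        raise ValueError(f"rejected Domain={domain} set by {request_host}")
    return Cookie(name, value, domain, host_only=False)


def cookies_for(jar: list[Cookie], request_host: str) -> dict[str, str]:
    """Cookies a browser would attach to a request to request_host
    (RFC 6265 section 5.4, domain checks only)."""
    sent: dict[str, str] = {}
    for c in jar:
        if c.host_only:
            if request_host.lower() == c.domain:
                sent[c.name] = c.value
        elif domain_matches(request_host, c.domain):
            sent[c.name] = c.value
    return sent


def sessions_seen(set_cookie: str, issuing_host: str, hosts: list[str]) -> int:
    """Hypothetical helper: count the server-side sessions one user ends up
    with when `issuing_host` sets the session cookie and the user then visits
    each host in `hosts`. A host that is not shown PHPSESSID starts a new
    session and sets its own host-only cookie, as a default PHP setup would."""
    jar = [parse_set_cookie(set_cookie, issuing_host)]
    session_count = 1
    for host in hosts:
        if "PHPSESSID" not in cookies_for(jar, host):
            session_count += 1
            jar.append(parse_set_cookie(f"PHPSESSID=s{session_count}", host))
    return session_count


if __name__ == "__main__":
    visits = ["example.com", "www.example.com", "example.com"]
    print("host-only cookie:", sessions_seen("PHPSESSID=s1", "www.example.com", visits))
    print("Domain=example.com:", sessions_seen(
        "PHPSESSID=s1; Domain=example.com", "www.example.com", visits))
```

Run stand-alone, the host-only case reports two sessions and the Domain=example.com case one, which is the split-session behaviour the thread describes. The scoping decision is made by the browser from the Set-Cookie header; the server's only lever is what it puts in that header (for PHP, the session cookie's Domain attribute), and a Domain that does not cover the responding host is discarded by the browser.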