|
|
Posted by Vic Spainhower on 03/06/07 04:14
>>> www.example.com is not the same as example.com. It may or may not be on
>>> the same server. And if it were on a different server, there could be a
>>> security exposure.
>>>
I placed the following re-direct in index.php and it goes into a re-direct
loop. This would tell me they are in fact the same domain and a re-direct
will not solve the problem.
<meta http-equiv="REFRESH" content="2; URL=http://www.mysite.com">
Vic
"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
news:Jv6dnSgFtcWwX3HYnZ2dnUVZ_tGlnZ2d@comcast.com...
> paul wrote:
>> In article <R4udnVVI6J35PHHYnZ2dnUVZ_hadnZ2d@comcast.com>,
>> jstucklex@attglobal.net says...
>>> www.example.com is not the same as example.com. It may or may not be on
>>> the same server. And if it were on a different server, there could be a
>>> security exposure.
>>>
>>
>> It is always the same domain. What server hardware is used is irrelevant.
>> An HTML request for www.thisdoman.com will always produce the same
>> resulting connection as thisdomain.com. The fact it may be on different
>> hardware is totally irrelevant.
>>
>> Sessions identify domains not hardware.
>> Organisations register domain names not the hardware they run them on
>> or the server types they provide. And conventions exist because thats how
>> things work.
>>
>> I say again. If that is indeed what happens then its a critical bug in
>> PHP and people all over the world will be scratching their heads
>> wondering why their secured by password connections frequently fail.
>>
>> If this does happen I guess PHP could create 2 sessions for the same user
>> connection and that would be a security hazard as data that should exist
>> would simply vanish.
>>
>> That is your real security exposure and it would indeed be caused by PHP
>> not HTML. Paul
>
> Paul,
>
> That's what you don't get. www.example.com is NOT the same as
> example.com.
>
> Whether or not it creates the same connection is immaterial. That is
> below the HTTP protocol.
>
> Yes, organizations register the domain. But www.example.com is NOT the
> same as example.com which is not the same as ftp.example.com which is not
> the same as xyz.example.com.
>
> The HTTP protocol sees each of the above as a different server. And
> browsers do not send cookies from one server to another.
>
> Creating two sessions is not a security hazard - it is required by the
> protocol. If you have any bitches, it's with the HTTP protocol, not PHP.
>
> But good luck - every language (i.e. VBScript, Perl, Python, Java, etc.)
> using the HTTP protocol and every browser (i.e. IE, Opera, Firefox,
> Mozilla, etc.) works the same way. You need to change the protocol, not
> complain about PHP.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex@attglobal.net
> ==================
Navigation:
[Reply to this message]
|