|
|
Posted by Jerry Stuckle on 03/06/07 04:43
Vic Spainhower wrote:
>>>> www.example.com is not the same as example.com. It may or may not be on
>>>> the same server. And if it were on a different server, there could be a
>>>> security exposure.
>>>>
> "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
> news:Jv6dnSgFtcWwX3HYnZ2dnUVZ_tGlnZ2d@comcast.com...
>> paul wrote:
>>> In article <R4udnVVI6J35PHHYnZ2dnUVZ_hadnZ2d@comcast.com>,
>>> jstucklex@attglobal.net says...
>>>> www.example.com is not the same as example.com. It may or may not be on
>>>> the same server. And if it were on a different server, there could be a
>>>> security exposure.
>>>>
>>> It is always the same domain. What server hardware is used is irrelevant.
>>> An HTML request for www.thisdoman.com will always produce the same
>>> resulting connection as thisdomain.com. The fact it may be on different
>>> hardware is totally irrelevant.
>>>
>>> Sessions identify domains not hardware.
>>> Organisations register domain names not the hardware they run them on
>>> or the server types they provide. And conventions exist because thats how
>>> things work.
>>>
>>> I say again. If that is indeed what happens then its a critical bug in
>>> PHP and people all over the world will be scratching their heads
>>> wondering why their secured by password connections frequently fail.
>>>
>>> If this does happen I guess PHP could create 2 sessions for the same user
>>> connection and that would be a security hazard as data that should exist
>>> would simply vanish.
>>>
>>> That is your real security exposure and it would indeed be caused by PHP
>>> not HTML. Paul
>> Paul,
>>
>> That's what you don't get. www.example.com is NOT the same as
>> example.com.
>>
>> Whether or not it creates the same connection is immaterial. That is
>> below the HTTP protocol.
>>
>> Yes, organizations register the domain. But www.example.com is NOT the
>> same as example.com which is not the same as ftp.example.com which is not
>> the same as xyz.example.com.
>>
>> The HTTP protocol sees each of the above as a different server. And
>> browsers do not send cookies from one server to another.
>>
>> Creating two sessions is not a security hazard - it is required by the
>> protocol. If you have any bitches, it's with the HTTP protocol, not PHP.
>>
>> But good luck - every language (i.e. VBScript, Perl, Python, Java, etc.)
>> using the HTTP protocol and every browser (i.e. IE, Opera, Firefox,
>> Mozilla, etc.) works the same way. You need to change the protocol, not
>> complain about PHP.
>>
>
>
> I placed the following re-direct in index.php and it goes into a
re-direct
> loop. This would tell me they are in fact the same domain and a
re-direct
> will not solve the problem.
>
> <meta http-equiv="REFRESH" content="2;
URL=http://www.mysite.com">
>
> Vic
>
>
(Top posting fixed)
It doesn't say anything about them being the same domain. All it says
is the same server is handling both requests.
You could be on www.example.com and redirect to www.example.org. If
they are the same host, you will also get the loop.
You will even get the same loop if example.com redirects to example.org
and example.org redirects to example.com (when they are on different
servers).
P.S. Please don't top post.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|