Posted by Jerry Stuckle on 07/30/06 18:43
axlq wrote:
> In article <8oudnZWwZoMwVVHZnZ2dnUVZ_vSdnZ2d@comcast.com>,
> Jerry Stuckle <jstucklex@attglobal.net> wrote:
>
>>axlq wrote:
>>
>>>The real problem is that the web hosting server seems to think that
>>>every computer on my home network shares the same session ID, and I
>>>don't know what to do about it. I haven't made the web site public
>>>yet. I certainly can't do so as long as $_SESSION poses such a huge
>>>security risk. There are much more than just home networks behind
>>>NAT firewall/routers. If multiple people in a large organization
>>>try to access my site, all kinds of conflicts will occur.
>>
>>The web server doesn't keep track of the session like that. It sends a
>>cookie to the browser with the session id, and the browser keeps track
>>of the id.
>
>
> It sends a cookie to ONE browser. Once this cookie is set and the
> session established on the server, the cookie doesn't seem to get
> used any more.
>
It does on my systems. But all I use is session_start() - not all the
rest of the stuff you use.
>
>>However, that also depends on your PHP.INI file. You should have
>>session.use_cookies = 1
>>in your php.ini file.
>
>
> It's set that way already.
>
Then it should use cookies automatically. You shouldn't need the rest
of that stuff.
>
>>But I'm also not sure why you're using those other calls - such as
>>session_save_path and session_name(). These should be set up in your
>>php.ini file and you shouldn't need to override them.
>
>
> Two reasons:
>
> 1. This is a shared server, I don't own php.ini, I didn't want to
> use the /tmp path already set in it, and I didn't like the default
> session name set in it.
>
> 2. I can set my own php.ini, but I may have multiple web sites under
> the same account, so I preferred having each site's sessions have
> their own path -- therefore I set session_save_path and session_name
> in the script. It shouldn't make any difference as long as these
> settings are consistent in every invocation of my scripts.
>
So? It's a shared server. Sure, someone can access your session info
in /tmp - but only if they know the session id, which is VERY hard to
guess. And BTW - they could access the information in your own
directory, also. This is worse than no security - it is false security;
making you think your data is safe when you've actually gained nothing.
Just don't keep sensitive information like passwords in the session.
Or, if you must, encrypt it.
>
>>I'm also not sure why you're using set_cookie on the session name.
>
>
> That's only to delete the session cookie when logging off. This was
> recommended in a php documentation page somewhere, so I pretty much
> just lifted the code from there. set_cookie isn't used anywhere else
> on my site except for the one logoff script.
>
> -A
Whatever. Works fine for me without it just by calling
session_destroy(). Then the cookie would have an invalid session ID,
which is just fine, also.
I don't think this is a PHP problem - it's in something you're doing.
Check phpinfo() to ensure your settings are as you expect and you're
using the php.ini you think you're using.
As for other browsers getting the session information - the only way
they would get this is if the server were sending the same information
and/or the pages are cached somewhere between the server and your
internal network.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
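A session bootstrap and logoff script of the kind the thread argues over (per-site save path and name set in the script, cookie-only ids, session_destroy() plus an expired cookie on logoff, and no-cache headers so an intermediate cache cannot hand one session to several machines). This is an added example, not code from either poster; it assumes PHP 7.3 or later and a hypothetical per-site directory ./sessions/ writable by the web server.

```php
<?php
// Added example (not the poster's code). Assumes PHP 7.3+ and a per-site
// directory ./sessions/ (hypothetical) that is writable by the web server.
// Call at the top of every page of one site, before any output is sent.
function site_session_start(string $siteName, string $savePath): void
{
    // Per-site save path and cookie name, so two sites under one account
    // keep their session files and cookies apart.
    session_save_path($savePath);
    session_name($siteName . 'SESSID');

    // Accept the id only from the cookie, never from the URL, and reject
    // ids that this server did not generate itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    // Ask proxies and shared caches between server and browser not to
    // store these responses; a cached page carrying Set-Cookie is one
    // way several machines behind one NAT end up sharing a session id.
    session_cache_limiter('nocache');

    // Cookie unreadable by page scripts, marked Secure on HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);

    session_start();
}

// Log off: clear the data, expire the cookie so the browser stops sending
// the old id, then remove the server-side session file.
function site_session_logoff(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

site_session_start('example', __DIR__ . '/sessions');
if (isset($_GET['logoff'])) {
    site_session_logoff();
}
```

With the no-cache limiter in place, the Set-Cookie and page body go only to the browser that requested them; phpinfo() will show the effective save path, name and cache limiter if the behaviour still looks wrong.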