Re: sessions and domain names

Posted by Gordon Burditt on 11/02/06 00:38

>You seem confused as to what PHP uses to track sessions. And the
>difference between a host and a domain. PHP is using hosts, at least it
>calls it a host in PHPSESSID, perhaps it should just use domains?
>
>I suggest you all stop trying to disguise the massive bug in PHP

Virtualhosting in Apache is not a bug.

I also dispute that the "bug" you are describing in PHP can be fixed
in PHP. It's the browser, not the server that decides what cookies
to send to the server. If the browser thinks that it's talking to
foo.com, it won't *SEND* the session cookie to www.foo.com, which
is how PHP figures out it's in the same session. Therefore it has
no idea whether it's assigning the first or the second session
cookie.

>The simple fact is - If you connect to a web site PHP will generate 2
>different answers to the question "what is the name of the host I am now
>connected to?"

On some commercial hosting sites, it will generate 100 different
answers to that question, because there are 99 customer web sites
on that same server, plus the server's own name. Yes, that site
has 100 DNS entries. And maybe even 100 *reverse* DNS entries.
Those web sites are independent and they should NOT share sessions
between different web sites on the same server. That's a security
hole. It allows one web customer to attack the site of another web
customer on the same server (not that there aren't other kinds of
security issues in this setup also).

If you really want foo.com and www.foo.com to be the same web site,
use Apache to redirect any reference to one to the other one.

>It doesn't matter how it's configured or what it's called - PHP should not
>generate 2 sessions under any circumstances.

It certainly should generate 2 sessions for accessing two different
web sites. Even if they have different IP addresses, that doesn't
mean it's not the same machine.

>THAT is the bug - it does -
>every time the situation (which is now commonplace) occurs.
>
>This is the reason the originator of this thread has a problem.
>
>That is a bug. A serious bug. It isn't, as mentioned by someone elsewhere,
>a difficult concept.
>
>The entire and sole purpose of a session is to enable tracking of a user
>during that session.

On one web site. Cookies are *NOT* intended to be able to track a
sequence of web accesses to arbitrary web sites, and neither are
sessions.

>PHP generates 2 sessions thereby preventing this.
>PHP is broke.

>You can waffle on all you like but the bug is there - it's hard, it's
>simple to reproduce, it's in every release of PHP, it causes lost data on
>web sites and faults the average implementer has difficulty tracking
>down, it confuses log on procedures thereby reducing site security, and
>it's all because PHP can't determine the host name it's connected to
>accurately and provides 2 values for the variable "HOST" in PHPSESSID
>instead of one.
>
>Stop waffling and arrange to sort it or a very public announcement will
>need to be made to secure people's web sites.
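
The point Gordon makes above, that the browser and not PHP decides which cookies reach which host, can be seen by modelling the browser's own cookie-scoping rules. The following is an added illustration, not code from the thread or from PHP: a small Python model of RFC 6265 domain matching and cookie selection. It shows that a session cookie set without a Domain attribute (PHP's default) is host-only, so the one foo.com sets is never sent to www.foo.com, and that two customer sites on one shared server never see each other's PHPSESSID. For contrast it also shows what a cookie carrying an explicit Domain attribute does, which is a different approach from the Apache redirect suggested above. All host names and cookie values are constructed for the example.

```python
"""Model of the browser-side cookie scoping rules (RFC 6265 sections 5.1.3,
5.3 and 5.4). Added example, not part of the original thread; host names
and cookie values below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # canonicalised, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: a host matches a domain if it is identical to it
    or is a sub-domain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def parse_set_cookie(response_host: str, header: str) -> Optional[Cookie]:
    """Model how a browser stores a Set-Cookie header received from
    response_host. Only the Domain attribute is interpreted here; Path,
    Secure and the other attributes are ignored for brevity."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain" and val:
            domain = val.lower().lstrip(".")
    if domain is None:
        # No Domain attribute: the cookie belongs to exactly this host
        return Cookie(name, value, response_host.lower(), host_only=True)
    # RFC 6265 5.3 step 6: a host may not set a cookie for a domain it
    # does not itself match; the browser discards such a cookie
    if not domain_match(response_host, domain):
        return None
    return Cookie(name, value, domain, host_only=False)


def cookies_for(request_host: str, jar: List[Cookie]) -> List[str]:
    """RFC 6265 5.4 step 1: the cookies the browser would send to request_host,
    as name=value strings."""
    sent = []
    for c in jar:
        if c.host_only:
            if request_host.lower() == c.domain:
                sent.append(f"{c.name}={c.value}")
        elif domain_match(request_host, c.domain):
            sent.append(f"{c.name}={c.value}")
    return sent


def scenario() -> Dict[str, List[str]]:
    """Populate a cookie jar the way the hosts in the thread would and
    report what each host gets back."""
    jar: List[Cookie] = []
    # PHP default: session cookie with no Domain attribute, so host-only
    jar.append(parse_set_cookie("foo.com", "PHPSESSID=abc123; path=/"))
    # Two unrelated customers on the same virtual-hosting server
    jar.append(parse_set_cookie("customer1.example", "PHPSESSID=c1sess; path=/"))
    jar.append(parse_set_cookie("customer2.example", "PHPSESSID=c2sess; path=/"))
    # A cookie deliberately scoped to the whole domain, for contrast
    jar.append(parse_set_cookie("foo.com", "SHARED=xyz; Domain=foo.com; path=/"))
    # One customer site cannot scope a cookie to another customer's domain
    assert parse_set_cookie("customer1.example", "OTHER=1; Domain=customer2.example") is None
    hosts = ["foo.com", "www.foo.com", "customer1.example", "customer2.example"]
    return {h: cookies_for(h, jar) for h in hosts}


if __name__ == "__main__":
    for host, sent in scenario().items():
        print(f"{host:20} -> {sent}")
```

Running it shows foo.com receiving its PHPSESSID while www.foo.com receives only the domain-scoped SHARED cookie, which is exactly the situation where PHP cannot know it is seeing the same visitor; the two customer hosts each get only their own session cookie.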

