Posted by Rik on 01/22/07 22:16
Colin McKinnon wrote:
> Rik wrote:
>
>> wombat wrote:
>>>
>>> Are sessions url dependent? If so, is there a work-around?
>>
>> Cookies are host dependent (with an optional path).
>> home.*.com is not the same host as www.*.com
>>
>> Carrying on sessions between domains is therefore not possible by
>> cookie. The only workaround is carrying over the session_id by a
>> POST or GET variable, and it may be necessary to write your own
>> session_handler, instead of the default one in PHP, so you can still
>> collect previously set session-data. This is not recommended, but
>> possible.
>
> I'd be interested to know why this is not recommended. I'm happy to be
> proved wrong but I can't see why this is more dangerous than sessions
> within a single vhost.
Well, creating a session handler for secure logging in requires knowing what
you do. If you're asking the question 'are sessions url dependent?', my
feeling is I would not recommend that person to write his own. Might be
wrong, but a quick assumption on my part.
> There's no need to write your own session handler if you're moving
> between virtual hosts on the same server - just include the session
> id in links/forms to the receiving end, and (at the receiving end) :
>
> ...
> // guard with !empty() so a missing parameter does not raise a notice
> if (!session_id() && !empty($_REQUEST['throw_session'])) {
>     session_id($_REQUEST['throw_session']);
> }
> session_start();
As I said "The only workaround is carrying over the session_id by a POST or
GET variable". Not really a good solution in my opinion though, as it
creates the option to force a very simple non-random session_id, and if I
give out the link to people like
http://example.com/?throw_session=iknowthis, and they continue using it, I
can just use the url to check up on them, and potentially do everything
they're allowed to do. Of course, in this particular example, the logging
in has to be done at another domain. Still the domain that does the logging
in should never allow sessions to be set like this.
A session_regenerate_id(true); immediately afterwards can ease the pain
somewhat, as I cannot guess the session_id they're going to get after it.
--
Rik Wasmus
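As an added illustration of the point Rik makes (this is example code written for this page, not code from the thread's participants or from PHP itself), the quoted receiving-end snippet is shown next to a hardened variant. The hardened version refuses ids that do not look like PHP-generated ones, relies on `session.use_strict_mode` (assumed available, PHP 5.5.2 and later) so an id this server never issued is not adopted, requires a marker the sending side sets, and rotates the id immediately as Rik suggests. The parameter name `throw_session` comes from the thread; the function names and the `handoff_ok` marker are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Vulnerable (the quoted approach): whatever arrives in ?throw_session=
// becomes the session id. A link with a fixed id, like the one Rik gives,
// lets whoever crafted it keep using the victim's session afterwards.
function resume_session_vulnerable(): void
{
    if (!session_id() && !empty($_REQUEST['throw_session'])) {
        session_id($_REQUEST['throw_session']);
    }
    session_start();
}

// Hardened receiving end. Returns true only if an existing, marked-for-
// handoff session was resumed; the caller should treat false as "not
// logged in" rather than falling back to the supplied id.
function resume_session_hardened(): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    $candidate = $_GET['throw_session'] ?? '';

    // Shape check: PHP ids use [0-9a-f], [0-9a-v] or [0-9a-zA-Z,-] depending
    // on session.sid_bits_per_character, and are 22..256 characters long.
    if (!preg_match('/\A[0-9a-zA-Z,-]{22,256}\z/', $candidate)) {
        return false;
    }

    // Strict mode makes the save handler validate the id; an id that was
    // never created by this server is replaced with a fresh one instead of
    // being adopted, which is exactly the fixation case from the thread.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_id($candidate);
    session_start();

    // Whether strict mode generated a new id or the id simply never carried
    // a handoff, the marker set by the sending side will be missing.
    $resumed = !empty($_SESSION['handoff_ok']);

    // Single use: drop the marker and rotate the id so the URL that carried
    // the old id is useless from here on (Rik's session_regenerate_id(true)).
    unset($_SESSION['handoff_ok']);
    session_regenerate_id(true);
    return $resumed;
}

// Sending end (the domain that did the logging in). Rotate first, so the
// id placed in the link has never appeared in an earlier request or log,
// then mark the session as a pending handoff and flush it to storage.
function build_handoff_link(string $target_base): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['handoff_ok'] = true;
    session_write_close();
    return $target_base . '?throw_session=' . rawurlencode(session_id());
}
```

The shape check alone is not the protection; its job is to keep garbage out of the save handler. The real difference from the quoted snippet is that the receiving side never trusts the supplied id as proof of anything: only a session this server created, that the sending side explicitly marked, and that is discarded after one use, counts as a successful handoff.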