Posted by paul on 03/05/07 23:30

In article <R4udnVVI6J35PHHYnZ2dnUVZ_hadnZ2d@comcast.com>,
jstucklex@attglobal.net says...
> www.example.com is not the same as example.com. It may or may not be on
> the same server. And if it were on a different server, there could be a
> security exposure.
>

It is always the same domain. What server hardware is used is irrelevant.
An HTML request for www.thisdoman.com will always produce the same
resulting connection as thisdomain.com. The fact it may be on different
hardware is totally irrelevant.

Sessions identify domains not hardware.
Organisations register domain names not the hardware they run them on
or the server types they provide. And conventions exist because thats how
things work.

I say again. If that is indeed what happens then its a critical bug in
PHP and people all over the world will be scratching their heads
wondering why their secured by password connections frequently fail.

If this does happen I guess PHP could create 2 sessions for the same user
connection and that would be a security hazard as data that should exist
would simply vanish.

That is your real security exposure and it would indeed be caused by PHP
not HTML.

Paul

[Back to original message]