Posted by shimmyshack on 04/26/07 21:09
On Apr 26, 4:23 am, Man-wai Chang <toylet.toy...@gmail.com> wrote:
> If two PCs from the same router connect to my web server, will unique
> session IDs be generated for each connection?
>
> In fact, is there an article talking about how PHP generates session
> cookies?
>
> --
> iTech Consulting Services Limited
> Expert of ePOS solutions
> Website: http://www.itech.com.hk (IE only)
> Tel: (852)2325 3883 Fax: (852)2325 8288
Answering a similar point - that of /can/ you use the same session
identifier on two browsers - the answer is yes for the most part. So if
your router is admin'd by someone you don't trust, it is more than
possible for the session id to be reused (replayed) so that your
session is active on two different machines. This is partly the reason
why the session space is so large; the sparseness of the space makes
session id prediction unlikely, and the randomness adds to this
unlikeliness. But none of this prevents your session ID from being
reused, so if you have a hub somewhere on your network, you are
allowing other users to sniff your session ids, which are often used
as "authenticators", so allowing session hijacking.
All these concerns come into play, and so you shouldn't really feel too
secure if you don't admin the router, or if your router is not patched
with the latest firmware, and this is the reason why routers, while often
ignored, are a vital consideration when considering security. toodle
pip. m
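
The reply above notes that a large random ID space stops guessing but not reuse of an ID captured on the wire. As an added example (not part of the original post), this PHP session setup keeps the cookie off cleartext links and shortens the life of a captured ID; `IDLE_LIMIT`, `ua_hash()`, `on_login()` and `session_looks_replayed()` are hypothetical names, and PHP 7.3+ with an HTTPS-only site is assumed.

```php
<?php
// Added example, not from the original post. The array form of
// session_set_cookie_params() needs PHP 7.3+; the site is assumed HTTPS-only.
ini_set('session.use_strict_mode', '1');  // refuse IDs this server never issued
ini_set('session.use_only_cookies', '1'); // never take the ID from a URL
session_set_cookie_params([
    'lifetime' => 0,       // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,    // sent over TLS only: a hub or router sees ciphertext
    'httponly' => true,    // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

const IDLE_LIMIT = 900;    // assumption: 15-minute idle timeout, in seconds

// Hash of the client's User-Agent header (empty string if absent).
function ua_hash(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Hypothetical hook: call once the application has verified credentials.
function on_login(string $userId): void
{
    session_regenerate_id(true);   // new ID at the privilege change, old one deleted
    $_SESSION['user'] = $userId;
    $_SESSION['ua']   = ua_hash();
}

// Tripwire only: someone who can read the traffic also sees the User-Agent.
// The client IP is deliberately not used: two PCs behind one NAT router
// present the same address, so it cannot tell them apart.
function session_looks_replayed(): bool
{
    return isset($_SESSION['ua']) && !hash_equals($_SESSION['ua'], ua_hash());
}

// Per-request checks: drop the session when idle too long or on a mismatch.
$now     = time();
$expired = isset($_SESSION['last_seen'])
    && $now - $_SESSION['last_seen'] > IDLE_LIMIT;
if ($expired || session_looks_replayed()) {
    $_SESSION = [];
    session_regenerate_id(true);
}
$_SESSION['last_seen'] = $now;
```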