|
Posted by Isaac Raway on 10/23/07 21:13
On 2007-10-23 02:11:04 -0500, Martin Mandl - m2m tech support
<martin.mandl@gmail.com> said:
> On Oct 23, 1:37 am, ZeldorBlat <zeldorb...@gmail.com> wrote:
>> On Oct 22, 4:44 pm, "David Basford" <dbas...@ntlworld.com> wrote:
>>
>>> if I search for $_SESSION['thing'] is it specific to my site?
>>> can another person make a site, set up a session and set 'thing' and then
>>> come to my site with it set?
>>
>> Session data is stored on the server, so, no.
>
> ... if that 'person' is on the same server and is able to duplicate
> the way you access your session data (session id, etc.) ... then yes
>
> ... to prevent that you could to e.g. generate a new session id every
> time a user comes from another site ...
>
Depends on what he means by "site". If you have your own domain, then
I'm pretty sure it is specific to your domain.
If you are on a subdomain or, worse, just a subdirectory of a domain,
the other directories on that domain can access the same session data.
Anyway, this is how I understand it. I guess that this might noe
accurate, but think about how wide open all these PHP scripts would be
running on colocated servers if it weren't domain specific.
If you use cookies to store the session ID, that abides by the rules of
cookie access which are domain specific (obviously).
IJR
[Back to original message]
|