Re: [PHP] losing session data with cross-site scripting


Posted by Chris Shiflett on 09/21/05 20:25

Steve Lefevre wrote:
> I have a php site on a production server. The production server doesn't
> have the spell libraries, and rather than migrate the site, we set up
> spell checking functions on the development site, and shuttled the users
> back and forth with specially crafted get links and forms.

This sounds ugly, and you're leaving out some important details. My
first question is whether the domain name of the development (well, not
anymore) server is a subdomain of the production server.

> The POST form or GET link on the production site contains the string to
> be spellchecked. Once the user is at the development site, the string is
> spellchecked, and corrected if necessary. The development site checks the
> http referrer to make sure it's not just anybody, and the only thing it
> does is spell checking, anyway.

Checking Referer is useless, because everyone knows what you expect it
to be.

> After the spell checking is done, we then create links that bring the
> user back to the development site. On the development site, I have an
> include at the beginning of each page that checks for a session, and
> either takes them to the proper page, or throws an error if they are
> not on the login page and have no session.

This sounds confusing, but I think it's because you meant to say
production instead of development. Did you?

> Most of the time, no problem. When a user is returning from the
> production site, their session is still set when they load the page
> on the production server, and they get the appropriate page. However,
> for a few users, they are somehow losing session data, and they get
> the error when they try to return from the development server.

Maybe their session is timing out? You're sending them to a different
site, after all.

I think we can help more if you offer some details, such as how you're
handling sessions. It also sounds like you could avoid all of this
confusion by simply having your production server communicate directly
with your development server. Using the user as a data transport seems
very ugly.

(Also, you didn't mention how cross-site scripting fits in.)

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
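As an added illustration of the server-to-server approach Chris suggests (example code, not from the thread or its participants): the production server posts the text to the spell-check endpoint itself and authenticates the request with an HMAC over a shared secret rather than a Referer check, so the user's session never leaves the production host. The secret, the endpoint URL and the `run_spellcheck()` helper are assumptions.

```php
<?php
// Added example (not from the thread). The secret is a placeholder;
// keep it outside the web root and identical on both servers.
const SPELL_SECRET = 'REPLACE-WITH-LONG-RANDOM-SECRET';

// --- Production server: call the spell checker directly ----------------
// The user stays on production, so their session cookie is never carried
// to, or lost on, another host.
function request_spellcheck(string $text, string $endpoint): ?string
{
    $ts   = time();
    $sig  = hash_hmac('sha256', $ts . "\n" . $text, SPELL_SECRET);
    $body = http_build_query(['ts' => $ts, 'text' => $text, 'sig' => $sig]);
    $ctx  = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $body,
        'timeout' => 5,
    ]]);
    $resp = file_get_contents($endpoint, false, $ctx);
    return $resp === false ? null : $resp;
}

// --- Development server: verify the HMAC, not the Referer ---------------
// A Referer header is whatever the client chooses to send; the HMAC can
// only be produced by a party holding the secret. The timestamp limits
// how long a captured request stays valid.
function verify_spellcheck_request(array $post, int $max_age = 60): ?string
{
    if (!isset($post['ts'], $post['text'], $post['sig'])) {
        return null;
    }
    if (abs(time() - (int) $post['ts']) > $max_age) {
        return null;                      // stale or clock-skewed request
    }
    $expected = hash_hmac('sha256', $post['ts'] . "\n" . $post['text'], SPELL_SECRET);
    if (!hash_equals($expected, $post['sig'])) {   // constant-time compare
        return null;
    }
    return $post['text'];                 // safe to hand to the spell checker
}

// Example use on the development host (e.g. spellcheck.php):
// $text = verify_spellcheck_request($_POST);
// if ($text === null) { http_response_code(403); exit; }
// echo run_spellcheck($text);  // run_spellcheck() is the existing checker (assumed)
```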


