Hi Dave, After a bit more research, I think I understand why Jochem recommends use of session_save_path() rather than just naming each session differently. The former method provides more security as you can set the location where session cookies are stored. This will help prevent an attacker from gaining access to session information and then using it to gain inappropriate access to the application the session was created for or even other applications running on the same shared server. Anyway, I think that's why.
- Ben On 4/20/06, Dave Goodchild <[EMAIL PROTECTED]> wrote: > Let me know how you get on. I have encountered the session leakage issue > before also and it scared the willies out of me. > > > On 20/04/06, Ben Liu < [EMAIL PROTECTED]> wrote: > > Hi Dave, > > > > Thanks, I think the method recommended by Robin using the function > > ini_set() would work, but somehow I think this could be done in > > simpler fashion by setting separate session names for each app, unless > > I am misunderstanding the use of session_name(). Trying this out > > now... > > > > - Ben > > > > On 4/20/06, Dave Goodchild <[EMAIL PROTECTED]> wrote: > > > You can use ini_set to alter this value locally (until the script exits) > in > > > the script itself, which saves having to use a separate ini file if that > is > > > the only value you want to change. > > > > > > > > > On 20/04/06, Ben Liu <[EMAIL PROTECTED]> wrote: > > > > > > > Thanks for the response Robin, I'm reading up on session.cookie_path > > > now. It seems that this would require creating separate php.ini files > > > for each application. > > > > > > On 4/20/06, Robin Vickery < [EMAIL PROTECTED] > wrote: > > > > On 20/04/06, Ben Liu <[EMAIL PROTECTED]> wrote: > > > > > Hello All, > > > > > > > > > > I'm using a single development server to host multiple client > > > > > projects, many of which require session management. I've noticed > that > > > > > sometimes when I test these various web apps (which are simply in > > > > > separate sub directories) I get session leakage where logging in and > > > > > establishing a session on one app allows me access to (automatically > > > > > logs me in) to other app(s) on the same server. Or sometimes a > session > > > > > variable will be set across all the apps, like > $_SESSION['username']. > > > > > > > > > > Is this due to the fact that sessions are established between client > > > > > browsers and servers, regardless of directory/sub directory? > > > > > > > > Yes - that's the default behaviour, although if you set > > > > session.cookie_path separately for each app, they shouldn't share > > > > session cookies. You might also want to look at session.save_path > > > > which will allow each app to save their session files in a different > > > > location. > > > > > > > > -robin > > > > > > > > > > -- > > > PHP General Mailing List (http://www.php.net/) > > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > > > > > > > > > > -- > > > http://www.web-buddha.co.uk > > > dynamic web programming from Reigate, Surrey UK > > > > > > look out for project karma, our new venture, coming soon! > > > > > > -- > > http://www.web-buddha.co.uk > dynamic web programming from Reigate, Surrey UK > > look out for project karma, our new venture, coming soon! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
