Hello Rafael Martinez Guerrero,
On Thursday, April 28, 2005, you wrote:
> On Thu, 2005-04-28 at 01:01, Jonathan Angliss wrote:
>>
>> - User 1 logs in to webserver 1, gets session id abc123
>>
>> - User 2 logs in to webserver 2, gets session id abc123 and trashes
>> current contents of abc123 session file
>>
> Can this happen? What is the probability of two different users getting
> the same session ID?

Note it is not only two users, but two web servers. It is possible,
but the possibility of it is probably VERY slim. The session ids are
randomly generated based on a number of variables I believe (I've
not looked at the PHP code in such a while), and that alone makes
the chances of collisions very... difficult :)

You can "replicate" a similar kind of "behavior" in earlier versions
of 1.2.x, I've not been able to replicate it recently... but here are
the steps you used to be able to use...

1. open browser and log in
2. open another browser and log in to a different account
3. go back to first browser, and click on a different folder,
   perhaps the sent folder as an example.

The session information from the first login is smashed by the login
information from the second user, but depending on how the logins
were timed, and a few other unknown variables I've found, sometimes
the user information (preferences, settings, etc) from the first
login would smash the second login's preferences. I believe I took
care of that in the later 1.2.x versions, and I've not been able to
replicate it in the 1.4 series (basically the loading of the login
page /should/ not trash the session regardless of login status).

Back to the original point though, it is possible for session ids
to collide; the chances are very rare, and as PHP does file locking
on the session file, it'd have to be timed in such a way to not be
locked at the time of read/write, so it adds to the complexity of
reproducibility.

--
Jonathan Angliss
<[EMAIL PROTECTED]>
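
The overwrite in the quoted scenario, next to one way to detect a colliding ID instead of reusing it, as an added example that is not part of the original message and is not SquirrelMail or PHP code. It assumes one session file per ID in a directory shared by both web servers; the function names, the `sess_` file prefix and the sample IDs other than abc123 are constructed for illustration.

```python
import json
import os
import secrets
import tempfile

def naive_login(store, sid, user):
    # Opens the session file for writing regardless of what it already holds,
    # so a second login with the same ID trashes the first session.
    with open(os.path.join(store, "sess_" + sid), "w") as f:
        json.dump({"user": user}, f)

def safe_login(store, user, new_id=lambda: secrets.token_hex(16), tries=5):
    # Allocate the ID by creating its file with O_EXCL: creation fails if the
    # file exists, so a collision is detected atomically and a new ID is drawn.
    for _ in range(tries):
        sid = new_id()
        path = os.path.join(store, "sess_" + sid)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue
        with os.fdopen(fd, "w") as f:
            json.dump({"user": user}, f)
        return sid
    raise RuntimeError("could not allocate a unique session id")

def owner(store, sid):
    # Which user does the stored session belong to?
    with open(os.path.join(store, "sess_" + sid)) as f:
        return json.load(f)["user"]

def demo():
    with tempfile.TemporaryDirectory() as store:
        # Scenario from the thread: both logins are handed abc123.
        naive_login(store, "abc123", "user1")
        naive_login(store, "abc123", "user2")
        smashed = owner(store, "abc123")
        # Constructed ID sequence that forces one collision on the safe path.
        ids = iter(["def456", "def456", "0f9e8d"])
        s1 = safe_login(store, "user1", lambda: next(ids))
        s2 = safe_login(store, "user2", lambda: next(ids))
        return smashed, s1, s2, owner(store, s1), owner(store, s2)

if __name__ == "__main__":
    print(demo())
```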