Jonathan Angliss wrote:
Hello Rafael Martinez Guerrero,

On Thursday, April 28, 2005, you wrote:
On Thu, 2005-04-28 at 01:01, Jonathan Angliss wrote:
- User 1 logs in to webserver 1, gets session id abc123
- User 2 logs in to webserver 2, gets session id abc123 and trashes current contents of abc123 session file
Can this happen? What is the probability of two different users getting the same session ID?
Note it is not only two users, but two web servers. It is possible, but the possibility of it is probably VERY slim. The session ids are randomly generated based on a number of variables I believe (I've not looked at the PHP code in such a while), and that alone makes the chances of collisions very... difficult :)
You can "replicate" similar kinds of "behaviors" in earlier versions of 1.2.x; I've not been able to replicate it recently, but here are the steps you used to be able to use:

1. open a browser and log in
2. open another browser and log in to a different account
3. go back to the first browser and click on a different folder, perhaps the sent folder as an example
The session information from the first login is smashed by the login information from the second user, but depending on how the logins were timed, and a few other unknown variables I've found, sometimes the user information (preferences, settings, etc) from the first login would smash the second login's preferences. I believe I took care of that in the later 1.2.x versions, and I've not been able to replicate it in the 1.4 series (basically the loading of the login page /should/ not trash the session regardless of login status).
From what I know, this is still an issue in 1.4, especially if this hasn't been worked on since 1.2.
Back to the original point though: it is possible for session ids to collide, but the chances are very rare, and as PHP does file locking on the session file, it'd have to be timed in such a way as not to be locked at the time of read/write, so that adds to the complexity of reproducibility.
Although John's example of a single user hitting the same legitimate session file just by doing multiple simultaneous requests from different tabs/windows for a single login does seem like a potential problem... again, unless PHP's locking mechanism is file system-based.
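As an added illustration of the two points argued in the message above (this is my own Python, not SquirrelMail or PHP code, and it only models PHP's "files" session handler rather than reproducing it): first, a birthday-bound estimate of how likely two sessions are to draw the same id, parameterised on the id's entropy in bits (the 128-bit figure used below is an assumption for the sake of the calculation; if a generator's inputs carry less entropy than the nominal id length, the effective bit count is what matters); second, two requests for the same session id `abc123` interleaved exactly as in the "user 1 / user 2" scenario, once without a lock and once holding an exclusive `flock()` from read until write, to show why the second login smashes the first only when the read/write window is not locked. Requires a POSIX system for `fcntl.flock`; the session id, user names and file layout are constructed for the example.

```python
import fcntl
import json
import math
import os
import tempfile
import threading


def collision_probability(id_bits: int, n_sessions: int) -> float:
    """Birthday-bound estimate of P(at least one collision) among n_sessions
    uniformly random id_bits-bit ids:  1 - exp(-n(n-1) / 2^(bits+1)).
    Assumes uniform ids (an assumption of this example); pass the effective
    entropy rather than the nominal length if the generator is weaker."""
    exponent = (n_sessions * (n_sessions - 1)) / (2.0 ** (id_bits + 1))
    return -math.expm1(-exponent)   # 1 - e^-x, accurate for tiny x


class FileSessionStore:
    """Toy model of a file-per-session store: sess_<sid> holds a JSON dict.
    With use_lock=True the file is held under LOCK_EX from open() to save(),
    so a concurrent request for the same sid blocks instead of interleaving."""

    def __init__(self, directory: str, use_lock: bool = True):
        self.directory = directory
        self.use_lock = use_lock

    def _path(self, sid: str) -> str:
        return os.path.join(self.directory, "sess_" + sid)

    def open(self, sid: str):
        """Return (handle, data). Creates the file if missing; locks if asked."""
        fd = os.open(self._path(sid), os.O_RDWR | os.O_CREAT, 0o600)
        fh = os.fdopen(fd, "r+")
        if self.use_lock:
            fcntl.flock(fh, fcntl.LOCK_EX)   # second opener blocks here
        raw = fh.read()
        return fh, (json.loads(raw) if raw else {})

    def save(self, fh, data: dict) -> None:
        """Overwrite the whole session file, then release the lock."""
        fh.seek(0)
        fh.truncate()
        fh.write(json.dumps(data))
        fh.flush()
        if self.use_lock:
            fcntl.flock(fh, fcntl.LOCK_UN)
        fh.close()

    def peek(self, sid: str) -> dict:
        """Read the stored session without touching the lock (inspection only)."""
        with open(self._path(sid)) as fh:
            raw = fh.read()
        return json.loads(raw) if raw else {}


def race_two_logins(use_lock: bool) -> dict:
    """Two requests read-modify-write the SAME session id. Interleaving forced:
    request 1 reads, request 2 reads, request 1 writes, request 2 writes."""
    with tempfile.TemporaryDirectory() as tmp:
        store = FileSessionStore(tmp, use_lock=use_lock)
        sid = "abc123"                  # constructed colliding id, as in the thread
        req2_read = threading.Event()
        req1_saved = threading.Event()

        def request2():
            fh, data = store.open(sid)  # locked: waits until request 1 saves
            req2_read.set()
            req1_saved.wait()           # unlocked: make sure we write AFTER req 1
            data["user2"] = True
            store.save(fh, data)

        fh1, data1 = store.open(sid)    # request 1 reads (and, if enabled, locks)
        worker = threading.Thread(target=request2)
        worker.start()
        # Unlocked: returns as soon as request 2 has read the stale contents.
        # Locked: times out, because request 2 is still blocked in flock().
        req2_read.wait(timeout=1.0)
        data1["user1"] = True
        store.save(fh1, data1)          # releases the lock for request 2
        req1_saved.set()
        worker.join()
        return store.peek(sid)


if __name__ == "__main__":
    print("P(collision), 128-bit ids, 1e6 sessions:", collision_probability(128, 10**6))
    print("P(collision),  32-bit ids, 1e5 sessions:", collision_probability(32, 10**5))
    print("no lock :", race_two_logins(use_lock=False))   # user1's data is gone
    print("flock   :", race_two_logins(use_lock=True))    # both survive
```

Without the lock the final file holds only `user2`, which is the "trashes current contents of abc123" outcome from the question; with the lock held across the read/write window request 2 simply waits and then sees request 1's data. The same lock is also why a single user's simultaneous requests from several tabs serialise on the session file rather than clobber each other, provided the lock is actually taken by both sides.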
