Hello p,

Thursday, April 28, 2005, 3:44:33 PM, you wrote:

>>>> - User 1 logs in to webserver 1, gets session id abc123
>>>>
>>>> - User 2 logs in to webserver 2, gets session id abc123 and trashes
>>>> current contents of abc123 session file

>>> Can this happen? What is the probability of two different users
>>> getting the same session ID?

[..]

>> 1. open browser and login
>> 2. open another browser and login to a different account
>> 3. go back to first browser, and click on a different folder,
>> perhaps the sent folder as an example.

[..]

> From what I know, this is still an issue in 1.4, especially if this
> hasn't been worked on since 1.2.

I believe I added session_destroy on the login page, in the late 1.2
series... and I've not personally seen it since.

>> Back to the original point though, it is possible for session id's
>> to collide, the chances are very rare, and as PHP does file locking
>> on the session file, it'd have to be timed in such a way to not be
>> locked at the time of read/write, so it adds to the complexity of
>> reproducibility.

> Although John's example of a single user hitting the same legitimate
> session file just by doing multiple simultaneous requests from different
> tabs/windows for a single login does seem like a potential problem...
> again, unless PHP's locking mechanism is file system-based.

Looking at the php session code in the ext/session/mod_files.c file, which
is what I believe is used to handle the file based sessions, flock() is
called on the session file itself, using an exclusive lock. Maybe I
missed a bit of the thread somewhere on this bit... what is the problem
with the file system-based locking?

-- 
Jonathan Angliss
<[EMAIL PROTECTED]>

-- 
squirrelmail-users mailing list
Posting Guidelines: http://squirrelmail.org/wiki/wiki.php?MailingListPostingGuidelines
List Address: [email protected]
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
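The two locking scenarios discussed in this message, modelled as an added example that is not SquirrelMail's or PHP's own code: several "requests" (threads) perform a read-modify-write on one `sess_<id>` file, the way John's multiple-tab case hits a single session file. With `use_lock=True` each request takes an exclusive `flock()` on the file for the whole read/modify/write, which is the serialisation `ext/session/mod_files.c` provides; with `use_lock=False` the requests read the same stale copy and the last writer silently discards the others' changes. The `sess_` prefix, the one-`key=value`-per-line file format, the session id `abc123` and the key names are assumptions for the demo, not PHP's real serialisation.

```python
import fcntl
import os
import tempfile
import threading
import time


def session_path(directory, session_id):
    # Assumed naming for this demo, modelled on the sess_<id> files PHP's files handler writes.
    return os.path.join(directory, f"sess_{session_id}")


def update_session(directory, session_id, key, value, use_lock=True):
    """Read-modify-write one key in a tiny 'key=value' per line session file.

    With use_lock=True the whole read/modify/write runs under an exclusive
    flock(), so concurrent requests for the same session id are serialised.
    With use_lock=False two requests can read the same stale copy and the
    later writer overwrites the earlier one's changes (a lost update).
    """
    path = session_path(directory, session_id)
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        if use_lock:
            fcntl.flock(fd, fcntl.LOCK_EX)   # block until the other request's write has finished
        raw = os.read(fd, 1 << 16).decode()
        entries = dict(line.split("=", 1) for line in raw.splitlines() if "=" in line)
        entries[key] = value
        time.sleep(0.002)                    # widen the read-to-write window so the race is visible
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        os.write(fd, "\n".join(f"{k}={v}" for k, v in entries.items()).encode())
        if use_lock:
            fcntl.flock(fd, fcntl.LOCK_UN)
    finally:
        os.close(fd)


def read_session(directory, session_id):
    """Return the session file's contents as a dict (empty if the file does not exist)."""
    path = session_path(directory, session_id)
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return dict(line.split("=", 1) for line in fh.read().splitlines() if "=" in line)


def concurrent_updates(session_id, n_requests, use_lock):
    """Fire n_requests simultaneous updates, each storing a distinct key, at one session file.

    Returns how many of the n_requests keys survive; n_requests means no update was lost.
    """
    directory = tempfile.mkdtemp()           # fresh, empty session directory per run
    start = threading.Barrier(n_requests)

    def request(i):
        start.wait()                         # release every request at the same moment
        update_session(directory, session_id, f"k{i}", f"v{i}", use_lock)

    threads = [threading.Thread(target=request, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(read_session(directory, session_id))


if __name__ == "__main__":
    # Constructed demo: 8 simultaneous "tabs" touching session abc123.
    print("locked  :", concurrent_updates("abc123", 8, use_lock=True), "of 8 updates kept")
    print("unlocked:", concurrent_updates("abc123", 8, use_lock=False), "of 8 updates kept")
```

Because `flock()` locks are attached to the open file description, separate `open()` calls on the same path contend with each other even inside one process, which is why the threads here model separate PHP requests faithfully. The locked run always keeps all 8 keys; the unlocked run typically keeps only the last writer's key, which is the "trashed session file" symptom described at the top of the thread, minus the session-id collision itself.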
