Jonathan Angliss wrote:
Hello p,
Thursday, April 28, 2005, 3:44:33 PM, you wrote:


- User 1 logs in to webserver 1, gets session id abc123

- User 2 logs in to webserver 2, gets session id abc123 and trashes
  current contents of abc123 session file


Can this happen? What is the probability of two different users
getting the same session ID?


[..]

   1. open browser and login
   2. open another browser and login to a different account
   3. go back to first browser, and click on a different folder,
      perhaps the sent folder as an example.

[..]

From what I know, this is still an issue in 1.4, especially if this
hasn't been worked on since 1.2.


I believe I added session_destroy on the login page, in the late 1.2
series... and I've not personally seen it since.

There have *definitely* been complaints about this since 1.4 came out. I think I've even seen it personally. I always thought it was still on your backburner to recode that whole system.


Back to the original point though, it is possible for session id's
to collide, the chances are very rare, and as PHP does file locking
on the session file, it'd have to be timed in such a way to not be
locked at the time of read/write, so it adds to the complexity of
reproducibility.


Although John's example of a single user hitting the same legitimate
session file just by doing multiple simultaneous requests from different
tabs/windows for a single login does seem like a potential problem...
again, unless PHP's locking mechanism is file system-based.


Looking at the php session code in the ext/session/mod_files.c file
which is what I believe is used to handle the file based sessions,
flock() is called on the session file itself, using an exclusive lock.
Maybe I missed a bit of the thread somewhere on this bit... what is
the problem with the file system-based locking?

I don't think NFS supports flock...



--
squirrelmail-users mailing list
Posting Guidelines: 
http://squirrelmail.org/wiki/wiki.php?MailingListPostingGuidelines
List Address: [email protected]
List Archives: 
http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

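As an added illustration of the two mechanisms the thread relies on, here is a small stand-alone Python model of a file-backed session store (it is not PHP's mod_files.c and not SquirrelMail code). It shows the exclusive flock() around every read-modify-write of a session file, an allocation step that refuses to hand out an id whose file already exists (so two logins can never share one file even if the generator repeats "abc123"), and a login routine that destroys whatever session the browser presented before issuing a fresh id, which is the "session_destroy on the login page" fix described above. The `FileSessionStore`, `login` and `demo` names, the `gen` parameter and the `sess_` file prefix are constructed for this example.

```python
import fcntl
import os
import secrets
import tempfile

# Constructed model of a file-backed session store (added example, not
# PHP's own implementation). Each session lives in <dir>/sess_<id>.


class FileSessionStore:
    def __init__(self, directory, gen=lambda: secrets.token_hex(16)):
        self.directory = directory
        self.gen = gen  # id generator; injectable so a collision can be forced in tests

    def _path(self, sid):
        # Ids are lowercase hex only, so a presented cookie value can never
        # steer the path outside the session directory.
        if not sid or any(c not in "0123456789abcdef" for c in sid):
            raise ValueError("malformed session id")
        return os.path.join(self.directory, "sess_" + sid)

    def create(self):
        """Allocate a fresh id. O_CREAT|O_EXCL makes the file creation atomic:
        if the generator repeats an id that is already in use, the open fails
        and we simply draw another one instead of reusing another user's file."""
        while True:
            sid = self.gen()
            try:
                fd = os.open(self._path(sid), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            except FileExistsError:
                continue  # collision with a live session: try again
            os.close(fd)
            return sid

    def update(self, sid, mutate):
        """Read-modify-write under an exclusive flock, the same discipline
        mod_files.c applies to the session file; concurrent requests for the
        same id (several tabs of one login) are serialised, not interleaved."""
        with open(self._path(sid), "r+") as f:
            fcntl.flock(f.fileno(), fcntl.LOCK_EX)
            try:
                new_data = mutate(f.read())
                f.seek(0)
                f.truncate()
                f.write(new_data)
                f.flush()
            finally:
                fcntl.flock(f.fileno(), fcntl.LOCK_UN)

    def read(self, sid):
        with open(self._path(sid)) as f:
            fcntl.flock(f.fileno(), fcntl.LOCK_SH)
            try:
                return f.read()
            finally:
                fcntl.flock(f.fileno(), fcntl.LOCK_UN)

    def exists(self, sid):
        return os.path.exists(self._path(sid))

    def destroy(self, sid):
        try:
            os.unlink(self._path(sid))
        except FileNotFoundError:
            pass


def login(store, presented_sid, username):
    """Discard any session the browser presented and issue a new one, so a
    login never inherits, and never overwrites, data belonging to another
    account (the session_destroy-on-login fix)."""
    if presented_sid:
        store.destroy(presented_sid)
    sid = store.create()
    store.update(sid, lambda _old: "user=" + username)
    return sid


def demo():
    """Walk through the thread's scenario in a temporary directory."""
    directory = tempfile.mkdtemp()
    store = FileSessionStore(directory)
    s1 = login(store, None, "alice")     # user 1 logs in
    s2 = login(store, None, "bob")       # user 2 logs in on the same store
    user1_intact = store.read(s1) == "user=alice"
    # Force the generator to repeat "abc123": the second create() must skip it.
    ids = iter(["abc123", "abc123", "def456"])
    forced = FileSessionStore(directory, gen=lambda: next(ids))
    first, second = forced.create(), forced.create()
    s3 = login(store, s1, "alice")       # re-login presenting the old cookie
    return {
        "distinct": s1 != s2,
        "user1_intact": user1_intact,
        "forced": (first, second),
        "old_destroyed": not store.exists(s1),
        "fresh_after_relogin": s3 != s1,
    }


if __name__ == "__main__":
    print(demo())
```

The locking half of this model only helps where flock() is honoured by the filesystem that holds the session directory; on a network mount the answer depends on the kernel and NFS version in use (modern Linux emulates flock() over NFS with byte-range locks, older setups did not), which is exactly the caveat raised at the end of the thread. The O_EXCL allocation, by contrast, does not depend on locking at all and is what actually closes the "two users get abc123" hole.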