

PHP sessions and security





kv
I am trying to write a login script which checks for an "islogged" variable in the session and redirects to the appropriate page. My code looks something like

Code:

session_start();

// A missing or false flag must count as "not logged in" without raising a notice.
if (!empty($_SESSION['islogged']))
    header("Location: home.php");
else
    header("Location: login.php");
exit; // stop the script once the redirect header has been sent



Let us assume I host this on frihost, and somebody else also hosts his application on frihost with the same kind of code. If a user is in one application (and hence islogged is in the session) and tries to go to the other application, since it is the same PHP installation and configuration, the user will be able to log in to the other application without logging in.

Is this how it works? If it is so, what is the solution?
Atomo64
The only way a user can 'abuse' this code is if the sessions are not different for the two accounts. In other words, normally when you access something.example.com you get a SID, and then if you go to an_other_subdomain.example.com the session can't be accessed from one subdomain by another. Even though this is difficult to understand, since it depends mostly on the web server, you can do this:
Use a random number; your example would look like this:
Code:

require_once("common.php"); // defines the per-application UID constant
session_start();

// The flag name is namespaced with UID, so another application's
// plain 'islogged' flag does not satisfy this application's check.
if (!empty($_SESSION['islogged'.UID]))
    header("Location: home.php");
else
    header("Location: login.php");
exit; // nothing below the redirect should run

and on common.php :
Code:

// Quote the value: a 43-digit numeric literal is a float in PHP and
// would be stringified as something like 5.4348863483486E+42.
define("UID", "5434886348348635784248482482646824826486468");

--
That would make it difficult for two sessions to run into this problem,
and you can use session_name() so you can make your session a little bit more unique.
kv
Ok, now I will rephrase my question.

1) Is php session different for different accounts in frihost?

2) Is it different for subdomains of same account?
Atomo64
kv wrote:
1) Is php session different for different accounts in frihost?

I think so.
kv wrote:
2) Is it different for subdomains of same account?

Nope, because the subdomains are just directories, not other users' accounts.
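The following is an added example, not code from the thread or from Frihost, that puts the two answers above into one working setup: the per-application key and session_name() suggested in the first reply, plus scoping for the case in the second reply where the "subdomains" are just directories under one account and therefore share the same PHP user, the same default cookie name (PHPSESSID), the same cookie path (/) and the same host-wide session.save_path. The application directory /app1/, the sibling /app2/, the private sessions directory, the APP_KEY constant and the function names are assumptions for the example; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not from the thread): isolate this application's session
// from other applications on the same host or in the same account.
// Assumed layout: this app is served under /app1/, a sibling under /app2/.

// 1. Own cookie name. Two apps that both call session_start() with the
//    default name read the same PHPSESSID cookie and thus the same session.
session_name('app1_sess');

// 2. Own storage directory, outside the web root and readable only by this
//    account, instead of the server-wide default (often /tmp). Path assumed.
$savePath = __DIR__ . '/../private/sessions';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
session_save_path($savePath);

// 3. Scope the cookie to this application's URL prefix so the browser does
//    not send app1's cookie to /app2/ on the same host. No 'domain' means
//    the current host only, not a shared parent domain. HttpOnly keeps
//    scripts from reading the cookie; 'secure' is set only over HTTPS.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/app1/',
    'domain'   => '',
    'secure'   => $https,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// 4. Namespace the flag with a per-application string constant (the UID
//    idea from the reply above). A string avoids the float conversion that
//    a very long numeric literal gets in PHP. Value is made up.
define('APP_KEY', 'app1-4f9c2e7a');

function loginUser(string $username): void
{
    // New session id on privilege change, so an id fixed or obtained
    // before login is not the one that carries the logged-in state.
    session_regenerate_id(true);
    $_SESSION[APP_KEY . ':islogged'] = true;
    $_SESSION[APP_KEY . ':user']     = $username;
}

function isLoggedIn(): bool
{
    // An unset key must not raise a notice and must count as "not logged in".
    return !empty($_SESSION[APP_KEY . ':islogged']);
}

// The redirect from the original post (this file plays the role of the
// landing script; home.php and login.php would include steps 1-4 but not
// this redirect, or they would loop).
if (isLoggedIn()) {
    header('Location: home.php');
} else {
    header('Location: login.php');
}
exit; // never run the rest of the script for an unauthenticated request
```

Steps 1 to 3 are what actually keeps the two applications apart: the cookie name, cookie path and save path are all per application, so a browser holding app1's cookie sends nothing usable to /app2/, and app2's PHP process cannot read app1's session files. Step 4 is defence in depth for the case the thread worries about, where both applications end up reading the same session data anyway. All four calls must come before session_start(), which is also why the setup belongs in one shared include.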
© 2005-2011 Frihost, forums powered by phpBB.