
  • Status: Solved
copy of phpsessionid

Create a PHP session on one server and echo the results.

Then uncomment a line that hardcodes the PHP session ID and run the same script on another server to echo the same results.
Asked by: rgb192
6 Solutions
 
Loganathan Natarajan (LAMP Developer) commented:
Can you explain what is to be done?
 
Loganathan Natarajan (LAMP Developer) commented:
Working with "phpsession_id" is very specific to the server and to cookies. More details here: http://in3.php.net/manual/zh/session.idpassing.php
 
Dave Baldwin (Fixer of Problems) commented:
You cannot transfer a 'session_id' from one server to another and get any useful results.  A 'session_id' is intended to be unique and is also used to identify storage on the system that created the 'session_id'.  That storage and data do not exist on any other server.
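To see concretely what Dave is describing, here is an added example (not code posted in this thread) that runs the asker's experiment on a single machine with PHP's default "files" save handler. It creates a session, shows the sess_<id> file the ID actually names, and then hardcodes that ID against a second, empty save path that stands in for the other server. The temp directory names and the user name "bob" are constructed for the demo.

```php
<?php
// Added example: a PHP session ID is only a key into storage on the server
// that issued it. Assumes PHP 7.1+ and the default "files" save handler;
// the directories and the sample user are constructed for this demo.
declare(strict_types=1);

// Private save path so the demo never touches the system session directory.
$savePath = sys_get_temp_dir() . '/demo-sessions';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
ini_set('session.save_handler', 'files');
ini_set('session.use_cookies', '0');       // CLI demo: no cookie exchange needed
ini_set('session.use_strict_mode', '1');   // refuse IDs this server never issued
session_save_path($savePath);

// --- "Server A": create a session and put something in it -----------------
session_start();
$_SESSION['user'] = 'bob';
$id = session_id();
session_write_close();                     // flush $_SESSION to sess_<id> on disk

$file = $savePath . '/sess_' . $id;
echo "Server A issued id:   $id\n";
echo "Server A storage file: $file\n";
echo "Serialized content:    " . file_get_contents($file) . "\n"; // user|s:3:"bob";

// --- "Server B": the hardcoded id, but a different machine ----------------
// A second server has its own save path, which holds no sess_<id> for an ID
// it did not create. An empty directory models that here.
$otherPath = sys_get_temp_dir() . '/demo-sessions-other';
if (!is_dir($otherPath)) {
    mkdir($otherPath, 0700, true);
}
session_save_path($otherPath);
session_id($id);                           // the line the asker "uncomments"
session_start();

// Nothing to restore: the storage the ID points at lives on server A.
echo "Server B sees user:    " . ($_SESSION['user'] ?? '(none)') . "\n";
// With use_strict_mode=1 PHP also discards the unknown ID and mints a new one,
// so the two ids differ; without strict mode it would adopt the foreign ID
// and create an empty session under it (the classic fixation footgun).
echo "Server B id is same:   " . (session_id() === $id ? 'yes' : 'no') . "\n";
session_destroy();
```

Run it with `php demo.php`. The second `session_start()` finds no sess_<id> in its own save path, so `$_SESSION` is empty, and strict mode makes PHP issue a fresh ID instead of accepting the copied one. A real second server behaves the same way unless both servers share one session store (for example a database, memcached or redis save handler), which is the normal way to make logins survive across a cluster.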
 
Ray Paseur commented:
Please step back from the technical details and just tell us what you want to do in business terms.  Maybe something like, "I want to share data from one server to another?"  If we understand what you're trying to achieve we may be able to suggest a commonly used design pattern.
 
rgb192 (Author) commented:
A custom content management system where the user logs in.
I had a file that dumped the session to a text file.

I was told that was a security risk because other users could see the text file and imitate the session, so a 'bad user' can pretend to be 'bob'.

Is this possible, and if so, how?
 
Ray Paseur commented:
It may be possible, but if you're using the standard PHP session handler, the risk is very small.  If you're not using the standard PHP session handler, you would want to be able to explain why not.  A correctly configured PHP installation will not expose session data via a URL.

However, if you're on a shared server, you may have some (very small) risk from other clients on the same machine.
 
jrm213jrm213 commented:
If you have a valid session id for a user, you can forge a cookie and, depending on how the server is set up and what it checks, it may just think you are that user because its server-side session data is still valid. It's why you should always "log out" of systems instead of just closing the browser. Although you have to hope that, as part of the logout script, the site you are on destroys the session...

For example, on your own machine, if you are logged into a site and you close the browser, then re-open the browser soon thereafter and navigate back to the site, it will still say you are logged in. It "restored" your session based on the cookie, and the session was still live on the server.

So it is definitely possible, and it really isn't even very hard. Which is why you need to keep things like the session id private.
 
Slick812 commented:
Hello, you say "I had a file that dumped session to text file". This may NOT be a security risk; it all depends on what is in the "text file", that is, what was in the session data that is now in this text file. Obviously, if the developer was stupid enough to have a plain-text password in the session data, and the user name and the user password (in plain text) are in the "text file", then a BIG YES, it is a security risk!

As to a session ID in a "text file": this is in your browser cookie anyway, and is not usually considered much of a security risk. HOWEVER, very knowledgeable coders may be able to take some advantage of it, in a short-term way. BUT ALL of the phpsessionid are meant to be only ONE TIME use, SO YOU the developer must avoid placing ANY passwords, security info, phpsessionid and other risks into a "text file".
Persistent security data storage is best done with a MySQL update.
 
Ray Paseur commented:
Some of the confusion about how the PHP session works is related to how browsers deal with the cookie jar.  The PHP session uses cookies, and cookies are sent to the browser and returned by the browser, so the contents of the cookie must be considered "tainted."

In this article...
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
... look for The Fine Print
 
rgb192 (Author) commented:
Thanks for the session information.
