copy of phpsessionid

create a phpsession on one server
echo results

uncomment a line
that hardcodes phpsession
and run this on another server to
echo same results
Ray Paseur Commented:
Some of the confusion about how the PHP session works is related to how browsers deal with the cookie jar.  The PHP session uses cookies, and cookies are sent to the browser and returned by the browser, so the contents of the cookie must be considered "tainted."

In this article...
... look for The Fine Print
Loganathan Natarajan (LAMP Developer) Commented:
Can you explain what is to be done?
Loganathan Natarajan (LAMP Developer) Commented:
Working with "phpsession_id" is very specific with server and cookies. More details here,
Dave Baldwin (Fixer of Problems) Commented:
You cannot transfer 'session_id' from one server to another and get any useful results.  'session_id' is intended to be unique and is also used to identify storage on the system that created the 'session_id'.  That storage and data do not exist on any other server.
Ray PaseurCommented:
Please step back from the technical details and just tell us what you want to do in business terms.  Maybe something like, "I want to share data from one server to another?"  If we understand what you're trying to achieve we may be able to suggest a commonly used design pattern.
rgb192 (Author) Commented:
custom content management system where user logs in
I had a file that dumped session to text file

I was told that was a security risk because other users could see the text file and imitate session and 'bad user' can pretend to be 'bob'

Is this possible, if so how?
Ray Paseur Commented:
It may be possible, but if you're using the standard PHP session handler, the risk is very small.  If you're not using the standard PHP session handler, you would want to be able to explain why not.  A correctly configured PHP installation will not expose session data via a URL.

However if you're on a shared server, you may have some (very small) risk from other clients on the same machine.
jrm213 Commented:
If you have a valid session id for a user, you can forge a cookie and, depending on how the server is set up and what it checks, it may just think you are that user because its server-side session data is still valid. It's why you should always "log out" of systems instead of just closing the browser. Although you have to hope that as part of the logout script the site you are on destroys the session...

For example on your own machine if you are logged into a site and you close the browser, then re-open the browser soon thereafter and navigate back to the site, it will still say you are logged in. It "restored" your session based on the cookie and the session was still live on the server.

So it is definitely possible and it really isn't even very hard. Which is why you need to keep things like session id private.
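
The point above about logout needing to destroy the session, as an added example that is not part of the original thread: session handling for the standard PHP session handler that issues a fresh ID at login and invalidates the ID at logout, so a copied ID stops working. The function names are hypothetical, and PHP 7.3 or later served over HTTPS is assumed.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

function start_secure_session(): void
{
    // Reject session IDs the server did not issue, and never take IDs from URLs.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only (assumes a TLS site)
        'httponly' => true,   // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(int $userId): void
{
    // Issue a new ID at the privilege change; "true" deletes the old
    // session storage, so an ID seen before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logout_user(): void
{
    // 1. Empty the data held for this request.
    $_SESSION = [];

    // 2. Expire the browser's cookie, using the same parameters it was set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }

    // 3. Delete the server-side storage, so the old ID maps to nothing.
    session_destroy();
}
```

A debug routine that writes `$_SESSION` to disk should leave `session_id()` out of the dump and write outside the web root.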
Slick812 Commented:
Hello, you say "I had a file that dumped session to text file". This may NOT be a security risk. It all depends on what is in the "text file" that was in the session data, that is now in this text file. Obviously if the developer was stupid enough to have a plain-text password in the session data, and the user name and the user password (in plain text) are in the "text file", then a BIG YES, it is a security risk!

As to a session ID in a "text file", this is in your browser cookie anyway, and is not usually considered much of a security risk. HOWEVER, very knowledgeable coders may be able to take some advantage of it in a short-term way. BUT ALL of the phpsessionid are meant to be only ONE TIME use, SO YOU the developer must avoid placing ANY passwords, security info, phpsessionid and other risks into a "text file".
Persistent security data storage is best done into a MySQL update.
rgb192 (Author) Commented:
Thanks for session information.
Question has a verified solution.
