Solved

copy of phpsessionid

Posted on 2014-03-24
10
135 Views
Last Modified: 2014-03-25
copy of phpsessionid

create a phpsession on one server
echo results

uncomment a line
that hardcode phpsession
and run this in another server to
echo same results
0
Comment
Question by:rgb192
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +3
10 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 39952337
Can you explain what is to be done?
0
 
LVL 36

Assisted Solution

by:Loganathan Natarajan
Loganathan Natarajan earned 83 total points
ID: 39952376
Working with "phpsession_id" is very specific with server and cookies. More details here, http://in3.php.net/manual/zh/session.idpassing.php
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 83 total points
ID: 39952495
You can not transfer 'session_id' from one server to another and get any useful results.  'session_id' is intended to be unique and is also used to identify storage on the system that created the 'session_id'.  That storage and data does not exist on any other server.
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39953015
Please step back from the technical details and just tell us what you want to do in business terms.  Maybe something like, "I want to share data from one server to another?"  If we understand what you're trying to achieve we may be able to suggest a commonly used design pattern.
0
 

Author Comment

by:rgb192
ID: 39953901
custom content management system where user logs in
I had a file that dumped session to text file

I was told that was a security risk because other users could see the text file and imitate session and 'bad user' can pretend to be 'bob'

Is this possible, if so how?
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 167 total points
ID: 39954234
It may be possible, but if you're using the standard PHP session handler, the risk is very small.  If you're not using the standard PHP session handler, you would want to be able to explain why not.  A correctly configured PHP installation will not expose session data via a URL.

However if you're on a shared server, you may have some (very small) risk from other clients on the same machine.
0
 
LVL 17

Assisted Solution

by:jrm213jrm213
jrm213jrm213 earned 83 total points
ID: 39954345
If you have a valid session id for a user, you can forge a cookie and depending on how the server is set up and what it checks, it may just think you are that user because it's server side session data is still valid. It's why you should always "log out" of systems instead of just closing the browser. Although you have to hope that as part of the logout script the site you are on destroys the session...

For example on your own machine if you are logged into a site and you close the browser, then re-open the browser soon thereafter and navigate back to the site, it will still say you are logged in. It "restored" your session based on the cookie and the session was still live on the server.

So it is definitely possible and it really isn't even very hard. Which is why you need to keep things like session id private.
0
 
LVL 34

Assisted Solution

by:Slick812
Slick812 earned 84 total points
ID: 39954363
hello, , you say "I had a file that dumped session to text file", , This may NOT be a security risk, It all depends on what is in the "text file", that was in the session data, that is now in this text file. Obviously if the developer was stupid enough to have a plain-text Password in the session data, and the user name and the user Password (in plain-text) are in the "text file", then a BIG YES, It is a security risk!

as to a session ID in a "text file", this is in your browser cookie anyway, and is not usually considered much of a security risk, , HOWEVER, very knowledgeable coders may be able to take some advantage of it , in a Short Term way. BUT ALL of the phpsessionid are meant to be only ONE TIME use, SO YOU the developer, must avoid placing ANY passwords, security info, phpsessionid and other risks into a "text file".
persistent security data storage is best done into a MySQL update.
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 167 total points
ID: 39954460
Some of the confusion about how the PHP session works is related to how browsers deal with the cookie jar.  The PHP session uses cookies, and cookies are sent to the browser and returned by the browser, so the contents of the cookie must be considered "tainted."

In this article...
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
... look for The Fine Print
0
 

Author Closing Comment

by:rgb192
ID: 39954953
Thanks for session information.
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
deprecated mysql extensions 1 54
Form not executing correctly 1 28
Convert complicated date to yyyy-mm-dd format 22 50
Position image fpdf 4 18
This article discusses how to create an extensible mechanism for linked drop downs.
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question