> >   How about that we use the SERVER_NAME environment variable when
> >   generating session filenames? Instead of name like sess_XXXX, the name
> >   could be sess_YYYY_XXXX, where YYYY is a server fingerprint? I
> >   understand that this is not foolproof (say, for applications
> >   that run on the same domain name) but it will solve the most
> >   serious cases (shared hosting solutions).
>
> -1 for this because it destroys php functionality. it makes it impossible to
> have multiple domains with the same sessions f.e.
> www1.myserver.com
> www2.myserver.com
> news.myserver.com
> archive.myserver.com

  In order to make the above work you need to put
  a lot of effort. Cookies sent to www1.myserver.com will not
  arrive at www2.myserver.com. With the default configuration,
  a user visiting one server and then the other will create
  two different sessions. You need to manually tweak session.cookie_domain
  to make it work.

  Also, URL rewriting does not work on absolute URLs, and you would
  have to manually append the SID to the URL to make the session
  span two different domains.

  I am saying that with a lot of work required to make the above
  work, one extra configuration option will not make an impact,
  and it would certainly be worth the increased default security.

  Such people can simply override the session.save_path value,
  and if they do that, we can turn this additional feature off
  (knowing that they know what they're doing).

  This will secure the default configuration and yet make things
  work for people who want to use sessions over several domains.

  We can make this "on" by default but also allow it to be turned
  off in case it creates problems for someone.

--
Ivan Ristic, [EMAIL PROTECTED]
[ Weblog on PHP, Software development, Intranets,
and Knowledge Management: http://www.webkreator.com ]
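As an added illustration of the proposal discussed above (example code written for this page, not code from the thread, from Ivan Ristic, or from PHP's own session module), here is a file-based session save handler that prefixes each session file with a fingerprint of SERVER_NAME, and drops the prefix when session.save_path has been explicitly overridden. The class name, the 16-hex-character fingerprint length and the "empty save_path means default" heuristic are assumptions made for the example; it assumes PHP 8.0 or later.

```php
<?php
// Added example: host-scoped session file names (sess_<fingerprint>_<id>).
// Two virtual hosts that share one save directory (e.g. /tmp on shared hosting)
// then write to disjoint file names. When the deployer has set session.save_path
// themselves, the prefix is skipped so sessions can still span several domains.

final class HostScopedFileSessionHandler implements SessionHandlerInterface
{
    private string $dir;
    private string $prefix;

    public function __construct(string $dir, ?string $serverName, bool $savePathOverridden)
    {
        $this->dir = rtrim($dir, '/');
        // Fingerprint = first 16 hex chars of SHA-256(lower-cased host name).
        // Empty when save_path was overridden or no host name is known (CLI).
        $this->prefix = ($savePathOverridden || $serverName === null || $serverName === '')
            ? ''
            : substr(hash('sha256', strtolower($serverName)), 0, 16) . '_';
    }

    // Map a session id to its file. The id is validated against the character
    // set PHP itself generates, so a crafted id cannot leave the directory.
    public function fileFor(string $id): string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new InvalidArgumentException('invalid session id');
        }
        return $this->dir . '/sess_' . $this->prefix . $id;
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) && is_writable($this->dir);
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        $f = $this->fileFor($id);
        return is_file($f) ? (string) file_get_contents($f) : '';
    }

    public function write(string $id, string $data): bool
    {
        return file_put_contents($this->fileFor($id), $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $f = $this->fileFor($id);
        return !is_file($f) || unlink($f);
    }

    // Garbage-collect only this host's files; other tenants' files are untouched.
    public function gc(int $max_lifetime): int|false
    {
        $n = 0;
        foreach (glob($this->dir . '/sess_' . $this->prefix . '*') ?: [] as $f) {
            if (filemtime($f) + $max_lifetime < time() && unlink($f)) {
                $n++;
            }
        }
        return $n;
    }
}

// Wiring: php.ini-production ships session.save_path empty, so a non-empty value
// is taken here as "the deployer overrode it deliberately" (assumption).
$savePath   = (string) ini_get('session.save_path');
$overridden = $savePath !== '';
$dir        = $overridden ? $savePath : sys_get_temp_dir();
$handler    = new HostScopedFileSessionHandler($dir, $_SERVER['SERVER_NAME'] ?? null, $overridden);
session_set_save_handler($handler, true);

// Demonstration of the naming scheme with a constructed session id:
$id = 'abcdefghijklmnopqrstuvwxyz';
foreach (['www1.myserver.com', 'www2.myserver.com'] as $host) {
    $h = new HostScopedFileSessionHandler('/tmp', $host, false);
    echo $host, ' -> ', $h->fileFor($id), PHP_EOL;   // different file per host
}
$shared = new HostScopedFileSessionHandler('/tmp', 'www1.myserver.com', true);
echo 'save_path overridden -> ', $shared->fileFor($id), PHP_EOL;  // plain sess_<id>
```

Running the script from the CLI prints two distinct file names for the two hosts and the unprefixed name for the overridden case; under a web server the registered handler applies the same scheme to session_start(). Note that the fingerprint is derived from SERVER_NAME, which the web server sets from its virtual host configuration, so it separates tenants only as far as that configuration does; it does not replace file permissions on the save directory.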
-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]