I am quite aware that IP's are not the way to go, and why.  That is why
I asked about the internal ways PHP handles sessions.  Thanks.

Creating a "jump page" as you call it does not answer the fundamental
question concerning the security of session management, and that is the
basis of what I want to discuss.

-----Original Message-----
From: Jonathan Sharp [mailto:js-lists@;sharpmedia.net] 
Sent: Saturday, November 02, 2002 3:16 AM
To: Robert Samuel White
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Session Management

First off: IP addresses are not the way to go about this AT ALL. Even if
they are behind a proxy, they would most likely be running on a private
subnet (say 10.0.0.x) and worse yet, if a company has multiple backbones
(like the one I consult at) traffic could go through one of 3 gateway
routes (different IPs) and thus I'd end up with 1 of three sessions!?
Also I could just go through and guess IDs since they're a relatively
"small" set. (Easily scripted to probe for sessions)

Creating a 'jump' page is your best bet to cross domains and pass the
session id in the url, and then set the id for that domain. There should
not be any issues if they use the same session store, etc.

As for the internals of php's sessions, I'll leave someone else to
answer that.

-js


Robert Samuel White wrote:
> I'm looking for some well thought out advice on session management.
> 
> I've created a class for handling session management across an unlimited
> number of domains (without using cookies) however it has some inherent
> problems.  In order to differentiate between users, it is using the IP
> Address.  I realize this is completely inefficient, and I was hoping
> that someone could give me some pointers on how exactly PHP handles
> session management from the backend.  When not using cookies, PHP
> propagates the Session ID in the URL and a hidden variable in forms.
> However, is this even safe?  Or is this completely blind faith that the
> Session belongs to that person?
> 
> Basically, I want to know if PHP *knows for sure* the right user is
> using the right session.  In other words, can it detect hijacked
> sessions?  My guess is a resounding no.
> 
> I'm wondering if there is some way to determine the real IP Address of a
> user, even if that user is behind a proxy farm, etc., and if this is, in
> fact, what PHP does.
> 
> If not, I'm stuck with figuring out how best to accomplish my goals
> using cookies.  The problem:  a cookie can only bet set for a single
> domain; therefore, the session will not be carried with the person if
> they browse to another domain which also uses the same eNetwizard
> Content Management Server.  A possibility is to always propagate a State
> Id with the URL and forms, however even this would not prevent the exact
> same problem:  Is this blind faith?
> 
> If you can point me to any excellent resources on the state of session
> management on the web and how to do this securely, please let me know.
> 
> -Samuel | http://enetwizard.net
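To put the thread's two points into code: PHP itself does not know who "owns" a session ID, so any hijack detection has to be layered on by the application, and the client IP is the wrong thing to bind to. The example below is added here and is not code from either poster or from eNetwizard; it assumes PHP 7.1 or later, that the co-operating domains share the same session save_path (Jonathan's "same session store"), and a hypothetical shared directory HANDOFF_DIR for the jump-page tokens. It binds the session to a User-Agent fingerprint rather than the IP, rotates the ID, and implements the cross-domain jump page with a random, single-use, short-lived token instead of placing the session ID in the URL.

```php
<?php
// Added example, not from the thread. Assumptions: PHP >= 7.1, both domains share
// session.save_path, and HANDOFF_DIR is a directory both can read and write.
declare(strict_types=1);

const HANDOFF_DIR = '/tmp/session-handoff';  // assumed shared store (hypothetical path)
const HANDOFF_TTL = 60;                       // seconds a jump-page token stays valid

// Keep the session ID out of URLs and forms (no trans_sid), refuse IDs the server
// never issued (strict_mode), and keep the cookie away from scripts and plain HTTP.
function configure_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');   // honoured on PHP >= 7.3
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');
    }
}

// Deliberately excludes the client IP: proxy farms and multi-gateway networks change
// it mid-session for legitimate users. The User-Agent is a coarse check, not proof.
function fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Returns false when the presented session does not match the client it was
// created for; the caller should then treat the visitor as logged out.
function start_session(): bool
{
    configure_session();
    session_start();
    $fp = fingerprint();
    if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], $fp)) {
        $_SESSION = [];
        session_destroy();               // possible hijack: discard the whole session
        return false;
    }
    $_SESSION['fp'] = $_SESSION['fp'] ?? $fp;
    // Rotate the ID every 5 minutes so a leaked ID has a short useful life.
    if (!isset($_SESSION['rotated']) || time() - $_SESSION['rotated'] > 300) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = time();
    }
    return true;
}

// Jump page, domain A: redirect to B with a one-time token, never the session ID.
// Usage: header('Location: https://b.example/jump.php?t=' . issue_handoff_token());
function issue_handoff_token(): string
{
    if (!is_dir(HANDOFF_DIR)) {
        mkdir(HANDOFF_DIR, 0700, true);
    }
    $token  = bin2hex(random_bytes(32));
    $record = json_encode([
        'sid'     => session_id(),
        'fp'      => fingerprint(),
        'expires' => time() + HANDOFF_TTL,
    ]);
    // Stored under the token's hash so the store itself never holds usable tokens.
    file_put_contents(HANDOFF_DIR . '/' . hash('sha256', $token), $record, LOCK_EX);
    return $token;
}

// Jump page, domain B: usage: redeem_handoff_token($_GET['t'] ?? '') or redirect to login.
function redeem_handoff_token(string $token): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }
    $path    = HANDOFF_DIR . '/' . hash('sha256', $token);
    $claimed = $path . '.' . bin2hex(random_bytes(4));
    if (!@rename($path, $claimed)) {
        return false;                    // unknown token, or already redeemed by a racing request
    }
    $record = json_decode((string) file_get_contents($claimed), true);
    unlink($claimed);                    // single use, whether or not it validates
    if (!is_array($record) || $record['expires'] < time()) {
        return false;
    }
    if (!hash_equals($record['fp'], fingerprint())) {
        return false;                    // token presented from a different client
    }
    configure_session();
    session_id($record['sid']);          // adopt the shared session on this domain
    session_start();
    return true;
}
```

The handoff token answers the "blind faith" question only partially: PHP still cannot prove that the person presenting a token or cookie is the one who received it. What the token does is shrink the exposure to a 60-second, single-use window and keep the long-lived session ID out of Referer headers, proxy logs and browser history, which is where URL-propagated IDs typically leak.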
-- 
PHP General Mailing List (http://www.php.net/)