These were all the same assumptions I made, thanks. I knew that it was more of an "HTTP" thing than a "PHP" thing when it came to the "blind faith" thing... I was just hoping that was something "better out there." I'm not willing to use session management as blindly as it is currently implemented. I will find my own solution.
-----Original Message----- From: John W. Holmes [mailto:holmes072000@;charter.net] Sent: Saturday, November 02, 2002 7:42 AM To: 'Robert Samuel White'; [EMAIL PROTECTED] Subject: RE: [PHP] Session Management > I've created a class for handling session management across an unlimited > number of domains (without using cookies) however it has some inherent > problems. In order to differentiate between users, it is using the IP > Address. I realize this is completely inefficient, and I was hoping > that someone could give me some pointers on how exactly PHP handles > session management from the backend. When not using cookies, PHP > propagates the Session ID in the URL and a hidden variable in forms. > However, is this even safe? Or is this completely blind faith that the > Session belongs to that person? It's blind faith, just like every other system. That's the nature of HTTP. PHP makes a "unique" session id that it passes around to identify the user and link all of the requests. > Basically, I want to know if PHP *knows for sure* the right user is > using the right session. In other words, can it detect hijacked > sessions? My guess is a resounding no. No...and neither can any program you write that uses HTTP. The only thing you can do is make it unique enough so that it can't be hijacked. > I'm wondering if there is some way to determine the real IP Address of a > user, even if that user is behind a proxy farm, etc., and if this is, in > fact, what PHP does. No. The PHP session management isn't related to IP at all, that I know of. It shouldn't have to be because of the problem with proxies and people having changing IPs or people sharing IP addresses. > If not, I'm stuck with figuring out how best to accomplish my goals > using cookies. The problem: a cookie can only bet set for a single > domain; therefore, the session will not be carried with the person if > they browse to another domain which also uses the same eNetwizard > Content Management Server. A possibility is to always propagate a State > Id with the URL and forms, however even this would not prevent the exact > same problem: Is this blind faith? If you want the session to maintain over different domains, your only option is to pass the unique id in the URL or POST data. It's just as safe as cookies, but, like you said, you can't pass cookies across domains. Put everything behind SSL and that's as secure as you can get. Hopefully I'm not too confusing. Feel free to ask more questions. ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php