It's called Session Hijacking.
And that is the normal behaviour.

Since you are supplying the session id it still thinks you are on the same session 
until it has expired. (expiry time set in php.ini)

Mike



*********** REPLY SEPARATOR  ***********

On 02/01/2003 at 12:48 PM scott wrote:

>hi
>
>I'm running PHP 4.2.3 as module with Apache 1.3.26 on OpenBSD 3.2 with the
>chroot turned off (as it stopped the php_mail() function working, but if
>anyone has the fix for that I will re-implement the jail again :o)
>
>I'm having some problems with sessions. I am not using cookies, as many
>people don't allow them to be set
>
>The main page starts a session, takes username and password, and if they
>are ok, it registers the user's id from the db as a session variable using
>$_SESSION['user_id'] = $user_id;
>
>it then does a header redirect to another page, which at the moment for
>testing just displays the SID and all $_SESSION[vars]
>
>as the SID is being passed in the url, I am able to copy the http://url?SID
>from the browser window
>
>if I close the browser (which from reading the docs on sessions should end
>the session) and then re-open another browser (admittedly on the same
>machine/ip address) and post the http://url?SID back in, I get the page,
>and the $_SESSION[vars] are still there !!
>
>it is reading them back out of the files in /tmp (if I edit these directly
>and paste the url?SID in, I get the new values I manually put in !)
>
> :o( is there an official/approved method to prevent this from being done ?
>
>thank you
>
>_scott
>
>
>
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php

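The exchange above boils down to three facts: a session id presented in a URL is a bearer token, closing the browser tells the server nothing, and the php.ini expiry (session.gc_maxlifetime) only controls when PHP may garbage-collect the files in /tmp, not when a presented id is refused. The following is an added example, not code from either poster, showing the server-side controls that address each point: keeping the id out of URLs, regenerating it at login, enforcing an explicit idle timeout, and providing a real logout. It assumes a modern PHP (session_status(), session_regenerate_id() and session.use_strict_mode are not available on the PHP 4.2.3 in the thread); the function names, the 900-second timeout and the $userId/$_SESSION key layout are choices made for this example.

```php
<?php
// Added example (not from the mailing-list thread). Assumes PHP >= 7.3 for
// session.cookie_samesite; the other settings work on PHP >= 5.5.2.
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds of inactivity after which a session is refused (assumed value)

function configureSession(): void
{
    // Keep the session id out of URLs so it cannot be copied from the
    // address bar, bookmarked, or written to access logs and referrers.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse ids the server never issued, so a guessed or stale id
    // cannot be turned into a live session by simply presenting it.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');
    }
    // gc_maxlifetime only says when PHP *may* delete stale session files;
    // the hard timeout is enforced in currentUser() below.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
}

function startSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        configureSession();
        session_start();
    }
}

// Called only after the username/password check has succeeded.
function loginUser(int $userId): void
{
    startSession();
    // A fresh id after authentication means any id observed before login
    // (in a URL, a log line, a referrer) no longer maps to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
}

// Returns the logged-in user id, or null if the session must be rejected.
function currentUser(): ?int
{
    startSession();
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return null;
    }
    // Enforce the idle timeout ourselves instead of relying on garbage collection.
    if (time() - (int) $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logoutUser();
        return null;
    }
    $_SESSION['last_activity'] = time();
    return (int) $_SESSION['user_id'];
}

// Closing the browser never reaches the server; an explicit logout does.
function logoutUser(): void
{
    startSession();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the client-side cookie as well as the server-side data.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Scott's reason for passing the id in the URL (users who block cookies) is a real trade-off: if URL ids must be kept, the cookie settings above do not apply, but session_regenerate_id() at login, the explicit idle timeout and the logout handler still limit how long a copied URL stays usable.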