sh0wtym3 Posted December 22, 2009

... Accidentally "hacked".

I built this tool for my job, and it is used by me and some workers in another office in California (I'm in Florida). The tool saves session variables for data manipulation but I won't go into too much detail. Basically users can submit a form with data and it gets manipulated and produces output.

On my form I had submitted "Miami" and "Florida" for city and state, so the session variables would have been set using:

    $_SESSION['city'] = "Miami";
    $_SESSION['state'] = "Florida";

However, a coworker in California submitted "Mount Holly" and "New Jersey" on the form - but on the output screen the city and state showed as "Miami" and "Florida" ??? It's like somehow her session picked up my session variables?

Sorry if this sounds confusing, I'm trying to explain as best I can. Do you know how I can fix something like this from happening again? This is the first time I've heard of this happening.

I've added this:

    session_regenerate_id();

... after session_start(); to see if maybe that would help.

My guess is that somehow the session ID that was generated for her was the exact same as mine or something, and the data crossed over. Just guessing, I'm still a newbie to PHP.

Thanks in advance

.josh Posted December 22, 2009

probably a stupid question, but I assume when you say you have this:

    $_SESSION['city'] = "Miami";
    $_SESSION['state'] = "Florida";

you really have something more like this, right?

    $_SESSION['city'] = $_POST['city'];
    $_SESSION['state'] = $_POST['state'];

because if you have the former...well you are using hardcoded values...

akitchin Posted December 22, 2009

did they input the form after being linked to the site by you? if so, it could be that you passed them a link to the site with the session ID in it, in which case they'd assume the session you were carrying.
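
The two causes raised in the replies above, as an added example that is not part of the thread and is not the original poster's code: session values are taken from the submitted form rather than hardcoded, and session IDs are accepted only from cookies so a shared link cannot carry one. The field names `city` and `state` come from the thread; the `initiated` key and the `posted_field()` helper are hypothetical.

```php
<?php
// Added example, not code from the thread.

// Session IDs may arrive only in a cookie, never in the URL, so a link
// copied to a coworker cannot hand over the sender's session.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');    // never append the session ID to links
ini_set('session.use_strict_mode', '1');  // refuse IDs this server did not issue (PHP 5.5.2+)
ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts

session_start();

// Replace the ID once when the session is first used and delete the old
// session file, so an ID that was planted or shared earlier stops working.
if (empty($_SESSION['initiated'])) {
    session_regenerate_id(true);
    $_SESSION['initiated'] = true;
}

// Hypothetical helper: return a trimmed POST field, or '' if it is
// missing or not a plain string (for example an array).
function posted_field($name)
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return '';
    }
    return trim($_POST[$name]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $city  = posted_field('city');
    $state = posted_field('state');

    if ($city !== '' && $state !== '') {
        // Store what THIS request submitted, not literal values.
        $_SESSION['city']  = $city;
        $_SESSION['state'] = $state;
    }
}

// Output page: show this session's values, escaped for HTML.
$city  = isset($_SESSION['city'])  ? $_SESSION['city']  : '';
$state = isset($_SESSION['state']) ? $_SESSION['state'] : '';
echo htmlspecialchars($city, ENT_QUOTES, 'UTF-8'), ', ',
     htmlspecialchars($state, ENT_QUOTES, 'UTF-8');
```

The `ini_set()` calls have to run before `session_start()`; the same settings can be placed in php.ini instead.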