gazalec, Posted June 8, 2007

I was just wondering if a session is restricted to one website, because I am building a site and it basically says if $_SESSION = '' display this else display something else. I was just wondering, could someone then make up a simple form that assigns something to a session with the same name as mine and then redirect to the site I am making with the session they have made?

gazalec (Author), Posted June 8, 2007

bump

jitesh, Posted June 8, 2007

Are you sure?

    if ($_SESSION = '' )

Basic syntax is

    if ($_SESSION == '')

gazalec (Author), Posted June 8, 2007

No, sorry, I was just saying this quickly to get the point across. When a user first enters the site they are assigned the session id of guest

    $_SESSION['user'] = 'guest';

and when they log in their customer number is then the session id

    $_SESSION['user'] = $customer;

but when a page is loaded it would display something like

    if($_SESSION['user'] == 'guest'){
        echo "Login";
    }
    elseif($_SESSION['user'] != 'guest'){
        echo "Customer details such as Previous Orders etc.";
    }

I was just wondering if someone could set up a form which had a username, and then sent that to a PHP file which assigns that username to the session, e.g.

    $_SESSION['user'] = $username;

If they were then directed to my website, would that allow them access?

    $_SESSION['user'] = $username;
    header("Location:http://www.mysite.com");

jitesh, Posted June 8, 2007

I don't think this should not work. Just try

    if(isset($_SESSION['user']) and $_SESSION['user'] == 'guest')
        echo "Login";
    else
        echo "Customer details such as Previous Orders etc.";

Take care that each page has session_start();

gazalec (Author), Posted June 8, 2007

What? Everything works... I was just wondering about the security issues behind it. Could someone set up a form which assigns their input to a session and then access my site and use the session created on their form to access customer menus on my site?

jitesh, Posted June 8, 2007

For Firefox: do some task with a session, save some data in the session, and open a new instance of Firefox. Now copy the URL from one instance to the other. You will find this session automatically set in the other instance of Firefox. If this is not risky for your application then do not worry about security with sessions. This will not happen in IE.

gazalec (Author), Posted June 8, 2007

But that is someone logging in then closing the browser and re-opening it. I mean for someone who wants to hack the website: if they were to create a session, which would technically be valid on my site, if they were then to redirect to my site would this information be carried on or would it be destroyed since it is going to a new URL?

TreeNode, Posted June 8, 2007

The session and its data are tied to the URL.

per1os, Posted June 8, 2007

> I was just wondering if a session is restricted to one website, because I am building a site and it basically says if $_SESSION = '' display this else display something else. I was just wondering, could someone then make up a simple form that assigns something to a session with the same name as mine and then redirect to the site I am making with the session they have made?

I have to ask, are you making sure that session_start() is at the top of each page you are trying to use sessions on?

calabiyau, Posted June 8, 2007

They would need to get their hands on the session id. As far as I know the variables stored in the session array are actually stored on the server itself and only the session id is stored as a cookie on the user's computer. But using various tactics someone can get their hands on the session id itself and then it can be as easy as appending ?PHPSESSID=1342314213 to the URL and they can access the user's session. That's how I currently understand it at least, but I stand to be corrected.

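Added example, not written by any poster in this thread: the guest/customer pattern from the thread with the session ID protected. `$_SESSION` is filled only by code running on your own server, so the part an outsider can influence is the session ID; this code accepts that ID only from a cookie, refuses IDs the server did not issue, and issues a fresh ID at login. The customer table, `find_customer()` and `login()` are constructed for illustration, and the cookie options assume PHP 7.3+ served over HTTPS.

```php
<?php
// Added example, not code from the thread. The customer table, find_customer()
// and login() are constructed for illustration. Assumes PHP 7.3+ and HTTPS.

// Take the session ID from the cookie only, never from ?PHPSESSID=... in a URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse session IDs that this server did not generate itself.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,        // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,     // sent over HTTPS only
    'httponly' => true,     // not readable from page JavaScript
    'samesite' => 'Lax',
]);
session_start();

// $_SESSION is written only here, on this server. A form hosted elsewhere
// fills that other server's session store, not this one.
if (!isset($_SESSION['user'])) {
    $_SESSION['user'] = 'guest';
}

function find_customer(string $username, string $password): ?string
{
    // Constructed sample data; a real site would query its customer database.
    $customers = [
        'alice' => ['id' => '1001', 'hash' => password_hash('sample-password', PASSWORD_DEFAULT)],
    ];
    $row = $customers[$username] ?? null;
    return ($row !== null && password_verify($password, $row['hash'])) ? $row['id'] : null;
}

function login(string $username, string $password): bool
{
    $customer = find_customer($username, $password);
    if ($customer === null) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID at login; the pre-login ID stops working
    $_SESSION['user'] = $customer; // set only after the server has checked the credentials
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    login((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
}
echo $_SESSION['user'] === 'guest' ? "Login" : "Customer details such as Previous Orders etc.";
```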