Anybody got this doubt ....!

Discussion in 'PHP' started by strgraphics, Jun 17, 2010.

  1. #1
    Nothing yar.., as I am new to PHP it seems that it is a good question, that's why I am asking..!
    If it is simple, don't think bad.

    My question is: ( please read slowly )

    website 1: www.xxxxxxx.com is using $_SESSION['userid'] and $_SESSION['password']
    and the user is logging in and worked on that, and after some time he opened

    www.yyyyyyy.com, which also has $_SESSION['userid'] and $_SESSION['password'],

    my doubt is.., will $_SESSION['userid'] of xxxxxxxx.com be replaced with yyyyyyy.com,

    or what...?

    If so, we can access xxxxxxxxx.com pages if we unset the session variables... too.. with the yyyyyy.com session variables...!
     
    strgraphics, Jun 17, 2010
  2. Cozmic
    #2
    There would only be any interaction with the session variables if they were on the same server. If xxxxxxx.com and yyyyyy.com are on different servers, there would be no difference at all. Or at least as I understand it. It may be based on the domain or hosting account. But rest assured that two sites will almost never have problems with similarly named cookies/sessions.
     
    Cozmic, Jun 17, 2010
  3. strgraphics
    #3
    This morning I tested.., on my server. My domain has 5 pages excluding the login page..,
    all of them start with

    PHP:
        <?php
        session_start();
        if (!empty($_SESSION['pass'])) // he got it.
        {
        // the protected page content follows this opening block
        ?>

    AND MY LOG OUT SCRIPT IS:

    PHP:
        <?php
        session_start();
        // removes only the 'pass' key; the session itself stays open
        unset($_SESSION['pass']);
        ?>

    If I log out, all sessions are expired and the pages also do not open..., but you know guys,
    then I created a.php with content

    PHP:
        <?php
        session_start();
        $a = "siva";
        // any non-empty value satisfies the !empty() check used by the pages
        $_SESSION['pass'] = "$a";
        echo "YOU CAN ACCESS ";
        ?>

    Now I can access the previous domain pages.... without login..... ohhhhhhhhhh...

    How can I provide security...!
     
    strgraphics, Jun 17, 2010
  4. Cozmic
    #4
    Sorry, but I don't have any idea what you're getting at. Where is a.php located relative to the other files? The same domain?
     
    Cozmic, Jun 17, 2010
  5. strgraphics
    #5
    Ya, in the same domain and same folder...., just like with my domain files..!
     
    strgraphics, Jun 18, 2010
  6. Cozmic
    #6
    Well, then isn't that exactly the same as a login script, except without requiring password input?
     
    Cozmic, Jun 18, 2010
  7. jestep
    #7
    Session data is stored in a temp folder on the server, or can be configured to be stored in a database. Make sure you have separate session storage locations for each domain. I have never seen this before, but I am assuming that by using the same storage location, you are inadvertently creating multi-site sessions. This is definitely a security problem and should be corrected.

    http://www.php.net/manual/en/function.session-save-path.php
     
    jestep, Jun 18, 2010
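
The per-domain session storage recommended in post #7, together with a check that a session was created by this site, as an added example that is not part of the thread or any poster's code. SITE_ID, SESSION_DIR and the function names are assumptions for illustration, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. SITE_ID, SESSION_DIR and the
// function names are assumptions chosen for illustration.
const SITE_ID     = 'xxxxxxx';                        // assumed per-site label
const SESSION_DIR = '/var/lib/php/sessions/xxxxxxx';  // assumed path; must exist, readable only by this site's user

function start_site_session(): void
{
    // Separate storage per site, so another site on the same server
    // never reads or writes this site's session files.
    session_save_path(SESSION_DIR);
    // Site-specific cookie name instead of the shared default PHPSESSID.
    session_name('SID' . SITE_ID);
    // Reject session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

function mark_logged_in(string $userId): void
{
    // Call only after the password has been verified.
    session_regenerate_id(true);
    $_SESSION['site']   = SITE_ID;
    $_SESSION['userid'] = $userId;
}

function is_logged_in(): bool
{
    // A session written by a different site carries no matching label.
    return isset($_SESSION['site'], $_SESSION['userid'])
        && $_SESSION['site'] === SITE_ID;
}

function log_out(): void
{
    // Clear every variable and delete the stored session,
    // rather than unsetting a single key.
    $_SESSION = [];
    session_destroy();
}
```

The separation applies between sites: a script deployed inside the same site, like a.php in post #3, runs with that site's own access and can still write to its session.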