--- Tim Traver <[EMAIL PROTECTED]> wrote:
> I sent a new session ID with the link to the new window like this :
>
> <a href="?PHPSESSID=123456789" target="_blank">
>
> but all it does is change the current session id to the new one, so if
> I go back to the main window, it carries the new session into it.
Yeah, you're only using one browser, so you can only have one set of cookies. To do this, you can't rely on cookies at all, which can be a hassle. Otherwise, the session identifier will always be the most recent one used, because that's what the cookie will reflect (unless you add some logic to do otherwise). I still think it might be better to approach this with programming logic. As I said, this strategy will work, but it's ugly.

> The reason I'm doing the access control through sessions is so that I
> don't have to pass any info in URLs and re-authenticate a user every
> time they hit a page.

We're only talking about propagating the session identifier on the URL. This has nothing to do with authentication and everything to do with identification.

> By saving that information locally in session variables, none of that
> info gets out, and no one can spoof it.

Yikes, that's a lot of misinformation in one sentence!

Cookies are saved locally, and they can make session identifier propagation seem transparent for both the user and the developer. However, just as with URL data, cookies are just something sent along in the request, so they're being provided by the client. So, this information most definitely "gets out".

Sessions are not stored locally; they are stored on the server. It is very important that you understand this, in fact, if you want to implement secure session management. You should leverage this fact to strengthen your mechanism.

Lastly, anyone can spoof this. The session identifier has to be provided by the client, but a secure session mechanism will treat it with some skepticism. Nothing from the client should ever be blindly trusted, which is what I interpret "no one can spoof it" to be suggesting.

I have an article that elaborates much more on this topic that you can read for free:

http://shiflett.org/articles/the-truth-about-sessions

Hope that helps.
Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming mid-2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
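The two points Chris makes above (the identifier is supplied by the client and must be treated with skepticism; the session record itself lives on the server, and the id only identifies that record, it does not authenticate anyone) can be put into a few lines of PHP. This is an added example, not code from the thread or from Chris's article; it assumes PHP 5.5.2 or later for `session.use_strict_mode`, and `checkCredentials()` is a hypothetical placeholder for the application's own password check.

```php
<?php
// Take the session identifier from the cookie only. A "?PHPSESSID=..." link
// (the one from Tim's question) is then ignored by PHP, so it can no longer
// switch the session that the main window is using.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse identifiers this server never issued (PHP >= 5.5.2, assumed here).
ini_set('session.use_strict_mode', '1');

session_start();

// Defence in depth for handlers or versions without strict mode: a session
// with no server-side marker is one PHP just created under an id the client
// chose. Replace that client-chosen id with one generated by the server, so
// the value the client sent never becomes a live session identifier.
if (empty($_SESSION['server_issued'])) {
    session_regenerate_id(true);   // true: delete the old session file
    $_SESSION['server_issued'] = true;
}

// Identification vs. authentication: the id only says which server-side
// record this request belongs to. Whether that record represents a logged-in
// user is decided here, on the server, after the credentials are checked, and
// the id is rotated at that moment so the pre-login id is not carried over.
function loginUser($username, $password)
{
    if (!checkCredentials($username, $password)) {   // hypothetical helper
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['server_issued'] = true;
    $_SESSION['user_id'] = $username;
    return true;
}

// The access check reads only server-side state; nothing the client sent
// (cookie, URL, form field) is consulted directly.
function currentUser()
{
    return isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
}

function logoutUser()
{
    $_SESSION = array();
    session_regenerate_id(true);   // the old id is now useless to anyone holding it
    session_destroy();
}
```

Opening a second window still shares the one cookie, exactly as Chris describes; what this code guarantees is that whichever id the browser presents, the server, not the client, decides which record it maps to and whether that record is authenticated.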