I'm looking for some well thought out advice on session management.

I've created a class for handling session management across an unlimited
number of domains (without using cookies) however it has some inherent
problems.  In order to differentiate between users, it is using the IP
Address.  I realize this is completely inefficient, and I was hoping
that someone could give me some pointers on how exactly PHP handles
session management from the backend.  When not using cookies, PHP
propagates the Session ID in the URL and a hidden variable in forms.
However, is this even safe?  Or is this completely blind faith that the
Session belongs to that person?

Basically, I want to know if PHP *knows for sure* the right user is
using the right session.  In other words, can it detect hijacked
sessions?  My guess is a resounding no.

I'm wondering if there is some way to determine the real IP Address of a
user, even if that user is behind a proxy farm, etc., and if this is, in
fact, what PHP does.

If not, I'm stuck with figuring out how best to accomplish my goals
using cookies.  The problem:  a cookie can only be set for a single
domain; therefore, the session will not be carried with the person if
they browse to another domain which also uses the same eNetwizard
Content Management Server.  A possibility is to always propagate a State
Id with the URL and forms, however even this would not prevent the exact
same problem:  Is this blind faith?

If you can point me to any excellent resources on the state of session
management on the web and how to do this securely, please let me know.

-Samuel | http://enetwizard.net
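As an added illustration of the points raised in the post (not Samuel's eNetwizard code), the following PHP (7.3 or later assumed) shows what PHP can and cannot do here: it cannot know who owns a session, but it can refuse session IDs it never issued, stop reading them from the URL and form fields, and let the application rebind the session at login and expire it on inactivity. The function names and the idle limit are the example's own.

```php
<?php
// Added example, not the poster's eNetwizard code: a hardened PHP (>= 7.3)
// session setup. PHP cannot prove who owns a session; it can only refuse
// IDs it never issued and let the application rebind the session at login.
// Never read the session ID from the URL or form fields: disable the
// ?PHPSESSID= fallback and the automatic link/form rewriting.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject IDs the server did not create (defeats pre-chosen session IDs).
ini_set('session.use_strict_mode', '1');
// Cookie is per-domain by design: it cannot follow a user to another domain.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

const IDLE_LIMIT = 900; // seconds of inactivity before the session expires

// Call after credentials have been verified.
function loginUser(int $userId): void
{
    // Fresh ID on privilege change, so an ID planted before login is useless.
    session_regenerate_id(true);
    $_SESSION['uid']       = $userId;
    $_SESSION['last_seen'] = time();
    // Tripwire only: user agents change and proxies share IPs, so neither
    // proves identity; the client IP is deliberately not bound at all.
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Returns the user id, or null when the session must not be trusted.
function currentUser(): ?int
{
    if (!isset($_SESSION['uid'], $_SESSION['last_seen'], $_SESSION['ua_hash'])) {
        return null;
    }
    $uaNow = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT
        || !hash_equals($_SESSION['ua_hash'], $uaNow)) {
        session_unset();
        session_destroy(); // drop the server-side state as well
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['uid'];
}
```

Carrying a session across domains still needs a server-side store keyed by an ID that is handed over explicitly and re-validated on the receiving domain; the cookie settings above do not change that.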

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php