Multiple sessions, concurrently

Anon

This problem popped up when somebody who is using my BBS software set up two concurrent instances of the program, working off different databases, on the same machine.

Session variables from one instance "leaked" into another. This created a security hole: If somebody logged into one instance as user ID #3, then changed the URL to point to the other instance of the software, he/she "became" user ID #3 of that database -- even though it might be a different person.

session_name() appears to provide a way to prevent this. I changed my code so that every page calls this:

session_name($db);

... where $db is the name of the database.

Does anybody have enough experience with sessions to verify that this will prevent this problem from occurring again?

Anon

Does your code send the sessionID properly?either through cookies or url?

Anon

Through cookies. Other than the unwanted "crosstalk" between applications, sessions are working fine.

I wound up taking a belt-and-suspenders approach. I am now (a) setting a session name that is unique to the application instance, and (b) md5() encrypting user IDs with a key that concatenates the hostname, and path to the application with a passphrase that the system operator is supposed to set.

That should cover the bases for people who install the software and neglect to read and follow the configuration instructions. :-)

Anon

Hi there. I have a similar problem at the moment. I need to differentiate possible multiple instances of the same applicaiton on one machine. Presently using Session variables...

I have tried all sorts of things, including changing the window name upon startup (with Javascript) to the user's ID. This is fine, but it means excessive 'refreshing' to get the variable through a server side script, as I can't connect to the database using the client side javascript variable.

Any news on an alternate solution would be great! I'm working on it...