Does anyone know specifically how the system keeps session ids unique?

I've read some online documentation but can't find a good explanation.

I am concerned that if it relies on the remoteIP address, then two users from the same workstation could gain access to my PHP application, even though each one logged into the workstation's operating system under different ids. I know that Windows keeps cookies unique to a user, but I want to avoid using cookies if possible.

Any help?

Thanks,

Steve

    The system keeps session IDs unique by keeping them completely random through numerous ways (on Unix, /dev/random or /dev/urandom etc). Your concern about workstations is confusing -???- if you mean someone logs onto your application and then closes the browser and logs out, and then someone else logs on to use the same PC, that is of no concern. The session ID (by default) is set to be a non-persistent cookie, so when the browser window is closed it is deleted. You can even set up PHP to include the session ID in the URL so it wouldn't make a difference, unless the person who logged on stood up and just walked out while still logged in. But you'd have the same problem with any application. Hope that helps!

    Chris King

      Thanks for the explanation. My main concern about the workstation that I forgot to mention is in regard to shared network connections like NAT and proxies.

      I know that HTTP is able to distinguish all clients in these shared connections, but want to understand how PHP sessions handle them.

      Steve
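
Added example, not part of the thread: a PHP CLI script that uses PHP's built-in session functions to show that a session is looked up only by its random ID, so two clients behind one NAT or proxy address get separate sessions. The addresses, user names and the `handleRequest` helper are constructed for illustration; it assumes PHP 7.1 or later with the default file-based session storage.

```php
<?php
// Added example; run with the PHP CLI (PHP 7.1+). All client data is constructed.
ini_set('session.use_cookies', '0');   // no browser here: IDs are passed by hand
ini_set('session.cache_limiter', '');  // no cache headers in CLI
ini_set('session.save_path', sys_get_temp_dir());

// Hypothetical helper modelling one request. $presentedId is the ID the
// client sent back (cookie or URL parameter), or null for a first visit.
function handleRequest(string $remoteAddr, ?string $presentedId, ?string $loginAs): array
{
    $_SERVER['REMOTE_ADDR'] = $remoteAddr;      // set, but not used for the lookup
    $id = $presentedId ?? session_create_id();  // first visit: fresh random ID
    session_id($id);
    session_start();                            // loads whatever is stored under $id
    if ($loginAs !== null) {
        $_SESSION['user'] = $loginAs;
    }
    $user = $_SESSION['user'] ?? null;
    session_write_close();
    return ['id' => $id, 'user' => $user];
}

$nat   = '203.0.113.10';                        // constructed shared NAT/proxy address
$alice = handleRequest($nat, null, 'alice');    // first browser logs in
$bob   = handleRequest($nat, null, 'bob');      // second browser, same address
$again = handleRequest($nat, $alice['id'], null);
$noId  = handleRequest($nat, null, null);       // same address, no ID presented
$moved = handleRequest('198.51.100.7', $alice['id'], null); // same ID, new address

// Remove the session files this demo created before printing anything.
foreach ([$alice, $bob, $noId] as $s) {
    session_id($s['id']);
    session_start();
    session_destroy();
}

printf("IDs differ behind one address: %s\n", var_export($alice['id'] !== $bob['id'], true));
printf("alice's ID resolves to: %s\n", var_export($again['user'], true));
printf("bob's ID resolves to: %s\n", var_export($bob['user'], true));
printf("same address, no ID presented: %s\n", var_export($noId['user'], true));
printf("alice's ID from another address: %s\n", var_export($moved['user'], true));
```

Because the ID is the only thing that selects a session, it has to be treated as a secret; putting it in the URL exposes it to browser history, logs and Referer headers.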
