Session Propagation problem

s_iskenderian

Hi,

I'm currently running PHP version 4.0.1.p12 on Linux and I'm using PHPLIB for session management and user authentication. The application I'm working on allows the user to navigate between a few pages on the same webserver. It also allows the user to navigate to a page on other webservers. Now, that's where my problem starts!!

My background research on PHP session management as well as PHPLIB definitely increased my knowledge of PHP but still I can't get to the bottom of it.

Following a successful login the user can navigate around with no problems until the following link is selected.

The php code HREF that should navigate the user to the required page is:

$urlRef = "<A HREF=\"http://".$host."/finddevice.php4?address=".urlencode($curDevice["Address"]).$passStr."\" onMouseOver='window.status=\"".$in_devicePort." : ".$curDevice["Name"]." @ ".$host."\"; return true;' onMouseOut='window.status=\"\"; return true;'>";

This essentially is http://sandalbox.ap.thmulti.com/finddevice.php4?address=5SSH01+6+2&username=abc1&password=ABC

where 'abc1' is the username and 'ABC' is the password. 'address' is a device address.

I understand the problem with going between different webservers the session id may not be propagated even if we're sending the username and password across through the URL.

Whenever I click on the URL link above, the login form pops up and the user is requested to relogin a second time.

Following that the user has no problem navigating to any page. What's more intriguing is that, 'sandalbox' is the same computer where the user first logged in and not a different web server.

Right before selecting the URL link above the session id is valid ($sess->id), however, as expected when the user logs in a second time the session id becomes different. What's confusing is that if instead of relogging in I navigate back to the previous page and click on the same link (above), it successfully takes me to the required page with a DIFFERENT session id.

This seems to be a session id propagation problem but why on earth would the session id expire when I click on the link above?

Questions:

1) Is the session id SID implicitely passed through the different pages (I'm using session cookies) or must I append the SID to the url string above? (?SID)
2) Can I use the hidden_session() function to propage the session id between different webservers?
3) In the above link the username and password are visible in the URL field which doesn't look good for security. I need to implicitely pass the username and password. Should I be using POST here?
4) Which is better to use for session id propagation: cookies or URL?

I seem to be going in circles (a viscous one!). I would greatly appreciate any comments or suggestions.

In anticipation.

Kind regards,
Shiraz
Melbourne, Australia

mjr

Originally posted by s_iskenderian
Hi,
Questions:

1) Is the session id SID implicitely passed through the different pages (I'm using session cookies) or must I append the SID to the url string above? (?SID)
2) Can I use the hidden_session() function to propage the session id between different webservers?
3) In the above link the username and password are visible in the URL field which doesn't look good for security. I need to implicitely pass the username and password. Should I be using POST here?
4) Which is better to use for session id propagation: cookies or URL?

1. php session functions allow to identify iser on all pages of a site automatically. so `?SID' appending is not required
3. yes. post is the best method (e.g you may add onclick handler to submit hidden "post" form).
4. url is the best choice - users turn cookies off to often 🙁

s_iskenderian

Given that I was trying to access an absolute URL,
http://sandalbox.ap.thmulti.com/fin...c1&password=ABC

PHPLIB thinks its an external request, so it automatically pops up the Login page. I had to put a check in this section to only use the absolute path if going to other webservers

Shiraz