a question about sessions

itsmani1
Forum Regular
Posts: 791
Joined: Mon Sep 29, 2003 2:26 am
Location: Islamabad Pakistan

Post by itsmani1 »

Hello everyone.

This is a general knowledge question!

For example, there is a page where you are using PHP sessions and the page has 20,000 users at the same time. What type of issues can the developer face? The basic purpose of this question is:

Is there anything that depends on your coding, or, you could say, the way you are handling your sessions?

Any type of answer, comment or question will be welcomed.

Thanks.
Abdul Mannan.
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Each user is going to get a separate session ID, and that is going to be their session file on the server and will be unique. There are ways for a user to "steal" someone else's session, but I don't think it's possible for a PHP script to have a session ID collision.
itsmani1
Forum Regular
Posts: 791
Joined: Mon Sep 29, 2003 2:26 am
Location: Islamabad Pakistan

Post by itsmani1 »

Any guess or hint about stealing the session of someone else?

I mean, how can someone steal the session of another user?

Thanks.
Mannan.
php3ch0
Forum Contributor
Posts: 212
Joined: Sun Nov 13, 2005 7:35 am
Location: Folkestone, Kent, UK

Post by php3ch0 »

You can steal a session cookie from the user's computer or the log on a proxy server. It would then be a case of moving this into the correct directory and using this cookie to access the website.

To make sure your sessions are secure, set the remote address in the cookie and check it using this code:

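Code:

session_start();

// Fingerprint of the client making the current request.
$session_vars = array($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT']);

// Store the fingerprint only when the session is first created;
// overwriting it on every request would make the check always pass.
if (!isset($_SESSION['valid']))
{
    $_SESSION['valid'] = $session_vars;
}

// Compare the stored fingerprint with the current request.
function session_check()
{
    // Read from $_SESSION: $session_vars is not visible inside the function.
    $stored = $_SESSION['valid'];
    if ($stored[0] != $_SERVER['REMOTE_ADDR'] || $stored[1] != $_SERVER['HTTP_USER_AGENT'])
    {
        echo('Go hack someone else');
        exit();
    }
}

session_check();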
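An added example, not from any poster in this thread: the binding check from the last post written as a reusable function and combined with session cookie settings that make the cookie harder to capture in the first place. It assumes PHP 7.4 or later and a site served over HTTPS; the function names and the sample addresses are made up for illustration.

```php
<?php
// Added example: function names are hypothetical, sample requests are constructed.

// Hash of the client attributes that the check in the thread compares.
function client_fingerprint(array $server): string {
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';    // the header may be absent
    return hash('sha256', $ip . "\n" . $ua);
}

// Start the session with cookie settings that limit where the ID can leak.
function start_hardened_session(): void {
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_set_cookie_params([
        'secure'   => true,    // assumption: HTTPS only, so the cookie is not sent in clear
        'httponly' => true,    // page scripts cannot read the cookie
        'samesite' => 'Lax',   // not sent on cross-site subrequests
    ]);
    session_start();
}

// Bind a new session to its client; reject a bound session presented by another.
function enforce_binding(array &$session, array $server): bool {
    $current = client_fingerprint($server);
    $session['fingerprint'] ??= $current;      // stored once, on the first request
    if (hash_equals($session['fingerprint'], $current)) {
        return true;
    }
    $session = [];                             // drop the data behind the reused ID
    return false;
}

if (PHP_SAPI === 'cli') {
    // Constructed requests (documentation address ranges), no web server needed.
    $owner = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
    $other = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
    $session = [];
    var_dump(enforce_binding($session, $owner));   // first request binds the session
    var_dump(enforce_binding($session, $owner));   // same client again
    var_dump(enforce_binding($session, $other));   // same session from another address
} else {
    start_hardened_session();
    if (!enforce_binding($_SESSION, $_SERVER)) {
        session_destroy();
        http_response_code(403);
        exit;
    }
}
```

A client whose address changes mid-session (mobile networks, some proxies) fails this check and has to log in again, and clients behind one shared proxy all present the same address.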