Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Hi.
I have a site which uses php / mysql to transact user data. The user logs in, chooses some option, this is saved to his/her account (mysql db). What is sometimes happening is:
User A logs in.
Cookie is set for User A.
User B visits site, and appears to be logged in as User A! (Or any random other user) Although - there is no cookie. I cannot always reproduce this and can only imagine that the html displayed to User B is some cached data.
Anybody ever experience this before?
Any help much appreciated ..
No sessions, simple website which stores data chosen by users. User A logs on. Database is queried for user matching this username / password combination. On success, a cookie is written containing user_id, username, etc. This cookie can be verified to exist and expires at end of session.
User B visits site (not logged in) and is presented with User A's welcome message, and other data (e.g. "Welcome, UserA. You have 12 points"). There is no cookie. I have managed to re-create this intermittently and upon refresh, sometimes the user I appear to be changes! I have no idea what's causing this. I thought it could have something to do with using the global keyword in functions, but have removed usage of these and still no success. I'm running Apache 2 with PHP 5.1.6 on Red Hat Linux (not sure of version, but fairly recent). Does Apache 2 cache results of PHP scripts, by any chance?
As I say - any help very much appreciated ..
Confusedly,
nialler
Posting code won't help at all and would just take up space in the forum. It works as explained - the question I am asking is: has anyone ever heard of a php page being cached on the server?
Ok - SO I suppose this is a fairly unique problem and nobody has encountered it. I just discovered that the site is behind a load balancer, despite the fact that it is running on only one box .. Anybody know if this could be an issue?
nialler
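A way to test the caching theory raised in the posts above, as an added example that is not code from the thread: mark personalized pages as uncacheable by shared caches and stamp each response with a marker that is unique per PHP execution. The cookie name `user_id` and the `X-Request-Marker` header are assumptions for illustration; the thread only says the cookie contains user_id.

```php
<?php
// Added example, not the poster's code. Written without PHP 7 syntax so it
// also runs on old PHP 5 installations like the one mentioned in the thread.

/** Headers telling proxies and load balancers not to store or reuse this page. */
function personalized_page_headers()
{
    return array(
        'Cache-Control: private, no-store, max-age=0',
        'Pragma: no-cache',                        // for HTTP/1.0 intermediaries
        'Expires: Thu, 01 Jan 1970 00:00:00 GMT',  // already expired
        'Vary: Cookie',                            // a cache key must include the cookie
    );
}

/** Marker that differs on every PHP execution (a diagnostic, not a secret). */
function request_marker()
{
    return gmdate('Ymd\THis\Z') . '-' . md5(uniqid(mt_rand(), true));
}

$marker = request_marker();

// Headers must go out before any HTML is echoed.
if (!headers_sent()) {
    foreach (personalized_page_headers() as $line) {
        header($line);
    }
    header('X-Request-Marker: ' . $marker);  // assumed header name, diagnostic only
}

// "user_id" is the assumed cookie name; record only whether it was received.
$cookieState = isset($_COOKIE['user_id']) ? 'cookie received' : 'no cookie received';

// Visible in "view source": compare this line between User A's and User B's pages.
echo "<!-- generated " . $marker . "; " . $cookieState . " -->\n";
```

If User B's page source carries the same marker as a page served earlier to User A, or says "cookie received" when B's browser sent none, the HTML was replayed by something in front of PHP. A fresh marker on a page that still shows the wrong user points at the application code instead.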
SO I suppose this is a fairly unique problem and nobody has encountered it
Actually it's a pretty common problem - people come here all the time and ask for help, but aren't willing to divulge much information. If you explained more clearly and in greater detail what exactly you need, you will find people here to be much more cooperative. And if they ask you to post code, please do so.