PHP session persistence Different PHP applications, Same host server

exception or error:

I’m, not sure if this is a common use-case, but I’m a normal kind of guy, so I can’t believe this is unusual:

I have a server running a LAMP stack. There are a few PHP applications on the server. I spotted the other day that two completely different apps are sharing session information. WTF?! I get that they do, but why? they trust the server, but why does the server assume that the two apps trust each other?

okay: #1 fix is for one or both use session_name(). That’s superb and it does fix the issue if either or both of them do this and neither tries to get the others session by setting the name, but is there a fix where both apps are hostile to each other? Is there something at the PHP level that can make the sessions independent, regardless of anything the apps might try to do?

Essentially nothing that
https://www.server.com/app1/index.php does should get access to session info of
https://www.server.com/app2/index.php etc…..

I thought that setting the path using session_set_cookie_params() would sort this out, but naah, setting this variable to a limited path actually has no obvious effect which is interesting – both apps #can still get to the session stuff or the other – interesting!

I can’t believe this is a new issue and yet I don’t spot a fix….

Cheers,

turbotas

Example code:

<?php
session_set_cookie_params(3600,"/webapps/test1");
session_name("mysession");
session_start(); ?>
<html>
<head>
</head>
<body>
<?php echo session_id(); ?>
</body>
</html>

imagine this code in webapps/test1 and exactly the same in webapps/test2. I would not expect test2 to be able to use the test1 session state simply by stating a directory outside it’s own installation point – I would expect PHP to protect against that. It doesn’t – I get the same session.

How to solve:

As you’re coding the different applications, you need to make sure that each one saves its session-information (server side) in different places. The session.save_path configuration variable, for instance, specifies the host-side directory if you are saving the sessions using files. If you’re storing the session information in a database table, you should be using different tables or more likely different databases.

Thus, even if an identical session identifier is somehow produced, it will produce different results for each application because each one is referencing its own distinct host-side source.

Leave a Reply

Your email address will not be published. Required fields are marked *