NYCPHP Meetup

[nycphp-talk] Testing session authentication - multiple apps

csnyder chsnyder at gmail.com
Thu Feb 23 15:29:53 EST 2006


On 2/23/06, Aaron Fischer <agfische at email.smith.edu> wrote:
> Or perhaps I'm not missing anything and
> I need to uniquely identify each session using session_name() or use
> different session authentication vars in each app (e.g.
> $_SESSION['postcard_auth'] = true; in one, $_SESSION['dbmanage_auth'] =
> true; in another, etc.).


Bingo. session_name() called before session_start() will set the name
of the cookie used by PHP to track the session. If you have different
apps in the same domain name that can't share a session, then you can
give them each a unique cookie name.

Paranoid security note -- each app will be able to see the session ids
that are in use by the other applications, and could pull an "inside
job" to get the values associated with those other sessions, or send
spoofed requests to the other apps. If you want zero information
leakage you need to put the apps on separate domains.


--
Chris Snyder
http://chxo.com/
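As an added example (not code from the post or its author), here is how the two pieces above fit together in PHP 7.3+: a per-app cookie name via session_name() before session_start(), and a per-app auth flag in $_SESSION. It also adds, as an assumption not in the original, a per-app cookie path and save_path to narrow the cross-app exposure Chris describes; the function names, app labels and directory are hypothetical.

```php
<?php
// Added example, not from the original post. Assumes PHP 7.3+ and two
// apps under /postcard/ and /dbmanage/ on the same host (made-up names).

/**
 * Start a session that is private to one application. $app becomes part
 * of the cookie name, so apps on the same host get independent sessions.
 */
function app_session_start(string $app, string $path): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started for this request
    }

    // Optional: separate save_path per app, so one app's PHP code cannot
    // simply read the other app's session files from a shared directory.
    // Assumes the directory exists and is writable by the web server.
    ini_set('session.save_path', "/var/lib/php/sessions/$app");

    // Scope the cookie to this app's URL path so the browser only sends it
    // there. This narrows exposure; it is not a trust boundary, since code
    // on the same host can still issue requests to any path.
    session_set_cookie_params([
        'path'     => $path,
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => ($_SERVER['HTTPS'] ?? 'off') !== 'off',
    ]);

    // Must precede session_start(): this sets the session cookie name.
    session_name($app . '_sess');
    session_start();
}

/** Mark the current session as authenticated for this app only. */
function app_login(string $app): void
{
    session_regenerate_id(true); // new id after login, against fixation
    $_SESSION[$app . '_auth'] = true;
}

/** True only if this app, not another one, set the flag. */
function app_is_authenticated(string $app): bool
{
    return !empty($_SESSION[$app . '_auth']);
}

// In the postcard app's bootstrap:
app_session_start('postcard', '/postcard/');
if (!app_is_authenticated('postcard')) { /* redirect to login */ }
```

Even with separate cookie names, paths and save_paths, two apps under one PHP install on one host still share a trust boundary, which is why the post's advice to use separate domains stands when zero leakage is required.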

