[nycphp-talk] Experts help needed (Sessions)
Joseph Crawford
codebowl at gmail.com
Tue Aug 2 13:28:52 EDT 2005
Thanks,
I just submitted an order for this book; hopefully it will help me with this
stuff ;)
Can anyone here explain why this is happening?
With the current session class found below, this is the issue:
when the CheckSession method is called, it compares the IP address from
when the session first started with the current IP address, X.X.X.* (I am
also trying to think of a non-IP way to compare). It has no problems finding
that it is a hijacked session. However, when I call the destroy method (I also
tried session_unset(); session_destroy(); and got the same results), it
deletes the hijacked session, so the session_destroy() works. What it is
doing (a side effect of my coding, I think) is keeping all the session info
such as $this->_page, $this->_browser, $this->_ses_id, etc. and just
inserting a new record with your IP etc., but the $_SESSION info is retained,
so you still in essence get the hijacked data. Also, whatever is happening
after session_destroy() allows you to keep the same session_id as
the hijacked session, so when you look in the DB all that really changes is
the user's IP address.
You can only see the results if you have DB access to change the IP in your
session record or you have 2 machines with different IP addresses.
--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
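
Added example, not part of the original post and not the poster's session class: one way to reset a session flagged by the X.X.X.* comparison so that neither the old $_SESSION data nor the old session id survives. The function names and the `ip_prefix` session key are hypothetical, and the addresses in the demo are constructed.

```php
<?php
declare(strict_types=1);

// First three octets of an IPv4 address: the X.X.X.* comparison from the post.
function ip_prefix(string $ip): string
{
    return implode('.', array_slice(explode('.', $ip), 0, 3));
}

// Hypothetical helper: discard the current session completely.
function reset_session(): void
{
    // session_destroy() removes the stored record but leaves this array
    // populated for the rest of the request, so empty it explicitly.
    $_SESSION = [];
    // Issue a fresh id; `true` deletes the old record through the save handler.
    session_regenerate_id(true);
}

// Returns true if the request is accepted, false if the session was reset.
function check_session(string $ip): bool
{
    $prefix = ip_prefix($ip);
    if (!isset($_SESSION['ip_prefix'])) {
        $_SESSION['ip_prefix'] = $prefix;   // first request: record the prefix
        return true;
    }
    if (hash_equals($_SESSION['ip_prefix'], $prefix)) {
        return true;
    }
    reset_session();
    $_SESSION['ip_prefix'] = $prefix;       // the new, empty session belongs to this client
    return false;
}

// Constructed demo (documentation address ranges). Output is collected and
// printed last so nothing is sent before the session functions run.
session_start();
$log = [];
check_session('203.0.113.10');
$_SESSION['cart'] = ['book'];               // data belonging to the original client
$oldId = session_id();
$log[] = check_session('203.0.113.77') ? 'same prefix: accepted' : 'same prefix: reset';
$log[] = check_session('198.51.100.5') ? 'other prefix: accepted' : 'other prefix: reset';
$log[] = 'session id changed: ' . var_export(session_id() !== $oldId, true);
$log[] = 'old data gone: ' . var_export(!isset($_SESSION['cart']), true);
echo implode(PHP_EOL, $log), PHP_EOL;
```

A class that caches session values in its own properties has to clear those as well, since they are not part of $_SESSION.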