
sessions and domain names

Hi all. I've got an app that dumps a user id into a session after
successful login. The login page is http://www.mydomain.com/login.php.

If the user visits pages on my site without the www (i.e.,
http://mydomain.com/foo.php), the session works fine and login state is
maintained.

If he visits http://www.mydomain.com/foo.php, the app drops the
logged-in state.

Any idea how to fix this? I'm running PHP 4.4.1 w/ Linux Apache.

Oct 26 '06 #1
"magic_hat60622" <ma************@yahoo.com> wrote in message
news:11*********************@i3g2000cwc.googlegroups.com...
> Hi all. I've got an app that dumps a user id into a session after
> successful login. The login page is http://www.mydomain.com/login.php.
>
> If the user visits pages on my site without the www (i.e.,
> http://mydomain.com/foo.php), the session works fine and login state is
> maintained.
>
> If he visits http://www.mydomain.com/foo.php, the app drops the
> logged-in state.
>
> Any idea how to fix this? I'm running PHP 4.4.1 w/ Linux Apache.

Sessions are per domain. For www.mydomain.com there is one session, and for
mydomain.com there is another. Redirect all users from www.mydomain.com to
mydomain.com or vice versa. Make sure the domain is always the same, so that
it doesn't change on the way. That way they will always use the same
session.

--
"A programmer is an organism that turns caffeine into code" - lpk
http://outolempi.net/ahdistus/ - An occasionally updated webcomic
sp**@outolempi.net | rot13(xv***@bhgbyrzcv.arg)
Oct 27 '06 #2
In article <6a*****************@reader1.news.jippii.net>,
sp**@outolempi.net says...
> Sessions are per domain. For www.mydomain.com there is one session, and for
> mydomain.com there is anothe

A session is supposed to be a session with a particular host.

Actually PHP uses host names for sessions if you look in PHPSESSID but it
puts the domain name in by mistake. Hence his problem.

Now that all "domains" are being registered both with AND without the
particular service name (WWW FTP etc) - IE as host names - this is going
to be a big problem for PHP if it isn't sorted real soon.

You can see historically why the bug hasn't mattered but things have
changed in the domain registration business and now it matters a great
deal.

I'm surprised it hasn't been reported more generally. I've seen reports on
ecommerce web sites about mysterious failures, I wouldn't be at all
surprised if this wasn't connected.
Oct 27 '06 #3
re****@otherlips.com wrote:
> In article <6a*****************@reader1.news.jippii.net>,
> sp**@outolempi.net says...
>> Sessions are per domain. For www.mydomain.com there is one session, and for
>> mydomain.com there is anothe
>
> A session is supposed to be a session with a particular host.
>
> Actually PHP uses host names for sessions if you look in PHPSESSID but it
> puts the domain name in by mistake. Hence his problem.
>
> Now that all "domains" are being registered both with AND without the
> particular service name (WWW FTP etc) - IE as host names - this is going
> to be a big problem for PHP if it isn't sorted real soon.
>
> You can see historically why the bug hasn't mattered but things have
> changed in the domain registration business and now it matters a great
> deal.
>
> I'm surprised it hasn't been reported more generally. I've seen reports on
> ecommerce web sites about mysterious failures, I wouldn't be at all
> surprised if this wasn't connected.

example.com and www.example.com are, by definition, two different hosts.
The fact they resolve to the same physical server is immaterial. PHP
is 100% correct in its operation.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Oct 27 '06 #4
In article <W_******************************@comcast.com>,
js*******@attglobal.net says...
> example.com and www.example.com are, by definition, two different hosts.
> The fact they resolve to the same physical server is immaterial. PHP
> is 100% correct in its operation.

No

example.com and www.example.com are the same host by both fact and hence
definition. It is the domain being addressed not necessarily a physical
machine I agree. However...

The fact is that using www. as a prefix to a domain in order to
address a web server on that host may not be formal syntax but it is
formal by dint of common usage. Common usage for some time has been to
address the same host in either manner. Anyone reserving a domain today
will have both assigned and resolved as the same address making them
interchangeable.

It is PHP that calls this a host and then provides 2 different answers as
to what that host is called during the same connection. The fact that it
comes up with 2 different answers to the same question during the same
connection should be telling you something?

That is a bug. And as big as a bug can get.

This makes PHP very much incorrect.

This is how the internet works. PHP needs to address this. PHP cannot
generate reliable sessions for all users until such time as this is
fixed.
In the meantime how about telling him how to avoid the bug?
Oct 30 '06 #5
On 26 Oct 2006 16:54:04 -0700, "magic_hat60622" <ma************@yahoo.com>
wrote:
> Hi all. I've got an app that dumps a user id into a session after
> successful login. The login page is http://www.mydomain.com/login.php.
>
> If the user visits pages on my site without the www (i.e.,
> http://mydomain.com/foo.php), the session works fine and login state is
> maintained.
>
> If he visits http://www.mydomain.com/foo.php, the app drops the
> logged-in state.
>
> Any idea how to fix this? I'm running PHP 4.4.1 w/ Linux Apache.

If you want to force the session cookie to apply to a wider scope, i.e. to
apply for the mydomain.com domain instead of just the host that issued it, then
you can use session_set_cookie_params to set the domain.

This may cause problems if you have other subdomains aside from the "www" one,
unless you really do want sessions shared across all of them.

--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Oct 30 '06 #6
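
The two fixes suggested in the replies above (redirect everything to one hostname, or widen the session cookie with session_set_cookie_params), sketched as an added example that is not part of any poster's message. It is written for PHP 7.1 or later; the `httponly` argument does not exist on the thread's PHP 4.4.1, and the constants and function names are assumptions made for illustration.

```php
<?php
// Added illustration; mydomain.com is the thread's placeholder domain.
const CANONICAL_HOST = 'www.mydomain.com';   // assumption: the www name is the one kept
const COOKIE_DOMAIN  = 'mydomain.com';       // used only by option 2

/**
 * Option 1 (one hostname everywhere): returns the URL to redirect to,
 * or null when the request already arrived on the canonical host.
 */
function canonical_redirect_target(string $hostHeader, string $requestUri, bool $https): ?string
{
    // Drop an optional port and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', $hostHeader));
    if ($host === CANONICAL_HOST) {
        return null;
    }
    // Build the target from the constant, never from the client-supplied
    // Host header, so a forged Host cannot steer the redirect elsewhere.
    $path = ($requestUri !== '' && $requestUri[0] === '/') ? $requestUri : '/';
    return ($https ? 'https' : 'http') . '://' . CANONICAL_HOST . $path;
}

/**
 * Option 2 (shared cookie): widen the session cookie to the parent domain.
 * Every host under mydomain.com will then receive the session ID.
 */
function start_domain_wide_session(bool $https): void
{
    // Arguments: lifetime (0 = until browser closes), path, domain, secure, httponly.
    session_set_cookie_params(0, '/', COOKIE_DOMAIN, $https, true);
    session_start();
}

if (PHP_SAPI !== 'cli') {
    $https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $target = canonical_redirect_target(
        $_SERVER['HTTP_HOST'] ?? '',
        $_SERVER['REQUEST_URI'] ?? '/',
        $https
    );
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    session_start();   // option 1: the default host-only cookie is enough
    // For option 2, skip the redirect above and call
    // start_domain_wide_session($https) instead of session_start().
}
```

Option 1 keeps the session cookie scoped to a single host; option 2 is only appropriate when every host under the domain is trusted with the session ID.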
On Fri, 27 Oct 2006 15:06:03 GMT, re****@otherlips.com wrote:
> In article <6a*****************@reader1.news.jippii.net>,
> sp**@outolempi.net says...
>> Sessions are per domain. For www.mydomain.com there is one session, and for
>> mydomain.com there is anothe
>
> A session is supposed to be a session with a particular host.
>
> Actually PHP uses host names for sessions if you look in PHPSESSID but it
> puts the domain name in by mistake. Hence his problem.

Here's an example cookie header from PHP 4.4.4:

Set-Cookie: PHPSESSID=94c296afc759879918361534d1b89014; path=/

It doesn't set the domain; it relies on the default, correct, behaviour that
the cookie applies to the host from which it was issued.

> Now that all "domains" are being registered both with AND without the
> particular service name (WWW FTP etc) - IE as host names - this is going
> to be a big problem for PHP if it isn't sorted real soon.

No it isn't, and neither is this new.

What do you suggest as the solution? That all session cookies should have
their domain set to the TLD of the host issuing them? Then you end up with the
sessions leaking across domains, which is much worse.

If you want to modify the properties of the session cookie for your particular
circumstances, PHP has the session_set_cookie_params function.

--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Oct 30 '06 #7
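
The cookie scoping described in the post above, as an added example that is not part of the thread: a simplified model of browser domain matching (RFC 6265, section 5.1.3) showing which hosts get a session cookie issued by www.mydomain.com, with and without a Domain attribute. The function names and the extra hostnames are constructed for illustration, and the model leaves out the browser's own rejection of invalid or public-suffix Domain values.

```php
<?php
/**
 * Would a browser send the cookie to $requestHost?
 * $issuer is the host that sent Set-Cookie; $domainAttr is the cookie's
 * Domain attribute, or null when the header had none (PHP's default).
 */
function cookie_is_sent(string $requestHost, string $issuer, ?string $domainAttr): bool
{
    $requestHost = strtolower($requestHost);
    if ($domainAttr === null || $domainAttr === '') {
        // No Domain attribute: host-only cookie, exact host match required.
        return $requestHost === strtolower($issuer);
    }
    $domain = strtolower(ltrim($domainAttr, '.'));   // a leading dot is ignored
    if ($requestHost === $domain) {
        return true;
    }
    // IP addresses never match by suffix.
    if (filter_var($requestHost, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // Suffix match on a label boundary: shop.mydomain.com matches,
    // notmydomain.com does not.
    return substr($requestHost, -strlen($domain) - 1) === '.' . $domain;
}

/** Map each host to whether it would receive the cookie. */
function scope_table(string $issuer, ?string $domainAttr, array $hosts): array
{
    $out = [];
    foreach ($hosts as $h) {
        $out[$h] = cookie_is_sent($h, $issuer, $domainAttr);
    }
    return $out;
}

// Constructed sample hosts; only the first two appear in the thread.
$hosts = ['www.mydomain.com', 'mydomain.com', 'shop.mydomain.com', 'notmydomain.com'];
foreach ([null, 'mydomain.com'] as $domainAttr) {
    echo 'Domain=', $domainAttr ?? '(absent)', "\n";
    foreach (scope_table('www.mydomain.com', $domainAttr, $hosts) as $h => $sent) {
        printf("  %-20s %s\n", $h, $sent ? 'cookie sent' : 'no cookie');
    }
}
```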
re****@otherlips.com wrote:
> In article <W_******************************@comcast.com>,
> js*******@attglobal.net says...
>> example.com and www.example.com are, by definition, two different hosts.
>> The fact they resolve to the same physical server is immaterial. PHP
>> is 100% correct in its operation.
>
> No
>
> example.com and www.example.com are the same host by both fact and hence
> definition. It is the domain being addressed not necessarily a physical
> machine I agree. However...

Actually, not. It is a common misconception. I can easily set up one
host as example.com - and it be an email server, for instance.
www.example.com could be on another machine. And ftp.example.com could,
obviously, be a third machine.

Back in the 70's and early 80's before the internet became a commodity
(and was generally known as arpanet), it was quite common to have the
email server set up as example.com. And depending on the size of the
company, you could also have ftp.example.com, gopher.example.com and others.

> The fact is that using www. as a prefix to a domain in order to
> address a web server on that host may not be formal syntax but it is
> formal by dint of common usage. Common usage for some time has been to
> address the same host in either manner. Anyone reserving a domain today
> will have both assigned and resolved as the same address making them
> interchangeable.

Common usage is not the same as the RFC's. RFC's determine what is a
host and what isn't. It is quite common to have www.example.com and
example.com point to the same host. But that does not change the fact
that they identify two different hosts - which just happens to be the
same machine.

Even Apache and IIS have to be set up to handle both www.example.com and
example.com. Setting up one does NOT set up the other.

> It is PHP that calls this a host and then provides 2 different answers as
> to what that host is called during the same connection. The fact that it
> comes up with 2 different answers to the same question during the same
> connection should be telling you something?

It is the RFC's which call this a host. PHP is following the RFC's in
its operation.

Of course, you can always put in a request to change the RFC's.

> That is a bug. And as big as a bug can get.
>
> This makes PHP very much incorrect.
>
> This is how the internet works. PHP needs to address this. PHP cannot
> generate reliable sessions for all users until such time as this is
> fixed.
> In the meantime how about telling him how to avoid the bug?

Yes, this is how the internet works. And PHP is working correctly.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Oct 30 '06 #8
In article <ks********************************@4ax.com>, an**@andyh.co.uk
says...
> What do you suggest as the solution? That all session cookies should have
> their domain set to the TLD of the host issuing them? Then you end up with the
> sessions leaking across domains, which is much worse.

You seem confused as to what PHP uses to track sessions. And the
difference between a host and a domain. PHP is using hosts, at least it
calls it a host in PHPSESSID, perhaps it should just use domains?

I suggest you all stop trying to disguise the massive bug in PHP.

The simple fact is - If you connect to a web site PHP will generate 2
different answers to the question "what is the name of the host I am now
connected to?"

It doesn't matter how it's configured or what it's called - PHP should not
generate 2 sessions under any circumstances. THAT is the bug - it does -
every time the situation (which is now commonplace) occurs.

This is the reason the originator of this thread has a problem.

That is a bug. A serious bug. It isn't as mentioned by someone elsewhere
a difficult concept.

The entire and sole purpose of a session is to enable tracking of a user
during that session. PHP generates 2 sessions thereby preventing this.
PHP is broke.

You can waffle on all you like but the bug is there - it's hard, it's
simple to reproduce, it's in every release of PHP, it causes lost data on
web sites and faults the average implementer has difficulty tracking
down, it confuses log on procedures thereby reducing site security, and
it's all because PHP can't determine the host name it's connected to
accurately and provides 2 values for the variable "HOST" in PHPSESSID
instead of one.

Stop waffling and arrange to sort it or a very public announcement will
need to be made to secure people's web sites.
Nov 1 '06 #9
In article <Jf******************************@comcast.com>,
js*******@attglobal.net says...
> Actually, not. It is a common misconception. I can easily set up one
> host as example.com - and it be an email server, for instance.
> www.example.com could be on another machine. And ftp.example.com could,
> obviously, be a third machine.

The point is this is not how it's done.
Nov 1 '06 #10
