
uniqueness of session


If two PCs from the same router connect to my web server, will unique
session IDs be generated for each connection?

In fact, is there an article talking about how PHP generates session
cookies?

--
iTech Consulting Services Limited
Expert of ePOS solutions
Website: http://www.itech.com.hk (IE only)
Tel: (852)2325 3883 Fax: (852)2325 8288
Apr 26 '07 #1
10 1693
Man-wai Chang wrote:
> If two PCs from the same router connect to my web server, will unique
> session IDs be generated for each connection?
>
> In fact, is there an article talking about how PHP generates session
> cookies?

No article I know of. But you will get two different session id's.

You'll also get two session id's if the user uses two different browsers
(i.e. IE and Firefox) from the same computer.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Apr 26 '07 #2
> No article I know of. But you will get two different session id's.
> You'll also get two session id's if the user uses two different browsers
> (i.e. IE and Firefox) from the same computer.

Thanks. Guess I have to read the source codes of PHP to find it out then
... :)

--
iTech Consulting Services Limited
Expert of ePOS solutions
Website: http://www.itech.com.hk (IE only)
Tel: (852)2325 3883 Fax: (852)2325 8288
Apr 26 '07 #3
Man-wai Chang wrote:
>> No article I know of. But you will get two different session id's.
>> You'll also get two session id's if the user uses two different
>> browsers (i.e. IE and Firefox) from the same computer.
>
> Thanks. Guess I have to read the source codes of PHP to find it out then
> ... :)

It has nothing to do with the source code for PHP. It's how browsers work.

The browser keeps track of the session id, generally in a cookie (if
cookies aren't supported PHP uses the GET parameters). Two different
computers cannot share the same cookie - and therefore the same session id.

It has nothing to do with ip addresses at all (which are not unique and
may change at any time).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Apr 26 '07 #4
On Apr 26, 4:52 am, Man-wai Chang <toylet.toy...@gmail.com> wrote:
>> No article I know of. But you will get two different session id's.
>> You'll also get two session id's if the user uses two different browsers
>> (i.e. IE and Firefox) from the same computer.
>
> Thanks. Guess I have to read the source codes of PHP to find it out then
> ... :)
>
> --
> iTech Consulting Services Limited
> Expert of ePOS solutions
> Website: http://www.itech.com.hk (IE only)
> Tel: (852)2325 3883 Fax: (852)2325 8288

they are only statistically unique of course, but we are talking about
1 in 36^32 for php.
there have been various discussions about comparisons between .net php
j2ee session ids.
see here for instance on how to test their relative strengths:
http://www.owasp.org/index.php/How_t...with_WebScarab
and here for more on the security aspects of session identifiers, (as
of course the non collision is but one [solved] aspect)
http://www.owasp.org/index.php/Session_Management

Apr 26 '07 #5
Rik
Jerry Stuckle wrote:
> Man-wai Chang wrote:
>>> No article I know of. But you will get two different session id's.
>>> You'll also get two session id's if the user uses two different
>>> browsers (i.e. IE and Firefox) from the same computer.
>>
>> Thanks. Guess I have to read the source codes of PHP to find it out
>> then ... :)
>
> It has nothing to do with the source code for PHP. It's how browsers work.
>
> The browser keeps track of the session id, generally in a cookie (if
> cookies aren't supported PHP uses the GET parameters). Two different
> computers cannot share the same cookie - and therefore the same session id.
>
> It has nothing to do with ip addresses at all (which are not unique and
> may change at any time).

To elaborate:
When you 'start' a session, and the browser hasn't given the server a
session-id, a new session will be created, of which the server knows
it's not currently in use. Different browsers on a computer cannot check
each other's session-id's (well, they could, but that's not implemented
and probably never will be simply because it's not useful). So they get
different ones. This also means a browser which doesn't accept and/or
get a session-id will make the server start a new session on every request.

Simplest way to view it: a _program_ (normally browser) is communicating
with the server, not your computer, or your router, or your modem.
Although some ill-advised people often want to make it appear
(/implement) as such.
--
Rik Wasmus

Estimated date being able to walk again: 01-05-2007.
Less than a week, hurray!
Apr 26 '07 #6
On Apr 26, 4:23 am, Man-wai Chang <toylet.toy...@gmail.com> wrote:
> If two PCs from the same router connect to my web server, will unique
> session IDs be generated for each connection?
>
> In fact, is there an article talking about how PHP generates session
> cookies?
>
> --
> iTech Consulting Services Limited
> Expert of ePOS solutions
> Website: http://www.itech.com.hk (IE only)
> Tel: (852)2325 3883 Fax: (852)2325 8288

answering a similar point - that of /can/ you use the same session
identifier on two browsers, the answer is yes for the most part. so if
your router is admin'd by someone you don't trust, it is more than
possible for the session id to be reused (replayed) so that your
session is active on two different machines. This is partly the reason
why the sessions space is so large, the sparseness of the space makes
session id prediction unlikely, the randomness adds to this
unlikeliness. But none of this prevents your session ID from being
reused, so if you have a hub somewhere on your network, you are
allowing other users to sniff your session ids, which are often used
as "authenticators" so allowing session hijacking.
all these concerns come into play and so you shouldn't really feel too
secure if you don't admin the router, or if your router is not patched
with the latest firmware, and is the reason why routers while often
ignored, are a vital consideration when considering security. toodle
pip. m

Apr 26 '07 #7
The INI setting session.use_cookies can be used to disable the use of
cookies for storing the session id remotely, and then I guess PHP will
just rely on the IP address and (probably) User-Agent header. In this
case, it may use the same session id for two computers under the same
router.

Apr 26 '07 #8
On Apr 26, 11:54 pm, Mike P2 <sumguyovrt...@gmail.com> wrote:
> The INI setting session.use_cookies can be used to disable the use of
> cookies for storing the session id remotely, and then I guess PHP will
> just rely on the IP address and (probably) User-Agent header. In this
> case, it may use the same session id for two computers under the same
> router.

in this case the application is responsible for maintaining state,
which means that if the application does not send the sess id in the
url/hidden input/cookie and receive it and maintain it server side in
a file/database then a session won't be started/maintained.

Apr 26 '07 #9
> The INI setting session.use_cookies can be used to disable the use of
> cookies for storing the session id remotely, and then I guess PHP will
> just rely on the IP address and (probably) User-Agent header. In this
> case, it may use the same session id for two computers under the same
> router.

It won't. Instead, PHP will rewrite your HTML output to inject the
session parameter in your forms, URLs, etc. So when you switch off
cookie-based session ID communication, PHP will try to use GET or POST.

Best regards,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/
Apr 27 '07 #10
On Apr 27, 8:09 am, Willem Bogaerts <w.bogae...@kratz.maardanzonderditstuk.nl> wrote:
>> The INI setting session.use_cookies can be used to disable the use of
>> cookies for storing the session id remotely, and then I guess PHP will
>> just rely on the IP address and (probably) User-Agent header. In this
>> case, it may use the same session id for two computers under the same
>> router.
>
> It won't. Instead, PHP will rewrite your HTML output to inject the
> session parameter in your forms, URLs, etc. So when you switch off
> cookie-based session ID communication, PHP will try to use GET or POST.

this only happens if
session.use_trans_sid = 1
which it should not be (for security reasons)
allowing the rewriter to be active is a real issue, so for earlier
versions of php, yes this will come into play and various parts of the
html might be altered, but for later php versions, this doesn't happen,
which is much safer!

> Best regards,
> --
> Willem Bogaerts
>
> Application smith
> Kratz B.V. http://www.kratz.nl/

Apr 27 '07 #11
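
A simplified model of the behaviour discussed in this thread, added here as an example (it is not from any poster and is not PHP's own implementation): the server keys sessions on the ID the client program presents, never on the IP address. The names `SessionServer`, `Browser` and `demo`, and the IP addresses, are constructed for illustration.

```python
import secrets

class SessionServer:
    """Simplified model of cookie-based sessions (an assumption, not PHP's code)."""
    def __init__(self):
        self.sessions = {}  # session id -> per-session data

    def handle(self, client_ip, cookie_sid=None):
        # client_ip is accepted only to show it plays no part in the lookup.
        if cookie_sid in self.sessions:
            sid = cookie_sid  # known id: resume that session
        else:
            sid = secrets.token_hex(16)  # no or unknown id: issue a fresh random one
            self.sessions[sid] = {"hits": 0}
        self.sessions[sid]["hits"] += 1
        return sid

class Browser:
    """A client program with its own cookie jar (hypothetical helper)."""
    def __init__(self, ip, accepts_cookies=True):
        self.ip, self.accepts_cookies, self.sid = ip, accepts_cookies, None

    def request(self, server):
        sid = server.handle(self.ip, self.sid)
        if self.accepts_cookies:
            self.sid = sid  # store the id and send it back next time
        return sid

def demo():
    server = SessionServer()
    nat_ip = "203.0.113.7"  # constructed address: both PCs sit behind one router
    pc1, pc2 = Browser(nat_ip), Browser(nat_ip)
    no_cookies = Browser(nat_ip, accepts_cookies=False)
    result = {
        "pc1": [pc1.request(server), pc1.request(server)],
        "pc2": [pc2.request(server), pc2.request(server)],
        "no_cookies": [no_cookies.request(server), no_cookies.request(server)],
    }
    # A different program on a different address that presents pc1's id is
    # treated as pc1's session, so the id must be protected in transit.
    other = Browser("198.51.100.9")
    other.sid = pc1.sid
    result["replayed"] = other.request(server)
    result["pc1_hits"] = server.sessions[pc1.sid]["hits"]
    return result
```

In the result, `pc1` and `pc2` each keep one ID across their requests but differ from each other, the cookie-less client gets a new ID on every request, and the replayed ID lands in `pc1`'s session.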
