session id changes in Textpattern based on URL

This was driving me crazy, but I've finally figured out what is
happening, but I'm not sure why. I had to implement some extra
security for a web site that has added a blog (Textpattern). Sorry I
can't give the address out because the site is a prototype and I've
signed a non-disclosure agreement. I would type in the URL
example.com, I would enter my user name and password, and browse the
site. When I clicked on the blog link it took me to the main blog
page, but clicking any of the other links to blog articles wouldn't
work. After using the LiveHTTPHeaders plugin for Firefox, I saw that
the PHPSESSID was changing every time I accessed the blog. However it
worked on other computers no problem. Come to find out if I entered
the URL with www.example.com (notice the www) everything worked
perfectly and the sessions never reset. I think Textpattern is calling
a page called css.php using the entire URL www.example.com which is
causing the session reset if I started browsing the site using the URL
example.com.

Is this typical for sessions? To check the session, I'm doing the
following:

session_start();

if (!isset($_SESSION['valid_user'])) {
die('Restricted access');
}

The books say this is the way to do it, but is it the best/right way
to do it?

Thanks!

wh*******@gmail.com wrote:

This was driving me crazy, but I've finally figured out what is
happening, but I'm not sure why. I had to implement some extra
security for a web site that has added a blog (Textpattern). Sorry I
can't give the address out because the site is a prototype and I've
signed a non-disclosure agreement. I would type in the URL
example.com, I would enter my user name and password, and browse the
site. When I clicked on the blog link it took me to the main blog
page, but clicking any of the other links to blog articles wouldn't
work. After using the LiveHTTPHeaders plugin for Firefox, I saw that
the PHPSESSID was changing every time I accessed the blog. However it
worked on other computers no problem. Come to find out if I entered
the URL with www.example.com (notice the www) everything worked
perfectly and the sessions never reset. I think Textpattern is calling
a page called css.php using the entire URL www.example.com which is
causing the session reset if I started browsing the site using the URL
example.com.

Is

In article <3f******************************@comcast.com>,
js*******@attglobal.net says...

>wh*******@gmail.com wrote:

>>This was driving me crazy, but I've finally figured out what is
happening, but I'm not sure why. I had to implement some extra
security for a web site that has added a blog (Textpattern). Sorry I
can't give the address out because the site is a prototype and I've
signed a non-disclosure agreement. I would type in the URL
example.com, I would enter my user name and password, and browse the
site. When I clicked on the blog link it took me to the main blog
page, but clicking any of the other links to blog articles wouldn't
work. After using the LiveHTTPHeaders plugin for Firefox, I saw that
the PHPSESSID was changing every time I accessed the blog. However it
worked on other computers no problem. Come to find out if I entered
the URL with www.example.com (notice the www) everything worked
perfectly and the sessions never reset. I think Textpattern is calling
a page called css.php using the entire URL www.example.com which is
causing the session reset if I started browsing the site using the URL
example.com.

Is

This is somewhat disturbing.

Given that this happens - how do you prevent it causing a problem - IE
how can you force this discrepancy to correct itself so the user session
always remains safe?

Butwww.example.comis different than example.com, and the browser won't
send a cookie from one to the other.

But when you say "calls a pages called css.php" - what do you mean? Is
this a redirect? An include? A link?

As for testing - yes, this is one way. I don't use die(), but the
concept is the same.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================

In article <3fednelwTe4PENTbnZ2dnUVZ_rCsn...@comcast.com>,
jstuck...@attglobal.net says...
This is somewhat disturbing.

Given that this happens - how do you prevent it causing a problem - IE
how can you force this discrepancy to correct itself so the user session
always remains safe?

In article <3fednelwTe4PENTbnZ2dnUVZ_rCsn...@comcast.com>,
jstuck...@attglobal.net says...

This is somewhat disturbing.

Given that this happens - how do you prevent it causing a problem - IE
how can you force this discrepancy to correct itself so the user session
always remains safe?

Does this problem affect everyone using Paypal & other services ?

I've now managed to replicate this on my test site and believe it may
well affect me but I have yet to find a solution. Nothing suggested so
far can solve this.

I use an ISP and have user access and execution rights but can't modify
either PHP.INI or apache startup files. (shared access means I'm not
allowed to re-start - obviously)

I have a site that communicates with paypal that sells data files
but I can't guarantee people will type in the WWW when they enter the
site (at whatever page) so they could start their session either with or
without it.

So I have a dilema - the required return address from paypal can either
include or exclude the WWW portion. It can't do both.

This means if there is a missmatch the sales transaction will fail.
Even worse - there is no way to identify that this was the cause
creating random transaction failures potentially (statistically over
time) of 50%

This is going to cost me money and I suspect everyone else using
any service such as this will suffer too.

This obviously isn't a minor problem.

If anyone can help - an idiots guide would be welcome ;-)