1

So I have a couple of sub-domains sharing the same session, right?

On sub-domain 1 (userpanel, editing info and stuff):

$_SESSION['user_id'] = 4;

On sub-domain 2 (see user profile):

$user_id = 8;

Back on sub-domain 1:

echo $_SESSION['user_id']; // output: 8!

How is $_SESSION['user_id'] set with the id 8?

Hope to learn something new ^_^

Gilly
  • Maybe you could take a look at this? http://php.net/manual/en/function.setcookie.php – Marcel Colomb Jan 15 '13 at 15:10
  • @BogdanBurim While true generally, it doesn't have to be. – Jonnix Jan 15 '13 at 15:13
  • 1
    Sounds like [register_globals](http://stackoverflow.com/questions/3593210/what-are-register-globals-in-php) is enabled in some (or all) of your sites :-? – Álvaro González Jan 15 '13 at 15:17
  • @ÁlvaroG.Vicario. Thanks! This was the cause. I always knew register_globals is a security issue, but never experienced it myself. But now I know :) If you answer I will accept – Gilly Jan 15 '13 at 15:34

3 Answers

1

It's not entirely clear from your code (did you mean $_SESSION['user_id'] = 8; in the second code snippet?), but if you have two subdomains that share cookies and have the same session ID (and use cookies for sessions), then you can modify sessions between the two.

This is possible by either setting the session cookie domain before doing any session related things (or outputting anything), or by setting a configuration option in php.ini for the cookie domain.

If you're passing the session ID around in other ways, such as the URL, and share it between subdomains this can happen too.

Telgin
  • I had indeed set session cookie domain to be able to share the sessions. The code you read is correct. I had set a $user_id. However on the sub-domain 2 there is no interference with the session['user_id']. – Gilly Jan 15 '13 at 15:31
1

You just do something like:

$_SESSION['sub_domain1']['user_id'] = 8;
$_SESSION['sub_domain2']['user_id'] = 4;

This is a solution for handling sessions with the namespaces of Zend Framework. You can create a class My_Session with __construct($namespace), then write the methods get and set to get your value from a key.

Update:
http://framework.zend.com/manual/1.12/en/zend.session.basic_usage.html

vietean
  • Cool, this is indeed a good way to prevent some sessions from interfering with others, but it is not the cause of my problem. (register_globals was) – Gilly Jan 15 '13 at 15:36
1

The symptoms you describe make me suspect that register_globals is enabled in some (or all) of your sites. When items in the $_SESSION array become global variables you get this kind of problem.

Community
Álvaro González
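
A check for the cause identified in the answer above, as an added example that is not part of the original thread: it scans PHP and Apache configuration text for an enabled register_globals directive, so each site sharing the session can be audited. The host names and file contents are constructed samples, and treating the last directive in a file as the effective one is an assumption.

```python
import re

# Values PHP treats as boolean true in ini files and php_flag directives.
TRUTHY = {"1", "on", "true", "yes"}

# php.ini / .user.ini form:  register_globals = On
INI_RE = re.compile(r"^\s*register_globals\s*=\s*\"?([^\s\";]*)", re.I)
# Apache / .htaccess form:   php_flag register_globals on
APACHE_RE = re.compile(
    r"^\s*php_(?:admin_)?(?:flag|value)\s+register_globals\s+\"?([^\s\"]+)", re.I)


def register_globals_setting(text):
    """Return True/False for the last register_globals directive, None if absent."""
    state = None
    for line in text.splitlines():
        if line.lstrip().startswith((";", "#")):  # ini and Apache comment lines
            continue
        m = INI_RE.match(line) or APACHE_RE.match(line)
        if m:
            # Assumption: a later directive in the same file overrides an earlier one.
            state = m.group(1).lower() in TRUTHY
    return state


def audit(configs):
    """Take a map of config name -> text; return sorted names where the flag is on."""
    return sorted(n for n, t in configs.items() if register_globals_setting(t))


# Constructed sample configs for two hypothetical sub-domains sharing a session.
SAMPLE_CONFIGS = {
    "panel.example.test/php.ini":
        "[PHP]\n; register_globals = On\nregister_globals = Off\n",
    "profile.example.test/.htaccess":
        "# legacy app\nphp_flag register_globals on\n",
    "profile.example.test/.user.ini":
        "session.cookie_domain = .example.test\n",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIGS):
        print("register_globals enabled:", name)
```

Any file reported here belongs to a site where a plain `$user_id = 8;` can overwrite `$_SESSION['user_id']` for every sub-domain that shares the session.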