Client Clones and Server Sessions
By Tony Marston, 2005-05-06
Session Identities
It is important to note that HTTP itself is stateless: nothing in the protocol ties one request to an earlier one, let alone to a particular browser window on a particular device. It is therefore the responsibility of the web application to employ its own mechanism. PHP does this by allocating a new session identifier (session_id) to each new session and passing that value back in the response (normally as a cookie). A subsequent request from the same client, provided that it supplies the same session id, is automatically re-united with the session data that was previously stored under that id.
Note here that the identity of the client submitting the request is irrelevant - everything is controlled by the session identifier:
• Different client devices which quote the same session id will share the same session data. It is therefore possible for an attacker to 'hijack' somebody else's session simply by submitting a request that supplies their session id. The session id is in effect a bearer credential, so it must be unguessable and must not be exposed to third parties.
• Different browser instances on the same client device can only utilise separate sets of session data if each instance supplies a different session id.
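The following is an added example, not code from the original article, that models the behaviour described above so the two bullets can be exercised directly. It is a Python stand-in for PHP's server-side session handling, not PHP itself: `SessionStore`, `handle_request`, `scenario`, `fixation_check` and the made-up id `deadbeef` are all assumptions of the example, and the `strict_mode` switch models a later PHP setting (`session.use_strict_mode`) that did not exist when this article was written.

```python
import secrets


class SessionStore:
    """Model of PHP's server-side session handling (added example, not PHP).
    Session data is keyed by the session id alone: nothing about the device
    or browser instance that sent the request is recorded, so whoever quotes
    a known id is handed its data."""

    def __init__(self, strict_mode=False):
        self._data = {}          # session_id -> dict of session variables
        # Models session.use_strict_mode: when on, an id the server never
        # issued is discarded and a fresh one allocated instead of adopted.
        self.strict_mode = strict_mode

    def start(self, supplied_id):
        """Counterpart of session_start(). Returns (session_id, session_data)."""
        if supplied_id is not None:
            if supplied_id in self._data:
                # Known id: re-unite the request with the stored data.
                return supplied_id, self._data[supplied_id]
            if not self.strict_mode:
                # Non-strict behaviour: adopt whatever id the client quoted
                # and create empty data for it (the fixation-prone default).
                self._data[supplied_id] = {}
                return supplied_id, self._data[supplied_id]
        new_id = secrets.token_hex(16)   # unguessable, like PHP's own ids
        self._data[new_id] = {}
        return new_id, self._data[new_id]


def handle_request(store, cookie_sid, login_as=None):
    """One HTTP request. The only client state is the session id it supplies
    (a constructed stand-in for the session cookie or URL parameter).
    Returns the id the response would send back and the logged-in user."""
    sid, data = store.start(cookie_sid)
    if login_as is not None:
        data["user"] = login_as
    return sid, data.get("user")


def scenario():
    """Constructed sequence of requests illustrating both bullets above."""
    store = SessionStore()
    # Browser A, device 1: no id yet, so a new session is allocated and a
    # user logs into it.
    sid_a, _ = handle_request(store, None, login_as="alice")
    # Browser A again, quoting its id: re-united with the stored data.
    _, user_a = handle_request(store, sid_a)
    # A different device quoting the same id gets exactly the same data:
    # the session is hijacked without presenting any credential.
    _, user_hijacker = handle_request(store, sid_a)
    # Browser B on device 1, which cannot supply A's id, gets a separate,
    # empty session.
    sid_b, user_b = handle_request(store, None)
    return {"sid_a": sid_a, "user_a": user_a, "user_hijacker": user_hijacker,
            "sid_b": sid_b, "user_b": user_b}


def fixation_check(strict_mode):
    """Does the server adopt an id the client simply made up?
    True if it kept the client-chosen id 'deadbeef', False if it issued its own."""
    store = SessionStore(strict_mode=strict_mode)
    sid, _ = handle_request(store, "deadbeef")
    return sid == "deadbeef"


if __name__ == "__main__":
    print(scenario())
    print("non-strict adopts client id:", fixation_check(False))
    print("strict adopts client id:", fixation_check(True))
```

The hijack in `scenario` succeeds purely because the store has no notion of who is asking; `fixation_check` shows the related risk of accepting an id the server never issued, which is why an application should only trust ids it generated itself.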
