sessions - two with same session ID at the same time

  • windandwaves

    sessions - two with same session ID at the same time

    Hi Folk

    I just had a brainwave. I leave a session cookie on someone's machine so
    that I recognise them (with their session ID in the cookie) when they come
    back, I also offer them the option to have an email sent to their email
    address with a link that sets the session ID to the one in the emailed link
    so that they can open their account from another computer.

    Now, my question is, can you have two users on different computers be on the
    website at the same time with the same session ID?


  • d

    #2
    Re: sessions - two with same session ID at the same time

    "windandwaves" <winandwaves@coldmail.com> wrote in message
    news:tiqzf.15954$vH5.843423@news.xtra.co.nz...
    > Hi Folk
    >
    > I just had a brainwave. I leave a session cookie on someone's machine so
    > that I recognise them (with their session ID in the cookie) when they come
    > back, I also offer them the option to have an email sent to their email
    > address with a link that sets the session ID to the one in the emailed
    > link so that they can open their account from another computer.
    >
    > Now, my question is, can you have two users on different computers be on
    > the website at the same time with the same session ID?

    There's nothing to stop you trying it out! Remember, you can use two
    different browsers on one machine to simulate two computers for testing
    purposes.

    If there's a mechanism for logging in, then that's completely unnecessary...
    do you have that?

    I'm not sure I understand what you're actually trying to achieve ;)



    • windandwaves

      #3
      Re: sessions - two with same session ID at the same time

      d wrote:
      > "windandwaves" <winandwaves@coldmail.com> wrote in message
      > news:tiqzf.15954$vH5.843423@news.xtra.co.nz...
      >> Hi Folk
      > I'm not sure I understand what you're actually trying to achieve ;)

      I guess what I am wondering is if it is a (potential) problem if two people are
      using the same session ID and if so, what are these problems.

      TIA

      - Nicolaas



      • onedbguru@firstdbasource.com

        #4
        Re: sessions - two with same session ID at the same time

        If you are using a login mechanism (mysql, flat-file, whatever), store
        this session information where you have control over it - you cannot
        rely on the user being on the same computer every time they access your
        site (i.e. home computer, work computer, etc.).

        Michael Austin
        Consultant


        • R. Rajesh Jeba Anbiah

          #5
          Re: sessions - two with same session ID at the same time

          windandwaves wrote:
          <snip>
          > I guess what I am wondering is if it is a (potential) problem if two people are
          > using the same session ID and if so, what are these problems.

          Google for session hijacking.

          --
          <?php echo 'Just another PHP saint'; ?>
          Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/


          • d

            #6
            Re: sessions - two with same session ID at the same time

            "windandwaves" <winandwaves@coldmail.com> wrote in message
            news:toBzf.16039$vH5.854101@news.xtra.co.nz...
            >d wrote:
            >> "windandwaves" <winandwaves@coldmail.com> wrote in message
            >> news:tiqzf.15954$vH5.843423@news.xtra.co.nz...
            >>> Hi Folk
            >> I'm not sure I understand what you're actually trying to achieve ;)
            >
            > I guess what I am wondering is if it is a (potential) problem if two people
            > are using the same session ID and if so, what are these problems.

            If you use a non-locking session handler (i.e. not the default file-based
            sessions), you'll technically be ok. Whether it's a good idea or not is up
            to you ;)

            > TIA
            >
            > - Nicolaas
            >



            • Gordon Burditt

              #7
              Re: sessions - two with same session ID at the same time

              >I guess what I am wondering is if it is a (potential) problem if two people are
              >using the same session ID and if so, what are these problems.

              They have the same set of session variables, which they both change.

              This can be a problem with, say, a shopping cart application.
              You could end up with one frustrated user repeatedly adding
              a football jersey and deleting knitting needles, and the other
              user repeatedly adding knitting needles and deleting the football
              jersey.

              Depending on how you handle logouts, if one logs out, it kills the
              session for the other one.

              If you have a "password change" feature, either user probably ends
              up changing the password for both.

              If the site has a mailbox feature, they share the same mailbox, read
              each other's mail, and send mail from the same identity.

              Gordon L. Burditt
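
Added example, not part of any post in this thread: one way to let a user open their account from a second computer without both browsers sharing one session ID. The emailed link carries a short-lived, single-use token instead of the session ID, and the second browser gets its own freshly generated session. The function names, `TOKEN_TTL` and the in-memory `$store` array (standing in for a database table) are assumptions made for this sketch.

```php
<?php
// Added example: hypothetical helper names; $store stands in for a database table.

const TOKEN_TTL = 900; // seconds an emailed link stays valid (assumed value)

// Create a random single-use token for $userId; only its hash is stored.
function issueLoginToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + TOKEN_TTL];
    return $token; // goes into the emailed link instead of the session ID
}

// Redeem a token: returns the user id once, null for unknown, expired or reused tokens.
function redeemLoginToken(array &$store, string $token, int $now): ?int
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $row = $store[$key];
    unset($store[$key]); // single use: the link is dead after the first attempt
    return $row['expires'] >= $now ? $row['user'] : null;
}

// On the second computer: give that browser its own session for the user.
function loginWithToken(array &$store, string $token): bool
{
    $userId = redeemLoginToken($store, $token, time());
    if ($userId === null) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);    // fresh ID, never the one used on the other machine
    $_SESSION['user_id'] = $userId; // shared data (cart, mailbox) lives in the DB, keyed by user
    return true;
}

// Constructed demo for the CLI: the same link is accepted once, then rejected.
$store = [];
$token = issueLoginToken($store, 42, time());
var_dump(redeemLoginToken($store, $token, time())); // first use
var_dump(redeemLoginToken($store, $token, time())); // replay of the same link
```

With this layout each browser holds its own session ID, so logging out on one machine does not end the session on the other, and a forwarded or leaked email does not hand over a live session.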
