Date: 01/24/01
- Next message: Andy Worthington: "[phplib] session mysql error message"
- Previous message: Daniel Bondurant: "[phplib] have_perm in auth_validatelogin()"
- In reply to: Alexandr E. Bravo: "Re: [phplib] menu.inc troubles under PHP4.04pl1"
- Next in thread: Vibol Hou: "RE: [phplib] URGENT: Crosslinked sessions between MS IE4.01 users"
- Reply: Vibol Hou: "RE: [phplib] URGENT: Crosslinked sessions between MS IE4.01 users"
We discovered this problem about a week ago and I'm at a loss to explain
what's happening. This also happens only to MS IE4 users.
When a user logs in from a fresh MSIE4 browser, and then logs off, and then
logs in again on the same browser (without closing it), the new connection
will load what appears to be a random session from the active_sessions table
and end up logged as whichever user created that session in the first place.
This obviously is a serious security problem; we've had external users of
our application end up logged as a system administrator and gain access to
private company data.
The session / user / perm classes are really off the shelf classes that do
nothing special other than load some custom info about the user from an
extra table.
Is this something that has been reported or heard of before? And perhaps
more important, does anyone have a suggestion to fix that problem? This
only happens with MSIE4. No other version of Explorer does that, and the
problem doesn't happen on any version of Netscape, Opera, or any other
browser we have tested.
Regards,
Pascal Jolin

