Subject: RE: [phplib] URGENT: Crosslinked sessions between MS IE4.01 users
From: Vibol Hou (vhou <email protected>)
Date: 01/26/01

Sounds like you've scrutinized the classes pretty well. Have you tried
turning off caching in the session class?

--
Vibol Hou
KhmerConnection, http://khmer.cc
"Connecting Cambodian Minds, Art, and Culture"

-----Original Message-----
From: Pascal Jolin [mailto:pjolin <email protected>]
Sent: Wednesday, January 24, 2001 12:03 PM
To: phplib <email protected>
Subject: [phplib] URGENT: Crosslinked sessions between MS IE4.01 users

We discovered this problem about a week ago and I'm at a loss to explain what's happening. This also happens only to MS IE4 users.

When a user logs in from a fresh MSIE4 browser, and then logs off, and then logs in again on the same browser (without closing it), the new connection will load what appears to be a random session from the active_sessions table and end up logged as whichever user created that session in the first place.

This obviously is a serious security problem; we've had external users of our application end up logged as a system administrator and gain access to private company data.

The session / user / perm classes are really off the shelf classes that do nothing special other than load some custom info about the user from an extra table.

Is this something that has been reported or heard of before? And perhaps more important, does anyone have a suggestion to fix that problem? This only happens with MSIE4. No other version of explorer does that, and the problem doesn't happen on any version of Netscape, Opera, or any other browser we have tested.

Regards,

Pascal Jolin
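As an added illustration (not PHPLIB's code, and not a diagnosis of the report above), this sketches the invariants a server-side session table should hold whichever browser is talking to it: a login always mints a fresh unguessable identifier and ignores whatever the browser presented, a logout deletes the row on the server rather than only clearing the cookie, and a lookup is only ever by exact identifier, so a stale or reused cookie value can never resolve to some other user's row. The `SessionStore` class, its method names and the sample users are assumptions made for the example; the rows stand in for an active_sessions-style table.

```python
import secrets
import time


class SessionStore:
    """In-memory stand-in for a server-side session table (constructed for illustration).

    rows maps session id -> {"user": <name>, "created": <timestamp>}.
    A clock callable is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self.rows = {}
        self.ttl = ttl_seconds
        self.clock = clock

    def login(self, presented_sid, user):
        """Authenticate `user` and return a brand-new session id.

        The id the browser presented (if any) is discarded and its row removed,
        so an identifier that existed before authentication never survives it.
        """
        if presented_sid is not None:
            self.rows.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.rows[sid] = {"user": user, "created": self.clock()}
        return sid

    def logout(self, sid):
        """Invalidate on the server side; a cookie deletion alone leaves the row alive."""
        self.rows.pop(sid, None)

    def resolve(self, sid):
        """Return the user bound to `sid`, or None if unknown or expired.

        Lookup is by exact key only: there is no fallback that picks "a" row.
        """
        row = self.rows.get(sid)
        if row is None:
            return None
        if self.clock() - row["created"] > self.ttl:
            del self.rows[sid]
            return None
        return row["user"]


def stale_cookie_scenario(store=None):
    """Replay the login / logout / login-again sequence from the report and
    return what each identifier resolves to afterwards."""
    store = store or SessionStore()
    admin_sid = store.login(None, "admin")          # an unrelated, still-active session
    first_sid = store.login(None, "alice")           # fresh browser, first login
    store.logout(first_sid)                          # user logs off
    second_sid = store.login(first_sid, "alice")     # same browser presents the old id
    return {
        "stale_resolves_to": store.resolve(first_sid),   # expected None
        "new_resolves_to": store.resolve(second_sid),    # expected "alice"
        "ids_differ": first_sid != second_sid,           # expected True
        "admin_untouched": store.resolve(admin_sid),     # expected "admin"
    }


if __name__ == "__main__":
    print(stale_cookie_scenario())
```

The point of `stale_cookie_scenario` is that after logout the old identifier resolves to nothing, the re-login gets an identifier unrelated to it, and the unrelated administrator session is never reachable through either: whatever a browser re-sends, the server only answers for keys it minted and still holds.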

--------------------------------------------------------------------- To unsubscribe, e-mail: phplib-unsubscribe <email protected> For additional commands, e-mail: phplib-help <email protected>