Span session over multiple machines

Brought to you by: nhruby, richardarcher

Span session over multiple machines

Forum: Open Discussion

Creator: Tim Morton

Created: 2002-11-19

Updated: 2002-11-19

Tim Morton - 2002-11-19

I wrote a few lines to extend session.inc which allows me to carry a session from www.somedomain.com to my.somedomain.com. I was wondering if I might have introduced any security concerns by doing so.

FYI here is the code that I put in local.inc:

class Example_Session extends Session {
var $classname = "Example_Session";

var $cookiename     = "";                ## defaults to classname
var $magic          = "Hocuspocus";      ## ID seed
var $mode           = "cookie";          ## We propagate session IDs with cookies
var $fallback_mode = "get";
var $lifetime       = 0;                 ## 0 = do session cookies, else minutes
var $that_class     = "Example_CT_Sql"; ## name of data storage container
var $gc_probability = 5;
}

class Global_Session extends Example_Session {

function get_id($id = "") {
    global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $QUERY_STRING;
    $newid=true;

    // either new 'reassign' mode or 'cookie' mode (use session id in URL to change domains)
    $this->mode = isset($HTTP_GET_VARS[$this->name]) ? "reassign" : "cookie";

    $this->name = $this->cookiename==""?$this->classname:$this->cookiename;

    if ( "" == $id ) {
      $newid=false;
      switch ($this->mode) {
        case "reassign":      // fall through to "get" (obtain id via "get" method)
        case "get":
          if ("" == ($id = isset($HTTP_GET_VARS[$this->name]) ? $HTTP_GET_VARS[$this->name] : ""))
            $id = isset($HTTP_POST_VARS[$this->name]) ? $HTTP_POST_VARS[$this->name] : "";
        break;
        case "cookie":
          $id = isset($HTTP_COOKIE_VARS[$this->name]) ? $HTTP_COOKIE_VARS[$this->name] : "";
        break;
        default:
          die("This has not been coded yet.");
        break;
      }
    }

    if ( "" == $id ) {
      $newid=true;
      $id = $this->that->ac_newid(md5(uniqid($this->magic)), $this->name);
    }

    switch ($this->mode) {
      case "reassign":      $newid=true;
                      $this->mode = "cookie"; // leave things the way I found it...
                      // fall through to "cookie" (reassign always assumes cookie mode)
      case "cookie":
        if ( $newid && ( 0 == $this->lifetime ) ) {
          SetCookie($this->name, $id, 0, "/", $this->cookie_domain);
        }
        if ( 0 < $this->lifetime ) {
          SetCookie($this->name, $id, time()+$this->lifetime*60, "/", $this->cookie_domain);
        }
      break;
      case "get":
        if ( isset($QUERY_STRING) ) {
          $QUERY_STRING = ereg_replace(
            "(^|&)".quotemeta(urlencode($this->name))."=".$id."(&|$)",
            "\\1", $QUERY_STRING);
        }
      break;
      default:
        ;
      break;
    }

    $this->id = $id;
}
}

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.