I have seen that I can change the browser and continue to keep the information stored in the session if I assign it with session_id(sid).
I have prepared the following script and it works correctly to keep the session of the sid that I want.
<?php
// The session must be started before session_id() returns anything
// (without session_start() the first echo prints an empty string, and
// session_destroy() warns about an uninitialized session).
session_start();
echo session_id();

if (isset($_GET['sid']) && $_GET['sid'] !== session_id()) {
    session_destroy();            // drop the current session
    session_id($_GET['sid']);     // adopt the requested id...
    session_start();              // ...and load that session's data
}

echo '<br/>' . session_id();
?>
<!-- print_r() already outputs; <?= would additionally echo its return value ("1") -->
<pre><?php print_r($_SESSION); ?></pre>
<pre><?php print_r($_COOKIE); ?></pre>
Possible problems and solutions:
- Problem 01: Any string used in $_GET['sid'] ends up generating a session and therefore a file in C:/PHPSSID/sess_xxxxx. Someone could generate a loop and fill the server with content.
  Solution: Is it possible to check if a sid exists? If the session exists, then it is used; otherwise nothing is done. But I have not found any function similar to session_id_exists. I think the only possibility would be to check manually whether the file exists. Is there another solution?
- Problem 02: In addition to the previous problem, are there any more security breaches? Is it easy for someone to generate the existing sid of another user? I think it generates 26 digits.
Documentation http://php.net/manual/en/function.session-id.php
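The following is an added example written for this question, not code from the question or from PHP's documentation. It addresses both problems: a client-supplied sid is accepted only if it is well formed and a matching session already exists (Problem 01), and the session id settings are tightened so ids are long and drawn from PHP's CSPRNG (Problem 02). The existence check assumes the default `files` save handler, so a session is stored as `session_save_path()/sess_<id>`; the function names `isWellFormedSid` and `sessionFileExists` are my own. The `session.sid_length` and `session.sid_bits_per_character` settings require PHP 7.1 or later.

```php
<?php
// Added example (not from the question): switch to a client-supplied sid only
// when it is plausible AND already exists server-side, so arbitrary strings
// never create new session files.
declare(strict_types=1);

// Reject anything that is not shaped like a PHP session id before touching the
// filesystem. PHP ids use [0-9a-v] (5 bits/char) or [0-9a-zA-Z,-] (6 bits/char);
// this pattern covers both and bounds the length.
function isWellFormedSid(string $sid): bool
{
    return (bool) preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $sid);
}

// Existence check for the default "files" handler only. Other handlers
// (redis, memcached, a custom SessionHandlerInterface) need their own lookup.
function sessionFileExists(string $sid): bool
{
    $path = session_save_path() ?: sys_get_temp_dir();
    // save_path may be "N;/dir" (directory-depth prefix); keep only the dir part.
    $pos = strrpos($path, ';');
    if ($pos !== false) {
        $path = substr($path, $pos + 1);
    }
    return is_file($path . DIRECTORY_SEPARATOR . 'sess_' . $sid);
}

// Hardening for Problem 01/02, applied before session_start():
// - use_strict_mode: PHP refuses an uninitialized id sent by the browser and
//   issues a fresh one instead of creating a file for the attacker's string.
// - use_only_cookies: ids in the URL are not picked up automatically.
// - sid_length / sid_bits_per_character: longer ids, 6 bits of entropy per
//   character (48 chars * 6 bits = 288 bits), infeasible to guess.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');

session_start();
$before = session_id();

if (isset($_GET['sid']) && $_GET['sid'] !== session_id()) {
    $requested = (string) $_GET['sid'];
    if (isWellFormedSid($requested) && sessionFileExists($requested)) {
        session_write_close();        // release the current session cleanly
        session_id($requested);       // adopt the known, existing id
        session_start();
    } else {
        // Unknown or malformed id: do nothing and keep the current session.
        // Log a truncated value so the log itself does not leak full ids.
        error_log('session switch rejected for sid prefix ' . substr($requested, 0, 8));
    }
}

echo $before . '<br/>' . session_id();
```

With these settings in place, a loop over random `sid` values produces no new files: malformed values fail the pattern, well-formed but unknown values fail the existence check, and anything the browser sends on its own is handled by strict mode. If the session store is not the `files` handler, replace `sessionFileExists` with a lookup against that store, or rely on `session.use_strict_mode` alone, which delegates the check to the configured handler.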