i'm working with sessions in PHP, and i have different applications on single domain. Problem is, that cookies are domain specific, and so session ids are sent to any page on single domain. (i don't know if there is a way to make cookies work in different way). So Session variables are visible in every page on this domain. I'm trying to implement custom session manager to overcome this behavior, but i'm not sure if i'm thinking about it right.
I want to completely avoid PHP session system, and make a global object, which would store session data and on the end of script save it to database.
- On first access i would generate unique session_id and create a cookie
- On the end of script save session data with session_id, timestamps for start of session and last access, and data from $_SERVER, such as REMOTE_ADDR, REMOTE_PORT, HTTP_USER_AGENT.
- On every access chceck database for session_id sent in cookie from client, check IP, Port and user agent (for security) and read data into session variable (if not expired).
- If session_id expired, delete from database.
That session variable would be implemented as singleton (i know i would get tight coupling with this class, but i don't know about better solution).
I'm trying to get following benefits:
- Session variables invisible in another scripts on the same server and same domain
- Custom management of session expiration
- Way to see open sessions (something like list of online users)
i'm not sure if i'm overlooking any disadvantages of this solution. Is there any better way?
Thank you!!
UPDATE: i did not explain it in enough detail and caused a lot of confusion here, so i want to make clearer what i'm dealing with:
I'm building SOA server application, which would be deployed in many different enviroments. It won't have it's own webserver, so in those enviroments there could be another PHP applications. Employees of these companies will have user accounts in this application, so they will obtain a cookie with session Id into this application.
As we know, webserver running PHP when loading session data doesn't make difference (at least by default) what script from which directory created session. All it needs is a session ID. This session ID is sent with each request from client to server. From your answers i got a way, how could PHP restrict cookies for certain directory, but malicious user is able to edit cookie, because it's stored in his computer. Malicious user in my case can have access to write and execute php script in the same environment, although not having access to my application and it's database. If he create a script, he could use Session id from cookie of my application, thus he has access to read and edit session data on my application and gain access to parts of my application, that he shouldn't be allowed to.
I see there will be another security threats in deploying application in such environment, what i'm going for is the best isolation i could do, and default session handling seems too dangerous and not designed for uses like this.
So my question is, if you see something, which is less secure, less flexible in my design, than it would be with default session management..
Thank you for your answers,..
