Web Hosting Talk

problem with php sessions. Huge security hole. need help.


recko11
10-20-2005, 06:05 PM
I've got a programmer who coded a PHP application for me; however, we have the following issues.

When you first try to open the application it asks for username and login. It then creates a PHP session for the rest of the webadmin pages.

Problem is, the session seems to be IP based, and when I close the browser or log in from a separate computer on the same network (i.e. same IP address) it allows me in without asking for username and password.

Is this normal, that PHP sessions work off the IP address and not the specific computer/browser session?

Let me know your thoughts; this seems VERY insecure to me.

ZiDev
10-20-2005, 07:47 PM
It would only do that until the session expires, which should be configurable in php.ini. session.cookie_lifetime is one place to start looking.

Hope this helps,
-- HW

recko11
10-20-2005, 07:50 PM
So this is normal?

Is there any way to configure PHP so that it doesn't allow this, and makes sessions based on the computer, not the IP?

I mean, if they log on at a public wifi spot, anyone else on the same wifi spot would be able to get on the site without logging in.

shoperotic
10-20-2005, 08:22 PM
No, it is not normal. A session is propagated by a session ID cookie, sent by the browser with each request. So on a single computer, if you log in in Firefox and open the same site in IE, it is not normal to be logged in in IE also.
So the problem seems to be in your script; check the authentication function and workflow.

fusionrays
10-20-2005, 08:25 PM
You should read the "Sessions and Security" section here:

http://ca3.php.net/manual/en/ref.session.php

You can use the session.use_only_cookies php.ini setting to force cookies to be used to determine sessions. This way the session ID is stored in the cookie. Any user without the session ID in their cookie is not logged in and does not have a session.

recko11
10-20-2005, 08:37 PM
If we switch over this PHP setting, will it simply create the cookie when the program attempts to set up a PHP session, or will the PHP script need to be modified to create its own cookies and whatnot?

fusionrays
10-21-2005, 02:06 AM
Originally posted by recko11
If we switch over this PHP setting, will it simply create the cookie when the program attempts to set up a PHP session, or will the PHP script need to be modified to create its own cookies and whatnot?

If the script uses the sessions functionality provided by PHP, i.e. $_SESSION variables, then switching the PHP setting should automatically place a cookie in the browser without any additional code changes.
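As an added example (not the poster's application or any code from the thread), the cookie-only configuration fusionrays describes, together with the inactivity sign-out that Burhan suggests further down, written on top of PHP's built-in $_SESSION handling. It targets current PHP: session.use_strict_mode and session.cookie_samesite postdate this 2005 thread. The cookie name, the idle limit, the redirect target and the checkCredentials() credential store are assumptions made for the example.

```php
<?php
// Added example, not code from the original thread.
// Cookie-only sessions (session.use_only_cookies) plus an inactivity sign-out.
// Assumptions: cookie name, idle limit, redirect target, credential store.

declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 900; // 15 minutes without a request logs the user out

function configureSession(): void
{
    // Each ini_set() below corresponds to the same-named php.ini directive
    // and must run before session_start().
    ini_set('session.use_only_cookies', '1');  // never accept ?PHPSESSID=... from the URL
    ini_set('session.use_trans_sid', '0');     // never append the ID to links or forms
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued (PHP >= 5.5.2)
    ini_set('session.cookie_httponly', '1');   // scripts in the page cannot read the cookie
    ini_set('session.cookie_secure', '1');     // send the cookie over HTTPS only
    ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3
    ini_set('session.cookie_lifetime', '0');   // cookie is discarded when the browser closes
    session_name('ADMINSESSID');               // assumed cookie name
    session_start();
}

// Constructed credential store for the example; real code loads hashes from a DB.
function checkCredentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!checkCredentials($user, $password)) {
        return false;
    }
    // Issue a fresh ID at the privilege change so an ID planted before login
    // (session fixation) cannot be reused, and delete the old session file.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['last_activity'] = time();
    return true;
}

// Call at the top of every webadmin page. gc.maxlifetime only controls when
// PHP's garbage collector may delete stale files; it is not a per-request
// idle check, so the timeout is enforced here explicitly.
function requireLogin(): void
{
    if (empty($_SESSION['user'])) {
        logout();
    }
    if (time() - (int)($_SESSION['last_activity'] ?? 0) > IDLE_LIMIT_SECONDS) {
        logout();
    }
    $_SESSION['last_activity'] = time();
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well, not just the server-side data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: /login.php'); // assumed login page
    exit;
}
```

Usage: login.php calls configureSession() and then login($user, $password) on a POST; every other webadmin page calls configureSession() followed by requireLogin(). With these directives a second browser, or a second machine behind the same IP, has no cookie and therefore no session, which is the behaviour the original poster expected.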

Froggy
10-21-2005, 03:04 AM
Do PHP sessions even do IP-based session tracking? I thought it only did cookie based or URL based.

Anyhow, tracking the sessions via the IP address is really bad.

almahdi
10-21-2005, 03:50 AM
Originally posted by Froggy
Do PHP sessions even do IP based session tracking?

No.

Originally posted by Froggy
I thought it only did cookie based or URL based.

True.

Originally posted by Froggy
Anyhow tracking the sessions via the IP address is really bad.

I agree.

WO-Jacob
10-21-2005, 05:14 AM
Originally posted by Froggy
Anyhow tracking the sessions via the IP address is really bad.

Not if it is combined with tracking by cookie... generally prevents (except for local network) session hijacking. :)

Froggy
10-22-2005, 04:17 AM
Originally posted by WO-Jacob
Not if it is combined with tracking by cookie... generally prevents (except for local network) session hijacking.

But that isn't really "combined" tracking; you are using the cookie to track the user and adding the IP to the session and using it to make sure nothing fishy is going on.

Regardless, this is a bad idea too, as there are many ISPs that change the user's IP from request to request (they are proxies, like AOL). So you'll be blocking a bunch of people.

Burhan
10-22-2005, 04:26 AM
I think a better approach would be to do a combination of things:

1. Shorten the lifespan of the session cookie
2. Implement some sort of 'auto-signout' -- after some period of inactivity, the user is logged out automatically

IP tracking is generally a bad idea, for the reasons already mentioned.

Rich2k
10-24-2005, 05:25 PM
It depends. Has he put in a custom session handler which stores sessions in a database or file system? If he has, then he might be tracking sessions in the handler by IP address, in which case when a session is used by you it sees a valid session ID based on your IP address (perhaps he's generating an MD5 or such based on your IP).

If you use the default session handler in PHP this sort of thing should not occur.

Auto sign-out is automatic with PHP sessions with the trash collection.
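As an added example (not the poster's code or anything posted in the thread), two of the points argued above put side by side: the failure mode Rich2k hypothesises, a handler that derives the session ID from the client IP so that every host behind one NAT shares one login, and the IP-pinning "extra check" WO-Jacob proposes and Froggy objects to, which signs out legitimate users whose ISP proxy rotates their address mid-session. All client addresses and session data below are constructed for the demo; no real application is implied.

```php
<?php
// Added example, not code from the original thread.
// (1) An IP-derived session ID collapses every host behind one NAT into one session.
// (2) IP pinning as a check on a cookie-identified session rejects users whose
//     address changes between requests (AOL-style rotating proxies).
// All inputs are constructed for the demo.

declare(strict_types=1);

// VULNERABLE (the pattern Rich2k suspects): the ID is a pure function of
// REMOTE_ADDR, so anyone presenting the same public IP gets the same session
// without ever seeing the login form.
function ipDerivedSessionId(string $remoteAddr): string
{
    return md5($remoteAddr);
}

// SAFE: the ID is unguessable and unrelated to anything the client controls.
// PHP's default handler already generates IDs this way; a custom handler only
// loses that property by overriding ID generation.
function randomSessionId(): string
{
    return bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
}

// IP pinning as a *check* on a session that is already identified by cookie.
// Returns true when the request should be allowed through. With $pinIp on,
// a legitimate user whose IP changes mid-session is rejected.
function sessionAccepted(array $session, string $currentIp, bool $pinIp): bool
{
    if (empty($session['user'])) {
        return false;
    }
    if ($pinIp && ($session['ip'] ?? null) !== $currentIp) {
        return false; // false positive for rotating proxies and mobile handover
    }
    return true;
}

// --- Demo -----------------------------------------------------------------
// Two different laptops on one public wifi hotspot share the NAT address.
$laptopA = '203.0.113.7';
$laptopB = '203.0.113.7';

echo "IP-derived IDs:\n";
printf("  A: %s\n  B: %s\n", ipDerivedSessionId($laptopA), ipDerivedSessionId($laptopB));
echo ipDerivedSessionId($laptopA) === ipDerivedSessionId($laptopB)
    ? "  -> identical: B inherits A's login without a password\n"
    : "  -> distinct\n";

echo "Random IDs:\n";
printf("  A: %s\n  B: %s\n", randomSessionId(), randomSessionId());
echo "  -> distinct: B has to log in on its own\n";

// A user logs in through a proxy that then hands out a different address.
$session = ['user' => 'admin', 'ip' => '198.51.100.20'];
$nextRequestIp = '198.51.100.21';
printf("IP pinning on, IP rotated:  %s\n",
    sessionAccepted($session, $nextRequestIp, true) ? 'allowed' : 'signed out (false positive)');
printf("IP pinning off, IP rotated: %s\n",
    sessionAccepted($session, $nextRequestIp, false) ? 'allowed' : 'signed out');
```

Run it with `php` on the command line. The first section reproduces the original poster's symptom (a second machine on the same network is "logged in"), the second shows why a random cookie-carried ID does not have that problem, and the third shows the cost of pinning a session to an IP: the check adds nothing against an attacker on the same NAT and locks out users whose address legitimately changes.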