[Web-SIG] Session interface, v2

Ian Bicking ianb at colorstudy.com
Sun Aug 21 01:56:31 CEST 2005

Rene Dudfield wrote:
>>>* Scenario 4: Two apps in different virtual hosts.
>>Probably not an issue because the session id won't be shared.  A good
>>session id manager might be able to handle this, though, but forwarding
>>the user between the two hosts with a special GET variable that triggers
>>the setting of a cookie; if that was happening it would be like scenario 3.
> The most secure way for virtual hosts would be to use different
> session stores?  Using different session stores for separate domains
> should be the default for a little extra security?  However using the
> same SessionStores accross virtual domains could be quite useful for
> passing users settings amongst virtual domains(just like Ian said
> above).

As long as session ids are generated properly, there should be no 
overlap in ids unless you are using the same browser identification 
(i.e., the same cookie).  So if the virtual hosts aren't explicitly 
sharing session ids there's no real problem (as long as all those 
applications are trusted to read any session, of course).

Ian Bicking  /  ianb at colorstudy.com  / http://blog.ianbicking.org

More information about the Web-SIG mailing list