Opened 5 years ago

Closed 5 years ago

#945 closed Bug (fixed)

$_SESSION sharing among multiple php apps served from same website

Reported by: vipsoft
Owned by: vipsoft
Priority: normal
Milestone: Piwik 0.4.4
Component: Core
Keywords:
Cc:
Sensitive: no

Description (last modified by vipsoft)

Session conflicts may arise.

Suggested remedies:

  • add Piwik_ prefix to session namespaces
  • set session name (default is PHPSESSID; ZF sets it to ZFSESSION); what if user has set it in .htaccess?
  • regenerate session ID at login/logout

Change History (4)

comment:1 Changed 5 years ago by vipsoft (robocoder)

  • Summary changed from Multiple php apps served from same website to $_SESSION sharing among multiple php apps served from same website

comment:2 Changed 5 years ago by vipsoft (robocoder)

  • Description modified (diff)
  • Priority changed from major to normal

comment:3 Changed 5 years ago by vipsoft (robocoder)

  • Milestone changed from 2 - Piwik 0.5 to 1 - Piwik 0.4.4

comment:4 Changed 5 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from new to closed

In [1460], fixes #945 - Piwik sets the session.name to 'PIWIK_SESSID'; define('PIWIK_SESSION_NAME', ...) in bootstrap.php to override; session namespaces now prefixed by Piwik_. We regenerate session ID at login/logout to mitigate session fixation attacks.
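The three remedies the ticket settles on, written out as an added example in plain PHP session functions rather than Zend_Session (this is not Piwik's or Zend Framework's code): PIWIK_SESSION_NAME, 'PIWIK_SESSID' and the Piwik_ prefix come from the ticket; the piwik_* function names are hypothetical.

```php
<?php
// Added example, not Piwik's or Zend Framework's code. PIWIK_SESSION_NAME and
// 'PIWIK_SESSID' are from the ticket; the piwik_* function names are hypothetical.

// 1. Per-application cookie name, overridable from bootstrap.php. Calling
//    session_name() before session_start() also takes precedence over a
//    session.name set in php.ini or .htaccess, so the app no longer shares
//    the default PHPSESSID cookie with other PHP apps on the same host.
if (!defined('PIWIK_SESSION_NAME')) {
    define('PIWIK_SESSION_NAME', 'PIWIK_SESSID');
}

function piwik_session_start()
{
    if (session_id() === '') {          // session not started yet
        session_name(PIWIK_SESSION_NAME);
        session_start();
    }
}

// 2. Prefix every namespace with Piwik_ so keys cannot collide with another
//    app that happens to share the same session store.
function piwik_session_key($namespace)
{
    return 'Piwik_' . $namespace;
}

function piwik_session_set($namespace, $key, $value)
{
    $_SESSION[piwik_session_key($namespace)][$key] = $value;
}

// 3. Regenerate the session ID at login and logout. A fresh ID on login means
//    an ID planted before authentication never becomes an authenticated one
//    (session fixation); passing true deletes the old session file so the
//    planted ID no longer resolves to any session at all.
function piwik_login($login)
{
    session_regenerate_id(true);
    piwik_session_set('Login', 'login', $login);
}

function piwik_logout()
{
    $_SESSION = array();
    session_regenerate_id(true);
    session_destroy();
}
```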
