Since every user has a unique PHPSESSID, is it possible for two users, say A, to inject info into B's SESSION data using standard PHP running on the server?
Note, I am not using this for any wrong purposes. Trying to use it for chatting without DB access.
Thank you for your time.
I'm assuming you want to somehow have A chat to B by sending a message which gets placed into B's session.
First of all, A needs to learn B's session ID, perhaps by selecting their name from a list. You'll almost certainly want to encrypt these session ids, otherwise you have created a nice security hole!
So, A posts data to the server containing the target session id, and a message. Here's how we could temporarily switch session ids to write that data into the target session:

    //get data from form - I'll leave the encryption of the target
    //session id up to you!
    $target_session_id=decryptSessionId($_POST['target']);
    $message=strip_tags($_POST['message']);

    //remember our "real" session id and close the session
    $original_session_id=session_id();
    session_write_close();

    //open the target session
    session_id($target_session_id);
    session_start();

    //add message to target session
    $_SESSION['chat']=$message;

    //close target session
    session_write_close();

    //reopen the "real" session
    session_id($original_session_id);
    session_start();
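One way to fill in the `decryptSessionId()` step the answer leaves open, shown as an added example that is not part of the original answer: the raw session ID is wrapped in an authenticated, encrypted token so that other users only ever see an opaque value, and anything forged or altered is rejected before it reaches `session_id()`. It assumes PHP 7.2+ with the sodium extension; `encryptSessionId()`, the extra `$key` parameter and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: wrap a raw session ID in an opaque token that is safe to
// show to other users. secretbox both encrypts and authenticates the value.
function encryptSessionId(string $sessionId, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($sessionId, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Returns the session ID, or null if the token is malformed, was tampered with,
// or does not decrypt to something that looks like a PHP session ID.
function decryptSessionId(string $token, string $key): ?string
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;
    }
    if (strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $id = sodium_crypto_secretbox_open($box, $nonce, $key);
    // Accept only the characters the default file session handler allows,
    // so nothing unexpected is ever handed to session_id().
    if ($id === false || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        return null;
    }
    return $id;
}

// Constructed demo values; in production the key is a long-lived server-side
// secret that is never sent to the browser.
$key = sodium_crypto_secretbox_keygen();
$sampleId = 'q1w2e3r4t5y6u7i8o9p0a1s2d3';                 // constructed session ID
$token = encryptSessionId($sampleId, $key);
var_dump(decryptSessionId($token, $key) === $sampleId);   // untouched token

$tampered = $token;
$tampered[0] = $tampered[0] === 'A' ? 'B' : 'A';          // alter one character
var_dump(decryptSessionId($tampered, $key));              // altered token
```

The caller should treat a `null` result as a failed request and stop before `session_write_close()`, so the requester's own session is never swapped for an unverified one.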
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki