XH 2.0: Use named Sessions


Post by cmb » Wed Jul 03, 2013 3:35 pm

Hello Community,

Currently the core of CMSimple_XH and several plugins are using PHP sessions. As the session cookies are set by PHP for the domain root, these sessions are shared between all CMSimple_XH installations on the domain. This might lead to collisions.

A clean solution would be to use named sessions, which were prepared by CMSimple_XH's core. Unfortunately these session names would not easily be available to directly requested scripts of plugins (for instance the filebrowsers' editorbrowser.php). So we have decided to postpone the introduction of named sessions until a solution is found regarding this problem. To not forget the issue, I have placed it on the roadmap for CMSimple_XH 2.0.

For now, extension developers should stick with the normal PHP sessions and avoid the following session-related functions: session_name() and session_destroy() (besides the functionality that is deprecated in newer PHP versions or generally frowned upon, as documented in the session book). They have to take care, however, that such potential collisions do not introduce bugs or even vulnerabilities to their extensions, or at least document that the plugin can be used only once on any given domain.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH
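
One way an extension can keep its data apart on the shared default PHP session described in the post above, shown as an added example that is not part of the original post or of CMSimple_XH: store everything under a per-installation bucket and clear only that bucket on logout. The helper names, the session keys and the installation paths are hypothetical, and the installation root is assumed to be known to the calling script.

```php
<?php
// Added illustration: keep each installation's data in its own slice of the
// shared PHP session, without calling session_name() or session_destroy().

/** Bucket key for one installation; $installRoot is an assumed input. */
function installation_bucket(string $installRoot): string
{
    // Hash the normalized path so the key has a fixed length and does not
    // expose the filesystem layout in the serialized session data.
    $canonical = rtrim(str_replace('\\', '/', $installRoot), '/');
    return 'inst_' . hash('sha256', $canonical);
}

function bucket_set(string $installRoot, string $key, $value): void
{
    $_SESSION[installation_bucket($installRoot)][$key] = $value;
}

function bucket_get(string $installRoot, string $key, $default = null)
{
    return $_SESSION[installation_bucket($installRoot)][$key] ?? $default;
}

/** Clear only this installation's data instead of calling session_destroy(). */
function bucket_clear(string $installRoot): void
{
    unset($_SESSION[installation_bucket($installRoot)]);
}

// Constructed demo: two installations on one domain share one session.
// In a real request, session_start() would populate $_SESSION.
$_SESSION = [];
$siteA = '/var/www/example/site-a'; // constructed path
$siteB = '/var/www/example/site-b'; // constructed path

bucket_set($siteA, 'myplugin_logged_in', true);
// Unscoped key: readable by every installation that shares the cookie.
$_SESSION['myplugin_logged_in_unscoped'] = true;

// Site B looks up the same plugin key and falls back to the default.
var_dump(bucket_get($siteB, 'myplugin_logged_in', false));
// The unscoped flag is present no matter which installation reads it.
var_dump(isset($_SESSION['myplugin_logged_in_unscoped']));

bucket_clear($siteA); // logout on A leaves other installations' data alone
var_dump(bucket_get($siteA, 'myplugin_logged_in', false));
```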


Re: XH 2.0: Use named Sessions

Post by cmb » Thu Feb 23, 2017 5:30 pm

Oops, chaos! In the meantime I had suggested introducing named sessions for XH 1.7, and that has already been accepted and implemented, so this thread is obsolete.