The core and several plugins are using the PHP session handling. This works fine as long as there is only one CMSimple_XH installation on a domain, but there could be problems with multiple installations, especially when they are placed in subfolders. That's caused by the session cookie usually being set for the domain root (cookie path "/"), so multiple installations on the same domain share the same session.
The core as well as some plugins are already working around this issue, e.g. by storing important information in an array with an element for each installation (keyed by CMSIMPLE_ROOT, for instance). That is cumbersome at best, and plugins not doing this might not work reliably on multiple installations.
A simple solution would be to designate a unique session name for each installation, instead of using the default name (PHPSESSID). There are, however, at least two issues with this approach:
- If the session has not already been started by the core, a plugin calling session_start() would automatically use the default name, and start an independent session. That's not necessarily a problem per se, but it would be better to avoid it (if only for performance reasons). Requiring plugins to set the appropriate session name seems error prone, so it might be best to introduce some API (say, XH_startSession()) which does that automatically.
- There are plugins which trigger requests to separate PHP files (i.e. not via CMSimple_XH's index.php), and if a session is started from these files the session name is not known. That was basically the showstopper for implementing named sessions for XH 1.6, but the situation has improved in the meantime (all bundled plugins have been modified accordingly).
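One way such an API could look, as an added illustration (not CMSimple_XH's own code): it derives the session name from the installation root, scopes the cookie to the installation's folder so installations on one domain stop sharing a cookie, and is idempotent so a plugin calling it after the core does not start a second session. CMSIMPLE_ROOT is assumed to hold the installation's URL path (e.g. "/sub/site/"); XH_startSession() is the name suggested above.

```php
<?php
/**
 * Start the session for this CMSimple_XH installation (added example;
 * assumes CMSIMPLE_ROOT holds the installation's URL path, e.g. "/sub/site/").
 *
 * - The session name is derived from the installation root, so two
 *   installations on one domain no longer read each other's session data.
 * - The cookie path is restricted to the installation folder, so the browser
 *   only sends the cookie to requests under that path.
 * - The function is idempotent: a plugin calling it after the core has
 *   already started the session does not start a second, independent one.
 *
 * Separate PHP files requested by plugins (outside index.php) have to include
 * and call this function too; otherwise they fall back to PHPSESSID.
 */
function XH_startSession()
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by the core or another plugin
    }
    // PHP session names may only contain alphanumeric characters, so hash
    // the root path instead of using it directly.
    $name = 'XH_' . substr(md5(CMSIMPLE_ROOT), 0, 16);
    session_name($name);

    // Mark the cookie secure when the request itself came over HTTPS.
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // lifetime 0 = session cookie; path = this installation only;
    // httponly = true keeps the session id out of reach of page scripts.
    session_set_cookie_params(0, CMSIMPLE_ROOT, '', $secure, true);

    session_start();
}
```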
Thoughts?