I have a question regarding PHP session security...
My set-up is based on a number of separate instances of (the same) PHP/MySQL script being run in different subfolders of the same website.
For example, I might have 2 separate instances of the script located in the following 2 subfolders:
Essentially these are 2 entirely separate sites (with individual databases) that are running the same script.
My problem is that if a user originally logs in at "folder1" and then browses to "folder2", their session will carry and they will have full access to the script in the new folder.
I have tried setting the "session.cookie_path" value within each subfolder (using a .htaccess file), so that the sessions would only be valid within the particular subfolder that they were first created. However I found that this was insecure.
As a test, I logged into the script at "folder1". I then edited the cookie that had been set on my machine - I simply changed the cookie path back to root "/". I then browsed to the script at "folder2" and all of my session data from "folder1" was readily available.
I would have thought that when PHP created the session in "folder1" it would have limited its scope to only that folder, but this does not appear to be the case. So, if a malicious user were to alter the path on their session cookie they would be able to carry their session data to any other folder on the domain. Has anyone else struggled with this problem?