Sessions and FireFox Tabs


zq29

While debugging a script of mine I have stumbled across something that appears to be quite a concern. I am working on a project that has a front end, and an admin backend.

I use FireFox and have the front end open in one tab, and the backend open in another. Naturally, the admin is protected with a user:password combo, so I have logged myself in - the username is stored in the session variable $_SESSION['username']. Now back in my other tab, working with the front end, I'm debugging a script and find the need to check a few session variables so run a print_r($_SESSION).

What do I see? [username] => 'SemiApocalyptic' in my front end.

The frontend has a shopping basket, product details are stored in $_SESSION['basket'] - I add a few things to the basket, then switch back over to my admin tab and click my 'Logout' button, this destroys all my session data to log me out of the admin with either unset($_SESSION) or $_SESSION = array() (I can't remember now - one of the two).

Switch back over to my front-end, refresh my basket, and all my basket data is empty.

Now my project structure is like this:

Frontend: http://localhost/site/
Backend: http://localhost/site/admin/

I'm quite concerned how my two tabs are sharing the same session data, is this because they are on the same server; same 'base directory'; or something else? Can anyone offer any insight as to what is happening, how to prevent it or any other useful input? Should I be concerned?

I guess they will share session data as long as they have the same session ID, which may mean, if you are using cookies to propagate the session ID, that they will share the same session ID if you open another instance of Firefox.

I think using session_set_cookie_params() you can create different cookies for them, so they'll have different session IDs.

http://www.php.net/session_set_cookie_params

I see, but do you think this 'feature' of FireFox could be used to exploit people's sites? Or is session data only shared between tabs if both URLs point to the same server/domain? (I would both think, and hope, that this [i]is[/i] the case.) Might have to do some testing to find out, to be sure.

!?!!

Well, I did some testing on this issue, and I can confirm that it does indeed pull the session info from one tab to another, if the pages are from the same website. But it does not appear to grab session info from tabs that do not contain other websites.

I wrote the following code:
[code]
<?php
  session_start();
  
  foreach($_SESSION as $key => $val) {
    echo $key . " : " . $val . "<br>";
  }
?>
[/code]
I opened my FF browser and ran this script. Nothing.

Then I opened a tab and went to one of my login screens for my site, and logged in. Then I went back to this script tab and refreshed, and behold, I saw my session info dumped on the screen, from the other tab. These scripts were also run from different directories, btw.

I opened a 3rd tab and tried logging in to several sites (including this one) and then refreshing the script again, and nothing (nothing new - session info will be there until the window is completely closed - that's another thing you need to remember when doing tabbed browsing!).

So it [i]appears[/i] that your session info is safe, as far as running a script from another site with your site tabbed.

Now as far as same-site tabs sharing the session... well, you can name things more explicitly. As in, on your frontend, have 'cust_username', 'cust_password' etc. as user info and 'admin_username', 'admin_password' as the admin info, instead of using the same variable name for both.

And if for some reason you need to run a loop on all of your session vars, if you separate them with a specific prefix, you can throw in a condition that checks for that prefix.

Hope this helps!

The key here is to use session_name before session_start within your admin area, i.e.:
[code]<?php
session_name('adminArea'); // MUST BE FIRST LINE
session_start(); // all session data created will now be tied to the adminArea session

// create your sess vars as normal

?>[/code]
Now in your frontend just start your session as normal:
[code]<?php
session_start();

//create session vars

?>[/code]
You'll see now that your sessions won't mix; all admin sessions are tied to a separate session.

NOTE: you must have session_name('adminArea') before session_start in every file that uses sessions in your admin area.

Also, the name of the session can be anything but can only contain letters.

Hope that helps.
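Putting the two suggestions above together (a distinct session_name for the admin area, plus session_set_cookie_params to scope its cookie), here is an added example that is not code from any of the posters. Names like start_area_session() and logout_area() are hypothetical, and the paths match the thread's /site/ and /site/admin/ layout.

```php
<?php
// Added example (not the thread's code). Each area of the site gets its own
// session name AND its own cookie path, so the browser holds two independent
// session cookies and a logout in /site/admin/ cannot empty the basket in /site/.
function start_area_session(string $area): void
{
    // Distinct cookie name per area (letters only, as the answer above notes).
    $name = ($area === 'admin') ? 'adminArea' : 'siteFront';
    // The admin cookie is scoped to /site/admin/, so it is never sent to /site/ pages.
    $path = ($area === 'admin') ? '/site/admin/' : '/site/';

    session_name($name);
    session_set_cookie_params([
        'lifetime' => 0,                          // browser-session cookie
        'path'     => $path,
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,                       // hidden from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Logs out of the *current* area only: wipes its data, expires its cookie,
// and leaves the other area's session file and cookie untouched.
function logout_area(): void
{
    $_SESSION = [];                               // only this session's data
    $p = session_get_cookie_params();
    // Expire the cookie under the same name and path it was issued with.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// In every /site/admin/*.php:  start_area_session('admin');
// In every /site/*.php:        start_area_session('front');
// After a successful admin login, call session_regenerate_id(true) before
// storing $_SESSION['username'], so the pre-login session ID is not kept.
```

Because the admin cookie's path is /site/admin/, a print_r($_SESSION) in a /site/ page can no longer show the admin username at all, rather than merely storing it under a different key.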

Keep in mind that this isn't a firefox issue.

Browsers know nothing of sessions or session data (Firefox's reference to sessions when dealing with cookie expiry, e.g. "end of session", is only about when the browser is closed). It only stores a cookie with the session ID and sends it to the server as it would any other cookie. When it comes to the session ID being passed via the URL, again the browser treats it no differently than any other URL with a query string.

Ok, it all appears to make sense! I was under the assumption that new tabs in FireFox were treated as the equivalent of a new browser window in IE, where a new browser window creates its own new (separate) session regardless of it being the same site or not.

I must admit, I was a bit quick off the mark to create this thread, but as you could imagine - it was a bit concerning to see session data from other tabs in my active tab! But thinking about it, and everyone's comments here, it does make sense.

Thanks for the tip there wildteen88, I think I might implement that into my projects from now on, just to keep things tidy when debugging.

Thanks for your input guys :)