Jump to content

session variables crossover problem

geroido

By geroido
in PHP Coding Help

 Share

Recommended Posts

geroido Member

geroido

Posted
Posted

I've just realised I have a major problem with my website project. My website allows two types of user to log on - a general user and a client. Everything works perfectly well if I log in as one or the other type. However, if I open two browser windows and login as both of them, apache is confusing the two sessions. The same session variables names are used to store, for example,  'username' and 'userid' of a particular user. If I now flick between browsers to another user and select an option on that page, the user details from the previous browser user appear on the new users page. Why is apache not keeping the sessions seperate.

My webpage says 'Welcome john'(or whoever) when the user logs on. When I log in as someone else e.g. 'Paul' and return to the previous browser and refresh, john changes to Paul. I thought that apache could track seperate sessions and keep them apart. Any ideas

Link to comment
https://forums.phpfreaks.com/topic/118438-session-variables-crossover-problem/
Share on other sites
geroido Member

geroido

Posted
  • Author
Posted

The following code determines if I have a general user or a client logging in. I have concatenated 'CLS_' onto client userid to distinguish them from general users. If it's a general user they are redirected to 'logsin.php' and a client is redirected to 'clientpage.php'. In this code I'm just extracting the first 4 characters of the userid. If they match 'CLS_' then it's a client, if not it's a general user. Can you see anything wrong with the session variable registering .

 

<?php

session_start();

 

include("config.php");

// connect to the mysql server

$link = mysql_connect($server, $db_user, $db_pass)

or die ("Could not connect to mysql because ".mysql_error());

 

// select the database

mysql_select_db($database)

or die ("Could not select database because ".mysql_error());

 

$match = "select userID from $table where username = '".$_POST['username']."'

and userpass = '".$_POST['password']."';";

 

$qry = mysql_query($match)

or die ("Could not match data because ".mysql_error());

$num_rows = mysql_num_rows($qry);

 

 

$row = mysql_fetch_assoc($qry);?><BR><?

$id = $row['userID'];

$userid = $id;

$str = substr($id, 0, 4);

if ($num_rows <= 0) {

echo "Sorry, there is no username $username with the specified password.<br>";

echo "<a href=index.php>Try again</a>";

exit;

} else {

session_register('userid');

$_SESSION['userid'] = $userid;

 

session_register('username');

$_SESSION['username'] = $_POST['username'];

 

 

 

 

}

if ($str == "CLS_")

 

{

 

        ?><meta http-equiv="Refresh" content="0;url=clientpage.php"><?

}

else

{

 

        ?><meta http-equiv="Refresh" content="0;url=logsin.php"><?

}

?>

trq Prolific Member

trq

Posted
Posted

This has nothing to do with your problem but, session_register() has long been depricated, remove them.

 

The only way you can get around your issue is to firstly check if a user is logged in before they attempt to log in. If they are already logged in tell them so and disallow another login.

waynew Advanced Member

waynew

Posted
Posted

This isn't related to your problem but it is a problem. You're not cleaning your external data. I know that it's a project etc but soon enough you'll be creating live systems. And the best way to prepare yourself for live systems is to clean all data coming in from external sources all of the time, regardless of how small the project seems. That way you wont end up forgetting and building systems where there are holes for possible SQL injections or XSS exploits. Imagine spending weeks on a project only to see it damaged by some creep with too much time on his hands?

 

 

See: http://gtfonoob.net/?p=8

 

 

waynew Advanced Member

waynew

Posted
Posted

Regarding your problem:

 

1: Thorpe is right. Session register is outdated.

2: Are you sure that you're not using two browser instances like the guy a few comments said?

3: Have you tried logging out with:

 

session_start();
session_unregister();
session_destroy();

 

And then logging in?

geroido Member

geroido

Posted
  • Author
Posted

Hi thorpe

The problem is not with the same user logging in more than once. I'm logging in with different users. When I go back to a previous users page and refresh, the userid of the that user becomes the same as the new user I just logged in with. My session variables 'userid' and 'username' are being overwritten with those of the newly logged in user. I can't understand why apache is not keeping the different sessions seperate.

trq Prolific Member

trq

Posted
Posted
I can't understand why apache is not keeping the different sessions seperate.

 

Its got nothing to do with apache. As I said, your using one browser instance.

 

The problem is not with the same user logging in more than once. I'm logging in with different users.

 

Shouldn't matter. Check if the user has a session already started, if they do, deny another login.

geroido Member

geroido

Posted
  • Author
Posted

Hi waynewex

I want multiple users to be logged in at the same time. Apache seems to be creating my session variable e.g. $_SESSION['userid']; but it's like it is creating this variable only once no matter how many subsequent users log on. And with each new user it seems to be overwritting $_SESSION['userid'] with that particular users userid. So when I click on the other browser instance which has someone already logged in and refresh, their user details change to the newly logged in user. I'm baffled. I presumed that if a million users log in then apache creates a million instances of the session variable $_SESSION['userid']; - one for each logged in user and protects one from the other. But it's not.

geroido Member

geroido

Posted
  • Author
Posted

I've just done something that seems to solve my problem somewhat. I opened firefox and logged in as a user. I then opened explorer and logged in as another user. I opened another explorer again and logged in as a third user. I clicked around the pages in each browser and all is ok now. So does this mean that I can't have multiple logins in the same browser instance?

The other thing is when you said that session_register() has long been depricated, what do you mean. Does this mean that I just need to put something like $_SESSION['username'] = $_POST['username']; and the session variable will be created. There is no need for the actual line session_register('username'); first??

DarkWater Member

DarkWater

Posted
Posted

Indeed, there is no need for session_register().  But you should do some sanitation on the $_POST['username'] before blindly entering it into the session...But why would someone log in twice with the same browser in the first place? =/

geroido Member

geroido

Posted
  • Author
Posted

I posted a reply but not sure it went through. Anyway, I've opened firefox and two internet explorers and logged into each browser as a different user. I'm no longer getting the problem. They're all seperate logins now. I didn't realise about the single browser instance problem. So thanks a lot for that.

I just have two more things to ask. You said earlier that session_register() has long been depricated. What does this mean. Does it mean that all I have to put is something like $_SESSION['username'] = $_POST['name']; and the session variable will be created? I don't have to put session_register('username'); first?

 

I hope I'm not asking too much but my second question is this. About the single browser instance problem. It's possible for a person to register on my site as a general use(one who avails of the services) and as a client(one who supplies the services). One user can be both these things. What if one of my users is at home and they login as a general user and as a client in the same browser instance(keeping both tabs open and both logins live). This will cause my overwrite problem again. This would seem to be a flaw in my website. Users can't be expected to know that they must open two browser instances.

trq Prolific Member

trq

Posted
Posted
What if one of my users is at home and they login as a general user and as a client in the same browser instance(keeping both tabs open and both logins live). This will cause my overwrite problem again. This would seem to be a flaw in my website. Users can't be expected to know that they must open two browser instances.

 

This would seem to be more of an application design issue. Basically, your users shouldn't need two seperate identities to perform two different tasks. As an example, I am a moderator here on the forum, yet at the same time I am also a user. I don't need to login to two different accounts to post and to moderate. My permissions are simply escalated so that I am able to do both from the one account. admins permissions are escalated even higher, understand?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.