session variables crossover problem

[geroido]

I've just realised I have a major problem with my website project. My website allows two types of user to log on - a general user and a client. Everything works perfectly well if I log in as one or the other type. However, if I open two browser windows and login as both of them, apache is confusing the two sessions. The same session variables names are used to store, for example,  'username' and 'userid' of a particular user. If I now flick between browsers to another user and select an option on that page, the user details from the previous browser user appear on the new users page. Why is apache not keeping the sessions seperate.

My webpage says 'Welcome john'(or whoever) when the user logs on. When I log in as someone else e.g. 'Paul' and return to the previous browser and refresh, john changes to Paul. I thought that apache could track seperate sessions and keep them apart. Any ideas

[budimir]

Something is wrong with registering sessions! Can you post your code, so we can take a look?

[trq]

Why is apache not keeping the sessions seperate.

 

Because you are using one browser instance.

[geroido]

The following code determines if I have a general user or a client logging in. I have concatenated 'CLS_' onto client userid to distinguish them from general users. If it's a general user they are redirected to 'logsin.php' and a client is redirected to 'clientpage.php'. In this code I'm just extracting the first 4 characters of the userid. If they match 'CLS_' then it's a client, if not it's a general user. Can you see anything wrong with the session variable registering .

 

<?php

session_start();

 

include("config.php");

// connect to the mysql server

$link = mysql_connect($server, $db_user, $db_pass)

or die ("Could not connect to mysql because ".mysql_error());

 

// select the database

mysql_select_db($database)

or die ("Could not select database because ".mysql_error());

 

$match = "select userID from $table where username = '".$_POST['username']."'

and userpass = '".$_POST['password']."';";

 

$qry = mysql_query($match)

or die ("Could not match data because ".mysql_error());

$num_rows = mysql_num_rows($qry);

 

 

$row = mysql_fetch_assoc($qry);?><BR><?

$id = $row['userID'];

$userid = $id;

$str = substr($id, 0, 4);

if ($num_rows <= 0) {

echo "Sorry, there is no username $username with the specified password.<br>";

echo "<a href=index.php>Try again</a>";

exit;

} else {

session_register('userid');

$_SESSION['userid'] = $userid;

 

session_register('username');

$_SESSION['username'] = $_POST['username'];

 

 

 

 

}

if ($str == "CLS_")

 

{

 

        ?><meta http-equiv="Refresh" content="0;url=clientpage.php"><?

}

else

{

 

        ?><meta http-equiv="Refresh" content="0;url=logsin.php"><?

}

?>

[geroido]

It seems that if I have more than one user logged in, it overwrites the values of the old users session variables with the values from the new users session variables.

[waynew]

$_SESSION['username'] = $_POST['username']; 

 

Is this really a good idea?

[geroido]

I'm not sure. What's the problem? I want to display the username on subsequent pages. I'm not sending their password which is needed to log in

[trq]

This has nothing to do with your problem but, session_register() has long been depricated, remove them.

 

The only way you can get around your issue is to firstly check if a user is logged in before they attempt to log in. If they are already logged in tell them so and disallow another login.

[waynew]

This isn't related to your problem but it is a problem. You're not cleaning your external data. I know that it's a project etc but soon enough you'll be creating live systems. And the best way to prepare yourself for live systems is to clean all data coming in from external sources all of the time, regardless of how small the project seems. That way you wont end up forgetting and building systems where there are holes for possible SQL injections or XSS exploits. Imagine spending weeks on a project only to see it damaged by some creep with too much time on his hands?

 

 

See: http://gtfonoob.net/?p=8

 

 

[waynew]

Regarding your problem:

 

1: Thorpe is right. Session register is outdated.

2: Are you sure that you're not using two browser instances like the guy a few comments said?

3: Have you tried logging out with:

 

session_start();
session_unregister();
session_destroy();

 

And then logging in?

[geroido]

Hi thorpe

The problem is not with the same user logging in more than once. I'm logging in with different users. When I go back to a previous users page and refresh, the userid of the that user becomes the same as the new user I just logged in with. My session variables 'userid' and 'username' are being overwritten with those of the newly logged in user. I can't understand why apache is not keeping the different sessions seperate.

[waynew]

When I go back to a previous users page and refresh, the userid of the that user becomes the same as the new user I just logged in with

 

Is this using the same browser?

[trq]

I can't understand why apache is not keeping the different sessions seperate.

 

Its got nothing to do with apache. As I said, your using one browser instance.

 

The problem is not with the same user logging in more than once. I'm logging in with different users.

 

Shouldn't matter. Check if the user has a session already started, if they do, deny another login.

[geroido]

Hi waynewex

I want multiple users to be logged in at the same time. Apache seems to be creating my session variable e.g. $_SESSION['userid']; but it's like it is creating this variable only once no matter how many subsequent users log on. And with each new user it seems to be overwritting $_SESSION['userid'] with that particular users userid. So when I click on the other browser instance which has someone already logged in and refresh, their user details change to the newly logged in user. I'm baffled. I presumed that if a million users log in then apache creates a million instances of the session variable $_SESSION['userid']; - one for each logged in user and protects one from the other. But it's not.

[trq]

The problem is that your browser puts all cookies into one pool. So if you login twice with the one browser instance, the last login will overide the first.

[geroido]

I've just done something that seems to solve my problem somewhat. I opened firefox and logged in as a user. I then opened explorer and logged in as another user. I opened another explorer again and logged in as a third user. I clicked around the pages in each browser and all is ok now. So does this mean that I can't have multiple logins in the same browser instance?

The other thing is when you said that session_register() has long been depricated, what do you mean. Does this mean that I just need to put something like $_SESSION['username'] = $_POST['username']; and the session variable will be created. There is no need for the actual line session_register('username'); first??

[DarkWater]

Indeed, there is no need for session_register().  But you should do some sanitation on the $_POST['username'] before blindly entering it into the session...But why would someone log in twice with the same browser in the first place? =/

[geroido]

I posted a reply but not sure it went through. Anyway, I've opened firefox and two internet explorers and logged into each browser as a different user. I'm no longer getting the problem. They're all seperate logins now. I didn't realise about the single browser instance problem. So thanks a lot for that.

I just have two more things to ask. You said earlier that session_register() has long been depricated. What does this mean. Does it mean that all I have to put is something like $_SESSION['username'] = $_POST['name']; and the session variable will be created? I don't have to put session_register('username'); first?

 

I hope I'm not asking too much but my second question is this. About the single browser instance problem. It's possible for a person to register on my site as a general use(one who avails of the services) and as a client(one who supplies the services). One user can be both these things. What if one of my users is at home and they login as a general user and as a client in the same browser instance(keeping both tabs open and both logins live). This will cause my overwrite problem again. This would seem to be a flaw in my website. Users can't be expected to know that they must open two browser instances.

[waynew]

Yes.

All you have to do is:

 

$_SESSION['foo'] = "bar";

[trq]

What if one of my users is at home and they login as a general user and as a client in the same browser instance(keeping both tabs open and both logins live). This will cause my overwrite problem again. This would seem to be a flaw in my website. Users can't be expected to know that they must open two browser instances.

 

This would seem to be more of an application design issue. Basically, your users shouldn't need two seperate identities to perform two different tasks. As an example, I am a moderator here on the forum, yet at the same time I am also a user. I don't need to login to two different accounts to post and to moderate. My permissions are simply escalated so that I am able to do both from the one account. admins permissions are escalated even higher, understand?

[geroido]

I see. Yes that's a design issue alright. I'll alter that at some stage soon. Thanks