Jump to content

[SOLVED] Multiple Sessions by Folder

janusmccarthy

By janusmccarthy
in PHP Coding Help

 Share

Recommended Posts

janusmccarthy Newbie

janusmccarthy

Posted
Posted

Here's the situation.  We have a domain ( let's call it www.foobar.com) and at this domain each department is given their own folder (www.foobar.com/finance, www.foobar.com/research, etc).

 

In each of the department's respective webfolders is installed a program that keeps track of its users via sessions through session_start(). 

 

Unfortunately, once you've signed in on finance, you can walk over to research their tool marks you as logged in because of the session variable.

 

This (needless to say) is not what is wanted.

 

I would like to restrict the cookie to the domain/folder in which it is assigned.  I suspect setting the session name or the session path is involved in the fix, however, it hasn't worked for me thus far.

 

Session Autostart is not on.

 

Any ideas?

Link to comment
Share on other sites
milesap Member

milesap

Posted
Posted

Session data is stored on the server, not the person's computer. What is stored on the users computer is a cookie that contains an arbitrary reference number. The server receives the reference number from the users cookie, and then fetches the session data that is associated to that reference number.

 

Thus, a much better way of dealing with this problem is to set a variable in the session which tells the scripts (in the other folders) which folder you originally signed in on. Example: If use A signs into finance, set $_SESSION['signed_id'] = 'finance'. Then check the 'signed_id' before executing the finance script, if it's value is not finance then display an error.

Link to comment
Share on other sites
janusmccarthy Newbie

janusmccarthy

Posted
  • Author
Posted

Session data is stored on the server, not the person's computer. What is stored on the users computer is a cookie that contains an arbitrary reference number. The server receives the reference number from the users cookie, and then fetches the session data that is associated to that reference number.

 

Thus, a much better way of dealing with this problem is to set a variable in the session which tells the scripts (in the other folders) which folder you originally signed in on. Example: If use A signs into finance, set $_SESSION['signed_id'] = 'finance'. Then check the 'signed_id' before executing the finance script, if it's value is not finance then display an error.

 

That won't work.  There are times when a person should be able to cross groups (me, for example, as someone who has to support users across groups as well as my own development area).

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Your login in/member system needs groups/permissions. It should not just be enough that someone is logged in, they must also be a member of the group that has permission to access any particular resource.

 

Edit: Anything you can do to the underlying operation of the session (or the session id cookie) would prevent any one from being able to access more than one folder. You must handle this with code on each page (in your common logged in check logic) to check if the current logged in visitor has permission to access that particular page.

Link to comment
Share on other sites
janusmccarthy Newbie

janusmccarthy

Posted
  • Author
Posted

Your login in/member system needs groups/permissions. It should not just be enough that someone is logged in, they must also be a member of the group that has permission to access any particular resource.

 

Edit: Anything you can do to the underlying operation of the session (or the session id cookie) would prevent any one from being able to access more than one folder. You must handle this with code on each page (in your common logged in check logic) to check if the current logged in visitor has permission to access that particular page.

 

This is basically correct.  I modified the session id cookie with a path by using the following bit of code where I create the session:

 

      session_set_cookie_params  ( 0, {PATH});
      session_start();

where {PATH} is the directory path from the host. 

(e.g.  if http://www.mypages.com/boromir and boromir is the webfolder that I want to restrict the cookie's access to, then {PATH}='/boromir')

 

There end up being two cookies in my cookie jar with session name PHPSESID (or whatever it's called).  They are differentiated only by the path.

 

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.