
SESSIONS mixing


balzano_1


Hi,

 

I have noticed an issue with SESSIONS in PHP, this is the case:

 

The website allows users to log in; however, when I log in to the site from the same machine using two instances of Firefox at the same time, but with different accounts, let's say user A and user B, what I noticed is that user B overrides user A's login screen, so instead of user A seeing his details he will end up seeing user B's details.

 

I have a hunch as to why this is happening. I think it's related to session_name(): when user A logs in, he creates a cookie called PHPSESSID; then when user B logs in he overwrites PHPSESSID with his details, thus user A is now using user B's cookie.

 

I've tried using unique session names but I can't figure out how to maintain them throughout the site. I would like to post the code but I'm out of the office right now; I'll be back in tomorrow.

 

Any suggestions will be much appreciated.

 

Thank you,

Balzano

 


Sessions are tied to a specific browser.  You can't be logged in as one user in one tab and another user in another tab in the same browser, it just doesn't work that way.

 

What are you trying to accomplish here?  What purpose would it serve?  Couldn't you just log in as userA in firefox and userB in chrome and be done with it?


I see. Well, what I'm trying to accomplish is preventing that from happening. I have, as you said, tried this scenario on the same machine but on two different browsers, Firefox and IE, at the same time, and it worked fine with no mixing.

 

I'm sure there is a way around this. Maybe if I prevent additional logins from the same browser as long as there is a cookie tied to that session?

 

Thanks,

Balzano


Prevent what from happening?

 

Describe the problem.

 

Describe your desired solution.

 

Note that dzelenika's solution won't work, since you'll never be able to tell which cookie is which.

 

The problem:

With my website, a user can open a browser, log in to my site, open another tab within the same browser and log in with a different user account; when he switches back to the previous tab he realizes his initial session is now overwritten by the newer tab.

 

Desired solution:

I would like to restrict active logins to only one per browser, so if the user logs in, opens another tab and visits the login page, he will be redirected to the already logged in account.

 

Hope that clarifies things.

 

Thanks,

Balzano

 

 


The problem:

With my website, a user can open a browser, log in to my site, open another tab within the same browser and log in with a different user account; when he switches back to the previous tab he realizes his initial session is now overwritten by the newer tab.

 

Have your login page check if someone is already logged in.  If they are, you can either:

A) Log them out then show the login form plus a message saying they have been logged out -or-

B) Redirect them to whatever page they would normally go to after a successful login. (probably your preferred option)

 

 


The problem:

With my website, a user can open a browser, log in to my site, open another tab within the same browser and log in with a different user account; when he switches back to the previous tab he realizes his initial session is now overwritten by the newer tab.

 

Have your login page check if someone is already logged in.  If they are, you can either:

A) Log them out then show the login form plus a message saying they have been logged out -or-

B) Redirect them to whatever page they would normally go to after a successful login. (probably your preferred option)

 

Thanks for the suggestion; however, I already do this if the same user tries to log in with the same account more than once. In this case, though, we have the same user trying to log into two different accounts (e.g. account A and account B) from the same browser.

 

I guess the bottom line is, how would I be able to use PHP to identify that duplicate logins are happening from the same browser?

 

 

 


Thanks for the suggestion; however, I already do this if the same user tries to log in with the same account more than once. In this case, though, we have the same user trying to log into two different accounts (e.g. account A and account B) from the same browser.

 

Then you're not doing what I suggest. If you did what I suggest, the user would never even have the option to log in again, as themselves or as another user, without logging out first.

 

pseudo code:

<?php

session_start();
// Guard the login page: a browser that already carries a logged-in
// session never gets the form again, so a second tab cannot log in
// as a different account and overwrite the first tab's session.
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in']) {
   // somebody is logged in already
   // redirect to the home page
   header('Location: index.php');
   exit;
}

if (count($_POST) > 0) {
   // process submitted login form.
}

// show login form.
?>

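A complete version of that login-page guard, added here as an example; it is not code from the thread or from balzano's site. It assumes PHP 7.3 or later, a constructed two-user table standing in for the real user database, and that index.php is the page a user lands on after logging in:

```php
<?php
// login.php: added example of the "refuse a second login" guard, not code
// from the thread. Assumes PHP 7.3+, a constructed in-memory user table in
// place of a real database, and that index.php is the post-login page.
declare(strict_types=1);

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([
    'httponly' => true,    // script cannot read PHPSESSID
    'samesite' => 'Lax',   // not sent on cross-site POSTs
    'secure'   => $https,  // cookie only over TLS when the site is served over it
]);
session_start();

// The guard from the thread (option B): a browser that already holds a
// logged-in session is sent to index.php. A second tab can therefore never
// submit credentials for another account and overwrite the first tab's
// session; the user has to log out first.
if (!empty($_SESSION['logged_in'])) {
    header('Location: index.php', true, 303);
    exit;
}

// Constructed sample users (hypothetical). Hashes are computed at runtime
// here only so the example is self-contained; a real site stores them.
$users = [
    'userA' => password_hash('correct horse', PASSWORD_DEFAULT),
    'userB' => password_hash('battery staple', PASSWORD_DEFAULT),
];

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    $hash     = $users[$username] ?? null;

    if ($hash !== null && password_verify($password, $hash)) {
        // Fresh session ID on login so an ID planted before authentication
        // (session fixation) never becomes a logged-in session.
        session_regenerate_id(true);
        $_SESSION['logged_in'] = true;
        $_SESSION['user']      = $username;
        header('Location: index.php', true, 303);
        exit;
    }
    $error = 'Invalid username or password.';
}
?>
<!DOCTYPE html>
<title>Log in</title>
<?php if ($error !== null): ?>
<p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="login.php">
  <label>Username <input name="username" autocomplete="username"></label>
  <label>Password <input name="password" type="password" autocomplete="current-password"></label>
  <button>Log in</button>
</form>
```

The only way to switch accounts is a logout page that calls session_unset() and session_destroy() and expires the cookie. As the earlier reply notes, this does nothing across browsers: Firefox and IE each have their own cookie jar, so a user can still hold two accounts open in two browsers, and limiting a person to one account at a time would need a server-side check, not a cookie.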

You would have to make your browser and the remote server 'know' which cookie is tied to each tab. Your sessions would also have to have unique cookie names.

 

You have to have a variable specific to each tab, that won't propagate to the other tabs. This means cookies are out of the question.

 

You could force a secondary token to be passed through the query string. This would have to be added to every link. Have a matching token stored within the session that links it to a specific cookie. This can open up security holes though.

You could turn each link into a form submission, and pass the same token through a hidden field. This prevents a user from accidentally copy+pasting their token somewhere public.

 

Regardless, you won't be able to use PHP's default session handler.

Since there's no legitimate reason you should have this system set up, I suggest using one of the above solutions that prevents the log-in screen from displaying if a user has already logged in.

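What the per-tab token idea from that reply looks like in practice, as an added example that is not code from the original post. It takes the hidden-field variant, since a token in the query string shows up in Referer headers, proxy logs and any pasted link, and it keeps PHP's default session handler: one PHPSESSID cookie whose session holds a map from tab token to identity, so each tab can be a different account. Users are constructed in memory for the example (hypothetical names and passwords):

```php
<?php
// tab_session.php: added example of the per-tab token idea from the reply
// above, not code from the original post. It keeps the default PHP session
// handler: one PHPSESSID cookie, and inside that session a map of tab tokens
// to identities. The token travels only in a POST hidden field, never in the
// query string, so it does not appear in Referer headers, proxy logs or a
// pasted link. Users are constructed in memory for the example (hypothetical).
declare(strict_types=1);

session_start();
if (!isset($_SESSION['tabs']) || !is_array($_SESSION['tabs'])) {
    $_SESSION['tabs'] = [];   // tab token => ['user' => name]
}

$users = [
    'userA' => password_hash('correct horse', PASSWORD_DEFAULT),
    'userB' => password_hash('battery staple', PASSWORD_DEFAULT),
];

/** Identity bound to this tab's token, or null when the tab has none. */
function tabUser(?string $token): ?string
{
    if ($token === null || !isset($_SESSION['tabs'][$token])) {
        return null;
    }
    return $_SESSION['tabs'][$token]['user'];
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function loginForm(): string
{
    return '<form method="post">'
         . '<input type="hidden" name="action" value="login">'
         . '<input name="username" autocomplete="username"> '
         . '<input name="password" type="password" autocomplete="current-password"> '
         . '<button>Log in</button></form>';
}

/** Every link on a logged-in page becomes a form carrying the tab token. */
function tabPage(string $token, string $user): string
{
    return '<p>This tab is logged in as ' . h($user) . '</p>'
         . '<form method="post">'
         . '<input type="hidden" name="tab" value="' . h($token) . '">'
         . '<button name="action" value="profile">Profile</button> '
         . '<button name="action" value="logout">Log out this tab</button>'
         . '</form>';
}

// The token is read from the POST body only; a token in the URL is ignored.
$token  = isset($_POST['tab']) && is_string($_POST['tab']) ? $_POST['tab'] : null;
$action = (string)($_POST['action'] ?? '');

if ($action === 'login') {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    if (isset($users[$username]) && password_verify($password, $users[$username])) {
        session_regenerate_id(true);            // still defeat fixation on login
        $token = bin2hex(random_bytes(16));     // 128-bit token, unguessable
        $_SESSION['tabs'][$token] = ['user' => $username];
    }
} elseif ($action === 'logout' && $token !== null) {
    unset($_SESSION['tabs'][$token]);          // only this tab loses its identity
    $token = null;
}

$user = tabUser($token);
echo $user === null ? loginForm() : tabPage($token, $user);
```

The price is the one the reply warns about: every navigation is a POST, so bookmarks, plain links and a reload after a GET drop the tab's identity, and the browser warns on back/forward. Regenerating the session ID on login reissues the one cookie all tabs share, which is harmless here because the tab map moves with the session. Keep in mind that the reply's recommendation still stands: unless a site genuinely needs two accounts open side by side, the login-page guard above is the simpler and safer fix.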
