balzano_1 Posted December 21, 2011

Hi,

I have noticed an issue with SESSIONS in PHP, this is the case:

The website allows users to log in; however, when I log on to the site from the same machine using two instances of Firefox at the same time, but with different accounts, let's say user A and user B, what I noticed is user B overrides user A's login screen, so instead of user A seeing his details he will end up seeing user B's details.

I have a hunch as to why this is happening. I think it's related to the session_name(): when user A logs in, he creates a cookie called PHPSESSID, then when user B logs in he overwrites PHPSESSID with his details, thus user A is now using user B's cookie.

I've tried using unique session names but I can't figure out how to maintain them throughout the site, and I would like to post the code but I'm out of the office right now. I'll be back in tomorrow.

Any suggestions will be much appreciated.

Thank you,
Balzano

ManiacDan Posted December 21, 2011

Sessions are tied to a specific browser. You can't be logged in as one user in one tab and another user in another tab in the same browser, it just doesn't work that way.

What are you trying to accomplish here? What purpose would it serve? Couldn't you just log in as userA in Firefox and userB in Chrome and be done with it?

balzano_1 Posted December 21, 2011

I see. Well, what I'm trying to accomplish is preventing that from happening. I have, as you said, tried this scenario on the same machine but on two different browsers, Firefox and IE, at the same time and it worked fine with no mixing. I'm sure there is a way around this. Maybe if I prevent additional logins from the same browser as long as there is a cookie tied to that session?

Thanks,
Balzano

dzelenika Posted December 21, 2011

It is possible to have two logins, without mixing, in two different tabs. You should dynamically create session names for each login. Different session names are different cookies so there's no data mixing.

ManiacDan Posted December 21, 2011

Prevent what from happening? Describe the problem. Describe your desired solution.

Note that dzelenika's solution won't work, since you'll never be able to tell which cookie is which.

balzano_1 Posted December 21, 2011

> Prevent what from happening? Describe the problem. Describe your desired solution.
>
> Note that dzelenika's solution won't work, since you'll never be able to tell which cookie is which.

The problem: With my website, a user can open a browser, log in to my site, open another tab within the same browser, and log in with a different user account; when he switches back to the previous tab he realizes his initial session is now overwritten by the newer tab.

Desired solution: I would like to restrict active logins to only one per browser, so if the user logs in, opens another tab and visits the login page, he will be redirected to the already logged in account.

Hope that clarifies things.

Thanks,
Balzano

kicken Posted December 21, 2011

> The problem: With my website, a user can open a browser, log in to my site, open another tab within the same browser, and log in with a different user account; when he switches back to the previous tab he realizes his initial session is now overwritten by the newer tab.

Have your login page check if someone is already logged in. If they are, you can either:

A) Log them out then show the login form plus a message saying they have been logged out

-or-

B) Redirect them to whatever page they would normally go to after a successful login. (probably your preferred option)

dzelenika Posted December 21, 2011

> Note that dzelenika's solution won't work, since you'll never be able to tell which cookie is which.

You're right. Sorry for the wrong suggestion, balzano_1.

I found some workarounds on the Internet but they are relatively complicated.

balzano_1 Posted December 21, 2011

> > The problem: With my website, a user can open a browser, log in to my site, open another tab within the same browser, and log in with a different user account; when he switches back to the previous tab he realizes his initial session is now overwritten by the newer tab.
>
> Have your login page check if someone is already logged in. If they are, you can either:
>
> A) Log them out then show the login form plus a message saying they have been logged out
>
> -or-
>
> B) Redirect them to whatever page they would normally go to after a successful login. (probably your preferred option)

Thanks for the suggestion; however, I already do this if the same user tries to log in with the same account more than once. In this case though, we have the same user trying to log into two different accounts (e.g. account A and account B) from the same browser.

I guess the bottom line is, how would I be able to use PHP to identify that duplicate logins are happening from the same browser?

kicken Posted December 21, 2011

> Thanks for the suggestion; however, I already do this if the same user tries to log in with the same account more than once. In this case though, we have the same user trying to log into two different accounts (e.g. account A and account B) from the same browser.

Then you're not doing what I suggest. If you did what I would suggest, the user would never even have the option to log in again, as themselves or as another user, without logging out first.

pseudo code:

```php
<?php
session_start();

if (isset($_SESSION['logged_in']) && $_SESSION['logged_in']) {
    // somebody is logged in already
    // redirect to the home page
    header('Location: index.php');
    exit;
}

if (count($_POST) > 0) {
    // process submitted login form.
}

// show login form.
?>
```
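
A fuller version of the login page described in the post above, added here as an example and not code from any poster in the thread. The account list, passwords and form markup are constructed for illustration; `index.php` and the `logged_in` session key are taken from the pseudo code.

```php
<?php
declare(strict_types=1);

// Constructed sample accounts; a real site would read password hashes from its user table.
function demo_users(): array
{
    return [
        'userA' => password_hash('constructed-password-A', PASSWORD_DEFAULT),
        'userB' => password_hash('constructed-password-B', PASSWORD_DEFAULT),
    ];
}

session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Guard first: this also catches a stale login form submitted from a second tab,
// because the check runs before any POST data is looked at.
if (!empty($_SESSION['logged_in'])) {
    header('Location: index.php');
    exit;
}

$error = null;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    $hash = demo_users()[$user] ?? null;

    if ($hash !== null && password_verify($pass, $hash)) {
        session_regenerate_id(true);   // fresh session ID for the authenticated session
        $_SESSION = ['logged_in' => true, 'username' => $user];
        header('Location: index.php');
        exit;
    }
    $error = 'Invalid username or password.';
}
?>
<form method="post">
  <?php if ($error !== null): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
  <label>Username <input name="username"></label>
  <label>Password <input name="password" type="password"></label>
  <button type="submit">Log in</button>
</form>
```

Replacing `$_SESSION` wholesale at login means nothing stored before authentication carries over into the logged-in session.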

ManiacDan Posted December 22, 2011

What kicken is saying is:

If the user attempts to visit the login page
    If they are already logged in
        Don't show the login page, kick them to the index page instead.

xyph Posted December 22, 2011

You would have to make your browser and the remote server 'know' which cookie is tied to each tab. Your sessions would also have to have unique cookie names.

You have to have a variable specific to each tab, that won't propagate to the other tabs. This means cookies are out of the question.

You could force a secondary token to be passed through the query string. This would have to be added to every list. Have a matching token stored within the session that links it to a specific cookie. This can open up security holes though.

You could turn each link into a form submission, and pass the same token through a hidden field. This prevents a user from accidentally copy+pasting their token somewhere public.

Regardless, you won't be able to use PHP's default session handler.

Since there's no legitimate reason you should have this system set up, I suggest using one of the above solutions that prevents the log-in screen from displaying if a user has already logged in.
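
The per-tab token from the post above, sketched as an added example that is not part of the original thread. It is a simplified variant that keeps per-tab login slots inside one session array and looks them up by a token carried in a hidden form field; the helper names `tab_open`, `tab_resolve`, `tab_field` and the field name `tab` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; none of these names come from the thread.

/** Create a login slot for one tab and return its unguessable token. */
function tab_open(array &$session, string $username): string
{
    $token = bin2hex(random_bytes(16));            // 128-bit random token, hex encoded
    $session['tabs'][$token] = ['username' => $username, 'opened' => time()];
    return $token;
}

/** Map the token a request carried to its slot; null means "not logged in". */
function tab_resolve(array $session, $carried): ?array
{
    if (!is_string($carried) || !preg_match('/^[0-9a-f]{32}$/', $carried)) {
        return null;                               // missing, array-valued or malformed
    }
    foreach ($session['tabs'] ?? [] as $known => $slot) {
        if (hash_equals((string) $known, $carried)) {
            return $slot;
        }
    }
    return null;
}

/** Hidden field that carries the token in the POST body instead of the URL. */
function tab_field(string $token): string
{
    return '<input type="hidden" name="tab" value="'
        . htmlspecialchars($token, ENT_QUOTES) . '">';
}

// Constructed demo: $session stands in for $_SESSION after session_start().
$session = [];
$tabA = tab_open($session, 'userA');
$tabB = tab_open($session, 'userB');

foreach ([$tabA, $tabB, str_repeat('0', 32), null] as $carried) {
    $slot = tab_resolve($session, $carried);
    echo $slot !== null ? "request acts as {$slot['username']}\n" : "no slot: show login form\n";
}
echo tab_field($tabA), "\n";
```

On a real page the slot would be resolved from `$_POST['tab']` on every request, which is why every link has to become a form submission for this scheme to work.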