Unique Session variable enough? getting logged out and in on every project


lobfredd

Hello!

Everybody in my class has their own folder on a domain, so it's like: www.thedomain.no/nameofstudent.

The problem we are facing is that when I log in on my site I also get logged in on all the other students' sites too...

(we are all using Dreamweaver CS5.5)

 

We all have a "Welcome, USERNAME" message on our sites. However, if I first log in on my site, then visit another student's site, I get the message: Welcome, (and the username I logged in with on my site!)

 

Another problem is when I try to access the shopping cart of student X's site (then I get redirected to the login page on his site). If I then leave that tab open in Chrome and open a new one, then go to my login page in that new tab ON my site, then log in on my site, instead of getting redirected to MY index I get redirected to student X's shopping cart...

 

I tried to rename the session variable without luck. (The Dreamweaver default is $_SESSION['MM_Username'])

 

Any suggestions?

 

Hope I made myself understandable.

Thanks

Link to comment
Share on other sites

This seems like an issue caused by session over-use. Use sessions only to track state, not things like page redirects, or other information that could get changed by a user having the same site open in multiple tabs.

 

The easiest, and most secure solution IMO is a custom session handler. One that tracks which 'subdirectory' the session belongs to.

 

Problem here is that a cookie will be accessible to all paths above the one it was set in. A cookie set in the root will be accessible from both root/folderA and root/folderB.

 

Subdomains could be another solution as well, unless a cookie is set to '.domain.com', it won't be accessible from subdomains.

Link to comment
Share on other sites
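
The folder scoping discussed in the reply above, as an added example that is not part of the original thread: it gives each folder its own session cookie name and cookie path, and ties the session data to the folder that created it. It assumes PHP 7.3 or later and one first-level folder per site; the function names and the 'app_folder' session key are hypothetical.

```php
<?php
// session_bootstrap.php: added example, not code from the thread.
// Include it at the top of every page instead of calling session_start() directly.
// Assumption: each site lives in a first-level folder, e.g. /nameofstudent/.

function app_folder(string $scriptName): string
{
    // "/nameofstudent/shop/cart.php" -> "nameofstudent"
    $parts = explode('/', trim($scriptName, '/'));
    // A script in the document root has no folder; fall back to "root".
    return count($parts) > 1 ? $parts[0] : 'root';
}

function start_scoped_session(): void
{
    $folder = app_folder($_SERVER['SCRIPT_NAME']);

    // Separate cookie name per site, so a login or logout on one site
    // never touches another site's cookie.
    session_name('SESS' . preg_replace('/[^A-Za-z0-9]/', '', $folder));

    // Limit the cookie to this folder; PHP's default path "/" sends it
    // to every folder on the domain.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => $folder === 'root' ? '/' : '/' . $folder . '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // All sites still share one session store on the server, so also bind
    // the session to its folder and discard one that was created elsewhere.
    if (!isset($_SESSION['app_folder'])) {
        $_SESSION['app_folder'] = $folder;
    } elseif ($_SESSION['app_folder'] !== $folder) {
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['app_folder'] = $folder;
    }
}

start_scoped_session();
```

The cookie path only controls which requests the browser attaches the cookie to; pages in different folders of one domain are still the same origin, so the subdomain approach mentioned above gives stronger separation.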

Aren't sessions and cookies on the domain, not the folder?

 

If you renamed the session variable, then there's no way that their code which is looking for MM_Username would accept your name which is NOT MM_Username.

Link to comment
Share on other sites

Aren't sessions and cookies on the domain, not the folder?

 

If you renamed the session variable, then there's no way that their code which is looking for MM_Username would accept your name which is NOT MM_Username.

 

I thought the same so I renamed mine, however the problem still exists..

Dreamweaver got a little mad when I changed it. With the slightest change to MM_Username I got this error: Untitled.png

 

and there were suddenly 2 Log in User in the server behavior list..  :confused:

 

This is from my login.php

    // declare two session variables and assign them
    $_SESSION['fgnuser'] = $loginUsername;
    $_SESSION['fgnuserg'] = $loginStrGroup;

 

and this is from my logout.php

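<?php
// *** Logout the current user.
$logoutGoTo = "index.php";
// Start the session if this request has not started one yet.
if (!isset($_SESSION)) {
  session_start();
}
// Clear only this site's login keys; the rest of the session is left in place.
$_SESSION['fgnuser'] = NULL;
$_SESSION['fgnuserg'] = NULL;
unset($_SESSION['fgnuser']);
unset($_SESSION['fgnuserg']);
// Redirect after logout.
if ($logoutGoTo != "") {
  header("Location: $logoutGoTo");
  exit;
}
?>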

 

So the weird thing is when I click the logout button on one of my classmates' sites I get logged out from mine too..

 

EDIT: Kinda figured something out: could one of the students maybe destroy the whole cookie or something to log out?

Link to comment
Share on other sites
