How to restrict login session across browser windows in PHP

[PHPT]

Hi,

How to restrict login session across browser windows in PHP.

After login if we access the pages that are to be accessed after login in separate tabs or browser windows we are able to access. In all these the login sessions are maintained.

How can we restrict the users from accessing the pages that are to be accessed after login using separate browser windows. If they try to access we need to direct them to login page again. How can we do these.

Please suggest. Thanks.

Edited August 8, 2023 by PHPT

[requinix]

PHP can't tell the difference between one tab/window or another. The only option is to restrict all browsing such that the user never even leaves the page at all: by rewriting your site from the ground-up into a single-page application ("SPA"), meaning you're going to set aside a lot of PHP and do the majority of work in Javascript with frameworks like React.

And by the way, this is a bad idea.

[PHPT]

Hi,

Thank you for your reply. 

We are doing performance testing for our PHP web application using jmeter. 

We are trying to login as different users using each browser windows in chrome. So we asked this query. 

 

[Drummin]

There are a number of way to do this, but one basic way is to define the accepted access "levels" on the page and checking the $_SESSION['secure_level'] which is set at login against the page access level on a common CheckPass page. So on a page you might have

<?php
session_start();
$sections = array("Agent","Admin");
include 'CheckPass.php';

Then on your CheckPass page you might have something like this

if(empty($_SESSION['secure_level']) || !in_array($_SESSION['secure_level'],$sections)){
    unset($_SESSION['secure_id']);
    unset($_SESSION['secure_level']);
    session_destroy();
    header("location: ../login.php");
    exit;
}

EDIT:

Guess I misread the op question in that it is not a direct matter of permission but a second login situation.

Edited August 9, 2023 by Drummin
Edit added,

[kicken]

6 hours ago, PHPT said:

We are trying to login as different users using each browser windows in chrome

If you want to be able to login multiple times for testing, use private browsing windows.  Each private browser window will have it's own session.

[maxxd]

Firefox has an extension called Multi-Account Containers that allows you to basically sandbox each tab and prevent communication. Much like using private windows, but in tabs.

[requinix]

7 hours ago, kicken said:

If you want to be able to login multiple times for testing, use private browsing windows.  Each private browser window will have it's own session.

Not Chrome. All incognito windows share the same session data.

[requinix]

14 hours ago, PHPT said:

We are doing performance testing for our PHP web application using jmeter. 

We are trying to login as different users using each browser windows in chrome. So we asked this query. 

Understand that this is a completely different problem than the one you asked for. Specifically, this is a great example of the X/Y problem: asking about your solution of "how to restrict window/tab sessions in PHP" as a means of accomplishing "we want to run some performance testing using multiple independent Chrome windows".

Chrome is capable of running an instance (of the version installed on the computer) using a specific profile directory. It takes a little more setup since you need to create multiple profile directories, but that can be done mostly automatically with appropriate automation.

If you're searching the internet for answers then look in the direction of automated UI testing: that universally involves scripting a browser to perform actions, which is what you want to do.

[kicken]

3 hours ago, requinix said:

All incognito windows share the same session data.

Hm, so they do.  I could have swore I used that trick in the past, but maybe I just did one regular and one private window.

In any case, JMeter doesn't use the browser so there's no problem using it to run requests as multiple users if that's the goal.  Each test thread can have it's own session state and thus user.  Definitely an X/Y problem here.