
Create a new session variable for each website instance.

Hello everyone,
I have a website running multiple times on the same server.
The websites use session id to know if a user is logged in or not.
The problem is that once the user logs in to one of the applications, he is automatically logged in to all of them.

This shouldn’t happen.
Any ideas how I can create unique session IDs for each instance?

thank you

PHP

3 Comments

@NogDog, Feb 12.2011 — If the scripts are all running on the same domain, then yes, they will share session data. An exception would be if they are on different sub-domains [b]and[/b] your PHP session.cookie_domain setting is configured to include the sub-domain part.

Otherwise, you will need to add another $_SESSION element to indicate if a user is logged in to a specific "application". In fact, you may want to simply make your $_SESSION array elements multi-dimensional, where the first dimension indicates the application:
[code=php]
$_SESSION['app_1']['user'] = "NogDog";
$_SESSION['app_1']['some_data'] = 123.456;
[/code]

Then within application #1, you would check to see if $_SESSION['app_1']['user'] is set, and any data specific to that application would be under that same 'app_1' key (or whatever you want to call it, obviously).

@Mig, Feb 21.2011 — Just to jump into this thread and continue, will a session array carry over to other domains on the same server, or is it purely unique to the domain?

e.g. If I set a session var with a very common key like $_SESSION['uid'], is there any way this can be overwritten by another domain on the same server?

@Jarrod1937, Feb 21.2011 — The actual information contained within the $_SESSION super global is actually contained within a file (or a database table, if custom implementation) on the server. The "key" used to access that data store is known as the session id, a unique hash generated for each user (usually made to be as unpredictable as possible, for security). Now, the session id can be sent to the user by two methods:

1.) In the URL as a GET var. However, this method is insecure and isn't widely used. Consider someone sniffing on a network, even if your page is encrypted via SSL, the request URL is still visible, and so is your session id. The session id also has a higher chance of being captured in 3rd party server logs this way (via the "referer" header). And lastly, if you accept the session id through the URL, but don't include extra checks, you make your site vulnerable to session fixation (I send you to example.com/index.php?sessionid=hacked, now I know your session id and can hijack it at any time...).

2.) The main choice is to pass the session id within a cookie to the user. A cookie is simply a small file on each user's computer to store data (never use a cookie for anything directly, that's also insecure). This makes it a lot more secure (though not foolproof), than the GET var method. However, cookies have what's called a same domain policy, which is to increase the security of a cookie, otherwise other sites could just grab your session cookie and impersonate all of your users. But this limitation also makes it impossible to have one site alter the actual session information set by another site... that is unless you pass the cookie through the URL or use a login and session system that is third party to both (which will use a third party cookie).
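
The per-application key from the first reply and the cookie-only session id from the last reply, combined in one sketch. This is an added example, not code from any poster in the thread; APP_KEY, APP_PATH and the function names are hypothetical, and it assumes each instance lives under its own URL path and is served over HTTPS.

```php
<?php
// Added example. APP_KEY and APP_PATH are hypothetical per-instance values;
// every copy of the site defines its own pair.
const APP_KEY  = 'app_1';
const APP_PATH = '/app1/';

function start_app_session(): void
{
    // Take the session id from the cookie only, never from the URL, and
    // refuse ids the server did not issue (the fixation case described above).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // A distinct cookie name per instance gives each instance its own session id.
    // PHP documents session names as alphanumeric, so strip anything else.
    session_name('SESS' . preg_replace('/[^A-Za-z0-9]/', '', APP_KEY));
    session_set_cookie_params([
        'path'     => APP_PATH, // browser sends the cookie only under this path
        'secure'   => true,     // assumption: HTTPS only
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(string $user): void
{
    // Issue a fresh id at login and delete the old session data, so an id
    // known before authentication is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION[APP_KEY]['user'] = $user;
}

function current_user(): ?string
{
    // Only this instance's key counts as "logged in" here.
    return $_SESSION[APP_KEY]['user'] ?? null;
}

function log_out(): void
{
    unset($_SESSION[APP_KEY]);
}

start_app_session();
if (current_user() === null) {
    // Not logged in to this instance: show its login form here.
}
```

The cookie path keeps the browser from sending one instance's cookie to another, but all instances on the same host remain the same origin, so the per-application `$_SESSION` key is still what each instance checks.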