Sessions - Development Vs Deployment

ashish_hareet

Setup - WinXP + PHP4 + Apache

I've managed to get my login page & I'm basically able to protect the members only area using sessions.

One problem though -
whenever I open two browser windows separately & login as two different users, the next call to one user specfic request results in the details of the other user. Will this happen once I deploy the site on the net ? 😕

I'll make this more clear -

User X logs in resulting in a "Welcome User X" string with logout option
User Y logs in using another browser window resulting in "Welcome User Y" string & a logout option
Refersh bowser where user X logged in & hey - you get "Welcome User Y"

In case I repeat steps 1 & 2 & logout - say user X - & then referesh the screen where user Y logged in, then user Y is also logged off.

A peek at the dir where my session files are stored revealed that it makes only one file even though I've got mutliple users to track.

The question's are as follows -

Do I need to change my php.ini file so that seperate session files are created for each user ?
Willl this problem occur once I deploy it on the net - our server is not yet up so I can't really try it out .
Do I need to do something extra for this to work - say cookies or unique session id's, etc.
Is it coz I'm notting creating any unique sessions id's for my user - I'm relying on the defaults.
[/list=1]

Any & all help would be greatly appreciated
Cheers,
Ashish H.

spirp

If you're using the defaults, it's supposed to work like this. This is what happens:

Log in
Sessions is created, and a cookie is set with the current session ID (sess_x).
Log in again (in another window)
Another session is created, and the new session ID (sess_y) is set in the cookie created in the previous step
Reload the page in the first browser-window
The page is GET:ed, and the script gets the session ID stored in the cookie, sess_y.
Log out
The session ID (sess_y) from the cookie is destroyed. The first session (sess_x) remains, as there is nothing telling the script to destroy it.

I guess this could be fixed by using the URL rewriting mode of PHP Sessions, but I'm not sure it would help. Try and tell us 🙂

Good luck,
Olle

jabba_29

1: No, this happens with sessions everywhere, ie using PHP, JSP etc.

2: Yes

3: Session id's are unique. However, if you log in, start session, then log off. Then log in again, the session id is the same if you haven't closed your browser already.

4: No

If you want to open 2 sessions at a time, use different browsers :-)

Jamie

spirp

I'm not sure, but wouldn't it be possible to solve this problem with the URL-rewriting technique? This shouldn't create a cookie, and therefor the two instances the browser creates shouldn't have anything in common (except for a whole bunch of things, but their sessions should be separate)?

//Olle

mrgym

I don't know if you're using any session or auth classes, but any time you use session_start() it sends a header with a cookie -- see second page of this article;

http://www.onlamp.com/pub/a/php/excerpt/webdbapps_8/

What you could do is;

Use another (second) browser for development. this will give you two views I suggest Opera (opera.com).
Don't use classes that use session_start(). You would have to use a session variable (polynomial) in the URL (http://blah.com?sess=polynomial) that would be linked to entries in a database table. ( sess_id, polynomial, serialized variables). This sort of functionality is seen in phplib. (I BELIEVE that pear only uses cookie)

keith73

Sounds like you're using cookies to maintain the sessions. When you open a new browser window, using the same browser, it will just overwrite the original cookie.

I usually allow the user to allow a cookie to be set, or not to use cookies. When they login, a radio button value of yes or no (1/0,true/false) is passed with their login info. If they opt to use cookies, a cookie is set. If they don't want to use cookies, then cookies must be turned off before calling session_start(); this will automatically append the session ID name = session id to all links on the page.

ini_set('session.use_cookies',FALSE);
session_start();

The session code is in 1 file which gets included in each of the other pages.

After login, I check to see if a cookie is set. If no, it will call ini_set again before calling session_start.

keith