Multi-users with session

Techissue2008

Hi,

I have 2 php programs. Both use the same session_start();

User A login to 1st php page, User B login to 2nd php page (request points to login).

User A login after B's login.

I set point condition for user to login to 2nd php page (but not 1st php page), they need to have certain points and able to login to 2nd page, otherwise, he will be redirected to other page.

User A does NOT has certain points, but B has.

B logged in and view 2nd page. A logged in to view 1st page. B was forced to redirect to other page. It means User A's session replaced B's in 2nd page.

How to handle multi-users with session?

Thanks for help

NogDog

Are you testing by using two login accounts on the same PC using the same browser (different tabs or browser windows)? If so, then that's likely the problem, as the browser would be sending the same session cookie.

You'll either need two separate computers, or simply use two different browsers on the same one (e.g.: IE and Firefox) so that each uses its own cookies.

Techissue2008

I tested it on 2 computers with different browsers.

Sometimes, after user A login, A can view B's info.

How can it be fixed as it is critical bug?

NogDog

I'm sure it can be "fixed", but not without understanding what is wrong in the code in the first place. Each session should be getting its own unique session ID, and that session ID is used to differentiate which session data is accessed on the host. If one user's session is seeing another's, then either you are somehow having them use the same session ID via misuse of the session functions, you have used a custom session handler function/class with one or more errors in it, or you have stumbled upon a PHP bug of which I am unaware.

Techissue2008

It is the php code for session created in login page with enter button:

<?php
ob_start();
$login=$_POST['enter'];
if($login)
{ 
$username=$_POST['username'];
$password=$_POST['password'];
//...code to connect to DB
$result=mysql_query("select username, password from user where username='$username' and password='$ppassword'");
if(mysql_num_rows($result)!='0')
	{
	  $_SESSION['log'] = 1;
          $_SESSION['username'] = $username;
	  while (ob_get_level())
          ob_end_clean();
          header("location: 1st.php"); 
	  ob_end_flush();
          exit();
         }
} 
?>

It is the php code for getting session in after login page, i.e. 1st.php

<?php
session_start();
ob_start();
if ($_SESSION['log'] !== 1) {
    unset($_SESSION['log']);
    header('location: register.php');
    ob_end_flush();
    exit();
}
else
{
	if(isset($_SESSION['username']))
	{
	$username = $_SESSION['username'];
//below is the program code to use the $username variable.

I only use the above code for session username.

I have many php pages using the $username variable.

When different users login to the program, sometimes, not each time, they will view other people's info.
e.g., User A login, 1st page will display "Hello, Mr A, welcome to my website".
However, I tried that when User A login, it shows "Hello, Mr B, welcome to my website". and shows Mr B's info.
It made me crazy. Any mistake of the session code?

I use php 5. I have to use ob_start() and ob_end_clean(); otherwise, it will have error page.

laserlight

It is the php code for session created in login page with enter button:

The use of output buffering is unnecessary here and obscures the correct logic. I think the problem is that you do not actually use session_start() before attempting to register session variables. It also seems that $SESSION['log'] is just a flag that is set when the user logs in. However, since you set the username when the user logs in, you might as well just use that instead. As such, I think you should write something along these lines:

<?php
if (isset($_POST['enter'], $_POST['username'], $_POST['password']))
{
    //...code to connect to DB
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    $result = mysql_query("SELECT COUNT(*) FROM `user`
        WHERE `username`='$username' AND `password`='$password'");

if (mysql_result($result, 0) == 1)
{
    session_start();
    $_SESSION['username'] = $_POST['username'];

    // Redirect the user (example adapted from PHP manual on header).
    $host = $_SERVER['HTTP_HOST'];
    $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
    header("location: http://$host$uri/1st.php");
    exit;
}
else
{
    // Print login error message.
}
}
else
{
    // Print login form, etc.
}
?>

It is the php code for getting session in after login page, i.e. 1st.php

Likewise, output buffering is unnecessary. I would suggest something along these lines:

<?php
session_start();

if (!isset($_SESSION['username']))
{
    // Destroy the session (example taken from PHP manual on session_destroy).
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 42000, '/');
    }
    session_destroy();

// Redirect the user (example adapted from PHP manual on header).
$host = $_SERVER['HTTP_HOST'];
$uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
header("location: http://$host$uri/register.php");
exit;
}

echo 'Hello ' . htmlspecialchars($_SESSION['username']); // example...
// ...
?>

I have to use ob_start() and ob_end_clean(); otherwise, it will have error page.

Instead of using output buffering, make sure that you never print any output before sending a header (and that includes using session_start and setcookie).