Session Problem

philosophology

I have coded a simple user authentication for my website and there is a problem. When I log in on firefox on another tab then the sessions get messed up, this creates a security problem where a user is suddenly authenticated as the admin if admin has logged in on the first tab.
I am guessing the second tab is using the session data from the first tab. How can make sure that this doesn't happen? How can I do a new session each time there is a new tab or window?

philosophology

I just realized another problem...
Sessions from www.mydomain.com and mydomain.com are different! I can go to one or another and log in and then the sessions get messed up too.

Since I'm not getting any replies, can anyone at least tell me where I can find standard procedures for doing an user authentication system? or if you have previously done it and can share some experiences...

thanks.

NogDog

Cookies are browser-wide, not tab-specific. If you want to test different users from the same PC, use different browsers (such as Firefox and IE, or IE and Opera, etc.).

To negate the effect of the subdomain on your session cookies, set session.cookie_domain to ".domain.com" (note the leading ".") in your PHP config.

philosophology

That didn't work.

Does anyone have experience in implementing sessions? I think I may very well write the whole damn thing from scratch.

NogDog

What did you change? If you changed the php.ini file, did you restart the web server? Did you make sure the change "took" (whether by php.ini or a .htaccess file) by checking the value via ini_get() or phpinfo() in a script? Also don't forget to clear the applicable cookies on your browser after making changes in order to make sure you're not using old cookies.

And yes, I have plenty of experience with implementing sessions and never really had any problems with them.

philosophology

Yes I just looked at the phpinfo() and restarted everything and cleared the browser cookies. Still, www.mydomain.com does not use the same sessions as mydomain.com

Other than that, I was wondering if you could please guide me as how to code the sessions, I don't expect code, but at least maybe a series of tasks that I should do.

Right now this is what my code looks like:

index page:

...

    if (isset($_SESSION['valid_user'])){
	//$username = $_SESSION['valid_user'];
	header("Location: member.php");
} else {
	// unsuccessful login do NOTHING!
}

member page:

...

if ($username && $passwd)
// they have just tried logging in
{
	$loggedin = login($username, $passwd);

if (!$loggedin)
{
	// unsuccessful login
echo ('Problem: ');
echo 'You could not be logged in. You must be logged in to view this page. ';
	echo ('<a href="index.php">Log in</a>');
	echo "</BODY></HTML>";
	exit;
} else {
	// if they are in the database register the user id
	$_SESSION['valid_user'] = $username;
}
} 

if (isset($_SESSION['valid_user'])){
	$username = $_SESSION['valid_user'];
} else {
	// unsuccessful login
   echo ('Problem: ');
   echo 'You could not be logged in. You must be logged in to view this page. ';
   echo ('<a href="index.php">Log in</a>');
   echo "</BODY></HTML>";
	exit;
}

// Check what the user's function is (i.e. member, admin, ...)
if (check_usrfunction($username) == "admin"){
	echo "<a href='member_admin.php'>admin page</a>";
}

philosophology

I am guessing some of the problem is with this part :

        $_SESSION['valid_user'] = $username;
      }
}

if (isset($_SESSION['valid_user'])){
    $username = $_SESSION['valid_user'];

what do u think?