[RESOLVED] $_SESSION[]'s vs Browser Tabs

jeepin81

So, this is probably a very general question that can probably become complex...

I have login page with multiple users that have access. Once they login I create some $_SESSION[]'s w/ static names. For example:

$_SESSION['user'] = $user;
$_SESSION['userNo'] = $userNo;
$_SESSION['ticket'] = $ticket;
//etc..

Today I had person testing and using different user accounts. Though, instead of using the log out that unset()'s those static sessions they were just opening a new tab in the browser. So, those $_SESSION[]'s were holding original data from their first test.

Doing some searching I saw setting a unique token and adding that to the URL & DB and making sure those match while the user navigates. If the URL & DB token don't match log that user out. Seems like a pretty straight forward solution.

Are there some other common practices you could point me towards or other concepts I should consider with this type of user system.

I apologize this is so open ended and appreciate any feedback.

NogDog

Well...my first thought is to not add something like that for the sole purpose of helping the tester. I'd recommend the tester instead do something like using Firefox and then selecting "File -> New Private Window" for each different user/login s/he wants to test.

Derokorian

NogDog;11052279 wrote:
Well...my first thought is to not add something like that for the sole purpose of helping the tester. I'd recommend the tester instead do something like using Firefox and then selecting "File -> New Private Window" for each different user/login s/he wants to test.

Or similarly, Chrome's incognito window (ctrl+shift+n on windows and linux)

dalecosp

jeepin81;11052271 wrote:
So, this is probably a very general question that can probably become complex...

I have login page with multiple users that have access. Once they login I create some $_SESSION[]'s w/ static names. For example:
$_SESSION['user'] = $user;
$_SESSION['userNo'] = $userNo;
$_SESSION['ticket'] = $ticket;
//etc..
Today I had person testing and using different user accounts. Though, instead of using the log out that unset()'s those static sessions they were just opening a new tab in the browser. So, those $_SESSION[]'s were holding original data from their first test.

Doing some searching I saw setting a unique token and adding that to the URL & DB and making sure those match while the user navigates. If the URL & DB token don't match log that user out. Seems like a pretty straight forward solution.

Are there some other common practices you could point me towards or other concepts I should consider with this type of user system.

I apologize this is so open ended and appreciate any feedback.

I suppose you could base64encode all the session data, the page content, and everything else, stick that in a hidden input on the page, make the whole page a <form> with action set to itself, and then ... wait a minute, someone already tried that, and it sucks.

I'm probably not much help on this. Anyone suppose this is more, or less, related to all those sites that are now using JS to append an anchor label to any link you copy from their page?

jeepin81

Thanks for the responses. We ended up just having the user actually log out and then re login with the next account they were testing.

dalecosp;11052283 wrote:
I'm probably not much help on this. Anyone suppose this is more, or less, related to all those sites that are now using JS to append an anchor label to any link you copy from their page?

I'm not sure what that means? :bemused:

dalecosp

It's a little off-topic. One of the things we do in my company is content curation. There are several "news sites" (I'll see if I can find one) that have some JavaScript in them that, when you copy text or a link from the page, what you actually get has a unique string appended:

This is a quote from a news story on one of those sites.  

Read more about this story at oneofthosesites.com/path/to/name/of/story.html#4kici3l3k30UNIQ

Or a copied link:

http://oneofthosesites.com/path/to/name/of/story.html#4kici3l3k30UNIQ

I'm pretty sure it's all about tracking; one of the services that these folks use is tynt.com.

cretaceous

FWIW: when I need mulitple simultaneous access levels I put them in different session arrays
e.g.
$SESSION['topuser']['user'] = $user;
$SESSION['topuser']['userNo'] = $userNo;

and
$SESSION['baseuser']['user'] = $user;
$SESSION['baseuser']['userNo'] = $userNo;

I've not needed more than two levels on a daily basis