  1. #1
    New Coder
    Join Date
    Dec 2012
    Posts
    22
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Problem using $_SESSION

    Hi,

    I have been trying to use $_SESSION when a user successfully logs in to a website (e.g. abc.com), but I am not sure why, when I log in to another website (e.g. zzz.com) simultaneously, it captures zzz.com's details and shows them in abc.com.

    Steps to reproduce:

    1. Log in to abc.com

    2. Upon successful login, in home.php, I echo the $_SESSION["number"]. It correctly shows the staff's number (e.g. E123).

    ---------------------------------
    login.php
    -------------------------------------

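    <?php
    // Start (or resume) the session before touching $_SESSION.
    session_start();

    // Look up the staff row matching the submitted credentials.
    // Uses the mysql_* API as posted (removed in PHP 7) and assumes a connection is already open.
    $login=mysql_query("SELECT * FROM staff WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "')");
    $row=mysql_fetch_array($login);

    if (mysql_num_rows($login)==1){
        // Mark the session as authenticated and remember the staff number.
        $_SESSION["login"]=true;
        $_SESSION["number"]=$row['number'];

        header('Location: home.php');
        exit; // stop the script once the redirect header is sent
    }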
    ------------------------------------------

    -------------------------------------------
    home.php
    --------------------------------------

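    <?php
    session_start();
    // Send visitors without an authenticated session back to the login page.
    if(empty($_SESSION["login"])){
        header('Location: index.php');
        exit; // without this, the rest of the page would still be sent
    }

    echo $_SESSION['number'];

    ?>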
    -------------------------------------

    3. However, if I log in to another website (e.g. zzz.com) using username E999 and go back to abc.com, $_SESSION['number'] changes from E123 to E999.

    Both abc.com and zzz.com are using different databases, so why is $_SESSION['number'] in abc.com capturing the info from the other website?

    Can anyone kindly advise on this? Thanks.

  • #2
    Regular Coder
    Join Date
    Nov 2012
    Posts
    115
    Thanks
    7
    Thanked 12 Times in 12 Posts
    Are you visiting zzz.com in the same browser or browser session? In that case the session details will simply be overwritten, if zzz.com uses the same session-variable ($_SESSION['number']) as abc.com.

    Someone please correct me if I'm wrong, but is this solvable by storing your sessions in a local database and pulling the information from there? I've never worked with this before, so can't elaborate on the exact workings.

  • #3
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,283
    Thanks
    57
    Thanked 523 Times in 510 Posts
    Blog Entries
    5
    It shouldn't make any difference Thyrosis. The session cookie should be domain specific. The browser should recognise the difference between abc.com and zzz.com and only send the cookies related to each domain.

    To be honest, I don't think there is anything wrong with the code that I can see. I think there might be something else going on with the browser or the configuration.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #4
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Not necessarily, there is one other potential cause non-related to cookies.
    Are you sure you are using cookies for your sessions? Are you passing a querystring in any fashion that would allow the second domain (this is a domain right? Not a subdomain which is a completely different problem) which if hosted on the same server could read the same session file?
    The only time websitea.com and websiteb.com can actually change data in each other's sessions is if they are on the same server AND phpsessid is passed through the querystring to the other server. You can try changing the save path locally by setting session_save_path to a new location prior to calling session_start.

  • #5
    New Coder
    Join Date
    Dec 2012
    Posts
    22
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Hi,

    Actually, as I suspect, it might be because both websites are on the same host (testing) and the session variable (number) is the same.

    my 1st website:
    http://testing/abc/login.php
    $_SESSION['number']

    my 2nd website:
    http://testing/zzz/login.php
    $_SESSION['number']

    There is one way where I can change all the session variables to different names, but it would be a problem if I have a lot of web applications.

    Can anyone please kindly advise if there is any code where the session variables will not inter-link between different web applications even though they are on the same host with the same session variable name?

    Thanks in advance for the help.

  • #6
    New Coder
    Join Date
    Dec 2012
    Posts
    22
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Hi,

    Thanks for the advice.

    I have found out 1 solution where I can use a unique session_name in different sites on the same host.

    config.php:
    <?php
    session_name('test');
    session_start();
    ?>

    at the beginning of each file:
    <?php
    include 'config.php';
    ?>

  • #7
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    The other alternative(s) which I would recommend over the session_name is changing the session's save path (do it in a global file used prior to anything else), and using a database instead. Both of these eliminate the possibility of conflict, assuming they are both configured differently.
    Lately I've learned more about the sessions when using the save handler. It's definitely easier to use than my old manual db sessions and a lot less code overall, but I had to write the encoder and decoders for the serialized data since PHP doesn't really have a built-in way of doing it (and I don't pull from the session superglobal itself). So that did take a bit of work. If you don't need to split up the data, then that won't be necessary, just a blob type would do.

  • #8
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,283
    Thanks
    57
    Thanked 523 Times in 510 Posts
    Blog Entries
    5
    Quote Originally Posted by holy24 View Post
    I have found out 1 solution where I can use a unique session_name in different sites on the same host.
    That shouldn't really have affected it though in the first place. When you call session_start, it should generate its own random identifier and (assuming you're using the default cookies to store it) should only be used on a per-domain basis.

    I still think there is something else here that is playing up.

  • #9
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Quote Originally Posted by tangoforce View Post
    I still think there is something else here that is playing up.
    Yep, there sure is. If it's actually going across domains, the only way to pass the sid is via the querystring. So if you check the HTML links you may find that the sid is being passed across domains which should be fixed immediately.
    Given the one post here though, I question if we are actually looking at separate domains. There is indication that it's simply under /abc/ and /zzz/, in which case session cookies can be modified to only adhere to the directory level in which they were set. That can be done via an ini set as well with the session.cookie_path and changing it to /specificdir prior to calling session_start(). That should work.
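
Added example (not code from any poster in this thread): a shared config.php that combines the three isolation measures discussed above for two applications on one host, namely a per-application session name, a cookie path limited to the application's directory, and a separate save path, and also stops the session ID travelling in URLs. The function name start_app_session(), the SESS prefix and the /var/lib/php/sessions/ base directory are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// config.php - include this at the top of every script of one application.
// Assumed layout from the thread: http://testing/abc/ and http://testing/zzz/.

function start_app_session(string $app): void
{
    // The app name ends up in a cookie name and a filesystem path,
    // so accept only a short lowercase alphanumeric identifier.
    if (!preg_match('/^[a-z][a-z0-9]{0,31}$/', $app)) {
        throw new InvalidArgumentException('invalid application name');
    }

    // Keep the session ID out of URLs, so a link can never carry
    // it to another site, and reject IDs the server did not issue.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // 1. Distinct cookie name per application instead of the shared PHPSESSID.
    session_name('SESS' . strtoupper($app));

    // 2. Cookie is only sent back for URLs below this application's directory.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,                 // expires when the browser closes
        'path'     => '/' . $app . '/',  // e.g. /abc/
        'secure'   => $https,            // HTTPS-only when the site uses HTTPS
        'httponly' => true,              // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    // 3. Separate directory for session files, so the two applications
    //    never open the same file even if they see the same ID.
    $dir = '/var/lib/php/sessions/' . $app;   // assumed base directory
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    session_save_path($dir);

    session_start();
}

start_app_session('abc');   // the copy under /zzz/ calls start_app_session('zzz')
```

The cookie path only controls which requests the browser attaches the cookie to; the separate save path is what keeps the server-side session data apart.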

  • #10
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,283
    Thanks
    57
    Thanked 523 Times in 510 Posts
    Blog Entries
    5
    Quote Originally Posted by Fou-Lu View Post
    There is indication that it's simply under /abc/ and /zzz/
    You know something Fou, I think you may well be right. Thinking about it, many registrars offer domain forwarding via frames so you can point it straight at a url instead of tinkering with DNS which many folks don't understand how to use. That would certainly explain the same sessions being used with two different domains using the same domain as the main host.

