CodingForums.com

holy24 01-09-2013 06:06 AM

Problem using $_SESSION
 
Hi,

I have been trying to use $_SESSION when a user successfully logs in to a website (e.g. abc.com), but I am not sure why, when I log in to another website (e.g. zzz.com) simultaneously, it captures zzz.com's details and shows them in abc.com.

Steps to reproduce:

1. Login to abc.com

2. Upon successful login, in home.php, I echo $_SESSION["number"]. It correctly shows the staff's number (e.g. E123).

---------------------------------
login.php
-------------------------------------

<?php
session_start();

// Look up the staff member by username and MD5 of the submitted password.
$login = mysql_query("SELECT * FROM staff WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "')");
$row = mysql_fetch_array($login);

if (mysql_num_rows($login) == 1) {
    $_SESSION["login"] = true;
    $_SESSION["number"] = $row['number'];

    header('Location: home.php');
    exit; // stop here so nothing after the redirect is executed or sent
}
?>
------------------------------------------

-------------------------------------------
home.php
--------------------------------------

<?php
session_start();

// Redirect anonymous visitors; exit so the staff number below is never echoed to them.
if (empty($_SESSION["login"])) {
    header('Location: index.php');
    exit;
}

echo $_SESSION['number'];
?>
-------------------------------------

3. However, if I log in to another website (e.g. zzz.com) using username E999 and go back to abc.com, the $_SESSION['number'] changes from E123 to E999.

Both abc.com and zzz.com are using different databases, so why is the $_SESSION['number'] in abc.com capturing the info from the other website?

Can anyone kindly advise on this? Thanks.

Thyrosis 01-09-2013 09:35 AM

Are you visiting zzz.com in the same browser or browser session? In that case the session details will simply be overwritten, if zzz.com uses the same session variable ($_SESSION['number']) as abc.com.

Someone please correct me if I'm wrong, but is this solvable by storing your sessions in a local database and pulling the information from there? I've never worked with this before, so can't elaborate on the exact workings.

tangoforce 01-09-2013 12:13 PM

It shouldn't make any difference Thyrosis. The session cookie should be domain specific. The browser should recognise the difference between abc.com and zzz.com and only send the cookies related to each domain.

To be honest, I don't think there is anything wrong with the code that I can see. I think there might be something else going on with the browser or the configuration.

Fou-Lu 01-09-2013 01:32 PM

Not necessarily, there is one other potential cause non-related to cookies.
Are you sure you are using cookies for your sessions? Are you passing a querystring in any fashion that would allow the second domain (this is a domain right? Not a subdomain which is a completely different problem) which if hosted on the same server could read the same session file?
The only time websitea.com and websiteb.com can actually change data in each other's sessions is if they are on the same server AND phpsessid is passed through the querystring to the other server. You can try changing the save path locally by setting session_save_path to a new location prior to calling session_start.

holy24 01-10-2013 12:48 AM

Hi,

Actually, as I suspect, it might be because both websites are on the same host (testing) and the session variable (number) is the same.

my 1st website:
http://testing/abc/login.php
$_SESSION['number']

my 2nd website:
http://testing/zzz/login.php
$_SESSION['number']

There is one way where I can change all the session variables to different names, but it would be a problem if I have a lot of web applications.

Can anyone please kindly advise if there is any code where the session variable will not inter-link between different web applications even though they are on the same host and use the same session variable name?

Thanks in advance for the help.

holy24 01-10-2013 02:25 AM

Hi,

Thanks for the advice.

I have found one solution where I can use a unique session_name in each different site on the same host.

config.php:
<?php
session_name('test');
session_start();
?>

at the beginning of each file:
<?php
include 'config.php';
?>

Fou-Lu 01-10-2013 02:23 PM

The other alternative(s) which I would recommend over the session_name is changing the session's save path (do it in a global file used prior to anything else), and using a database instead. Both of these eliminate the possibility of conflict, assuming they are both configured differently.
Lately I've learned more about the sessions when using the save handler. It's definitely easier to use than my old manual db sessions and a lot less code overall, but I had to write the encoder and decoders for the serialized data since PHP doesn't really have a built in way of doing it (and I don't pull from the session superglobal itself). So that did take a bit of work. If you don't need to split up the data, then that won't be necessary, just a blob type would do.
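The database-backed alternative Fou-Lu describes, as an added example that is not his code or anything posted in the thread: a minimal session store built on PHP's SessionHandlerInterface (PHP 5.4 and later) over PDO/SQLite. The serialized session payload is kept opaque in a blob column, exactly as PHP hands it to write(), so no custom encoder or decoder is needed unless you want to query individual fields. The table name, the $appName column and the SQLite file location are assumptions for this example; the app column is what keeps two applications sharing one database from ever reading each other's rows, even if one of them were handed the other's session id.

```php
<?php
// Added example (not from the thread): a database session store that keeps
// each application's rows apart by an app name column.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    private PDO $pdo;
    private string $app;
    private int $ttl;

    public function __construct(PDO $pdo, string $appName, int $ttlSeconds = 1440)
    {
        $this->pdo = $pdo;
        $this->app = $appName;
        $this->ttl = $ttlSeconds;
        // Assumed schema: one row per (app, session id); data is an opaque blob.
        $pdo->exec('CREATE TABLE IF NOT EXISTS sessions (
            app TEXT NOT NULL, id TEXT NOT NULL, data BLOB NOT NULL,
            expires INTEGER NOT NULL, PRIMARY KEY (app, id))');
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    // Only rows belonging to this app, and not yet expired, are ever returned.
    public function read($id): string
    {
        $stmt = $this->pdo->prepare(
            'SELECT data FROM sessions WHERE app = ? AND id = ? AND expires > ?');
        $stmt->execute([$this->app, $id, time()]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;
    }

    // $data is PHP's own serialized form of $_SESSION; stored as-is.
    public function write($id, $data): bool
    {
        $stmt = $this->pdo->prepare(
            'INSERT OR REPLACE INTO sessions (app, id, data, expires) VALUES (?, ?, ?, ?)');
        return $stmt->execute([$this->app, $id, $data, time() + $this->ttl]);
    }

    public function destroy($id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE app = ? AND id = ?');
        return $stmt->execute([$this->app, $id]);
    }

    // Garbage collection removes expired rows of every app sharing the table.
    public function gc($maxLifetime): int
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE expires <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

// Wiring for the /abc/ application; the /zzz/ copy passes 'zzz' instead.
$pdo = new PDO('sqlite:' . sys_get_temp_dir() . '/sessions.sqlite'); // assumed location
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new PdoSessionHandler($pdo, 'abc');
session_set_save_handler($handler, true); // true registers session_write_close() at shutdown
session_name('ABC_SESSID');
session_start();
```

With this in place, the same browser logging in to /abc/ and /zzz/ produces two rows under two different app values, and a session id that somehow reached the other application (for instance through a query string) resolves to nothing there.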

tangoforce 01-10-2013 04:48 PM

Quote:

Originally Posted by holy24 (Post 1305190)
I have found out 1 solution where i can use a unique session_name in different site in the same host.

That shouldn't really have affected it though in the first place. When you call session_start, it should generate its own random identifier and (assuming you're using the default cookies to store it) should only be used on a per-domain basis.

I still think there is something else here that is playing up.

Fou-Lu 01-10-2013 05:15 PM

Quote:

Originally Posted by tangoforce (Post 1305311)
I still think there is something else here that is playing up.

Yep, there sure is. If it's actually going across domains, the only way to pass the sid is via the querystring. So if you check the HTML links you may find that the sid is being passed across domains, which should be fixed immediately.
Given the one post here though, I question if we are actually looking at separate domains. There is indication that it's simply under /abc/ and /zzz/, in which case session cookies can be modified to only adhere to the directory level in which they were set. That can be done via an ini set as well with the session.cookie_path and changing it to /specificdir prior to calling session_start(). That should work.
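The three separation measures discussed in the thread combined into one bootstrap, as an added example that is not code from any of the posters: holy24's unique session_name, Fou-Lu's session.cookie_path scoped to the application's directory, and a per-application save path. It also refuses session ids from the query string, which closes the cross-site route Fou-Lu warns about. The function names, the directory layout (each application under its own path below one host, as in http://testing/abc/ and http://testing/zzz/) and the save directory under the system temp directory are assumptions for this example.

```php
<?php
// Added example (not from the thread): keep the sessions of several
// applications apart when they live under one host such as http://testing/.
declare(strict_types=1);

function bootstrap_app_session(string $appName, string $appPath, string $savePathRoot): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by an earlier include
    }

    // 1. A distinct cookie name per application: the browser then holds
    //    ABC_SESSID and ZZZ_SESSID as two independent cookies instead of one
    //    shared PHPSESSID that both applications would resolve.
    session_name(strtoupper($appName) . '_SESSID');

    // 2. Scope the cookie to the application's own path (the
    //    session.cookie_path approach), so a request for /zzz/ is never sent
    //    the /abc/ cookie at all. HttpOnly keeps page scripts from reading it.
    ini_set('session.cookie_path', $appPath);
    ini_set('session.cookie_httponly', '1');

    // 3. Never accept a session id from the query string; this removes the
    //    PHPSESSID-in-the-URL route by which one site could be handed the
    //    other's id.
    ini_set('session.use_only_cookies', '1');

    // 4. A separate save directory per application, so that even an identical
    //    id could not map to the same session file on disk.
    $dir = rtrim($savePathRoot, '/') . '/' . $appName;
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    session_save_path($dir);

    session_start();
}

// Call after the credentials check succeeds: a fresh id prevents a session
// fixed by an attacker before login from becoming the authenticated one.
function establish_login(string $staffNumber): void
{
    session_regenerate_id(true);
    $_SESSION['login'] = true;
    $_SESSION['number'] = $staffNumber;
}

function is_logged_in(): bool
{
    return !empty($_SESSION['login']);
}

// config.php of the /abc/ application; the /zzz/ copy passes 'zzz' and '/zzz/'.
bootstrap_app_session('abc', '/abc/', sys_get_temp_dir() . '/php_sessions');

// Check the effective cookie scope while setting this up: if the path is
// still '/', both applications will keep seeing the same cookie.
$params = session_get_cookie_params();
if ($params['path'] !== '/abc/') {
    error_log('session cookie path is ' . $params['path'] . ', expected /abc/');
}
```

Any one of the three measures is enough to stop the overwriting holy24 observed; using all of them means that a misconfiguration of one (say, a forgotten cookie path in a new application) does not reopen the problem.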

tangoforce 01-10-2013 06:04 PM

Quote:

Originally Posted by Fou-Lu (Post 1305318)
There is indication that its simply under /abc/ and /zzz/

You know something Fou, I think you may well be right. Thinking about it, many registrars offer domain forwarding via frames so you can point it straight at a url instead of tinkering with DNS which many folks don't understand how to use. That would certainly explain the same sessions being used with two different domains using the same domain as the main host.

