I have many applications written in CodeIgniter 3, and every application has a different session cookie name. One day I tried to build a simple Single Sign On over them by myself. My thought was to just create one more application to act as the gate for authenticating users, so I pulled the users table from the other applications into that one. I tried logging in there by setting the session name for every application, but when I try to get the session value in each application it is blank. I checked the browser cookies and I do have the session name, so is there something I'm missing here? I don't fully understand how the global $_SESSION variable works. Thank you.
Related
I have a small situation here but I wanted to try and be sure I was approaching this in a correct way.
I have a web application that is used by several shops.
Each shop is authenticated through htaccess and htpasswd in order to connect to the correct database.
This portion works great!
Each shop has multiple employees but each employee uses a separate computer/workstation.
So it goes Shop logs in, gets authenticated, connects to proper database and then loads a login page.
At the login page the user logs into the application using name and password, and they are good to go.
At this point I am loading user information (UserID, Security Level, etc) into the session.
Part of my problem is trash collection, as every once in a while the session variables are getting lost.
Every page has session_start as the first thing, so I imagine that after an hour or so of inactivity the session is getting collected by the trash collector and, poof, it is gone.
I am toying with the idea of loading the user information into the $GLOBALS supervariable to avoid losing the session due to inactivity.
Now, I realize that there are ways to delay/stop the trash collector in PHP, but it seems to me that if I use the global scope it removes the need for extra coding or configuring of PHP.
Am I correct in assuming that as long as each user is on their own machine accessing the site that using the $GLOBALS will only apply to each user?
I think you have a general misconception of session and global variables.
Global variables are the variables which remain common for the whole application… Their value can be used across the whole application, whereas Session variables are variables which remain common for the whole application but for one particular user. They also can be used across the whole application… But they die when a particular user session ends.
https://stackoverflow.com/a/14848246/1022914
I recommend using sessions though. Check the user details against user data stored in a database. If it passes authentication, create session variables with user data to be used across your pages. This makes things a whole lot easier.
You can use a cache. It can help you keep the user logged in always, like Facebook.
My Laravel PHP application stores various user interface states using Session::put().
I was surprised to discover that session variables seem to be retained between different users who log in sequentially on one PC. For example:
log in as user1, set some UI options, log out
log in as user2, expect to see default UI options, actually see user1's options
I've tried with native and database session drivers.
Why are session variables retained between different users on the same PC? Wouldn't this be regarded a security defect? Is this a Laravel or general PHP issue, or my implementation? What's the correct solution?
Why are session variables retained between different users on the same PC?
Presumably because they are logging out of your application, but not the user environment for the OS and are not closing the browser either.
Wouldn't this be regarded a security defect?
It is more a case of bad security practices on the part of the end users.
Is this a Laravel or general PHP issue, or my implementation? What's the correct solution?
Clear the session data when the user logs out.
Why are session variables retained between different users on the same PC?
You are mistaking "sessions" and "auth". They are not the same thing.
You can have a "session" without being logged into Laravel (or most web applications).
When you log in to an application, that is simply added onto your current session. But when you log out of the application your current session continues, just without the auth bit.
What's the correct solution?
If you want to clear the session of all data - you must flush it:
Auth::logout();
Session::flush();
(note: the comment suggestion above to use Session::regenerate() is incorrect; that will only regenerate the session ID, not the data, which will remain)
I am fairly new to PHP programming and I think I might have some security issues with session variables.
I am currently working on a project which has 3 modules which require separate login credentials.
The 3 modules are for students, teachers and administration.
After the user logs in to the respective portals, these credentials are stored as session variables. Let's say we have 2 tabs open in the browser: 1 has the student portal open and the other has the admin portal open. If the student logs in to the first portal with user id 1 shortly after the admin has logged in with user id 2, then the user id for both portals appears to be the same (user id 1). The problem is that the session variables for both portals are getting shared in the browser.
Sometimes session variables are also pulled from a previous session in a new tab, even after closing it (tested it using var_dump($_SESSION)).
Can somebody please explain to me how to limit the session variables to each portal, or provide me with some hints about other ways of handling security in PHP?
PS: I have logout buttons which clear the session variables. The problem seems to persist if the tab is closed or a new portal is opened in a new tab.
Thanks in advance.
From a browser to a server only one PHP session will be started (apart from private browsing options, but that's off topic) and that is "shared" among all tabs. In contrast to what fejese's answer suggests, you can solve your situation using only one PHP session. Your problem probably is that you use the same session variable to indicate that someone is logged in, regardless of the access level of that logged-in user.
As your 3 separate modules handle authentication, create 3 different session variables that indicate which user is logged in. For example, when a student logs in, create $_SESSION['auth_student_id'] and assign the logged-in user (student) ID to it. When a teacher logs in, create $_SESSION['auth_teacher_id'], and so forth.
Then, depending on which portal is loaded, ignore the other session variables. So if in tab 1 the student portal is loaded, check for $_SESSION['auth_student_id'] and ignore the others. If that is set, you know the portal should show protected content because the user (student) has authenticated themselves. If in tab 2 the teacher portal is loaded, do the same with $_SESSION['auth_teacher_id'] and ignore the other 2.
You have some options:
Change "session_name" on a portal basis
If you change the session name, the cookies that identify the session will be different from portal to portal. Note that no session will be shared this way: if the user logged in to one portal, they'll need to log in again to the others.
Implement session namespaces
You could set an array in the main $_SESSION object, one for each submodule, and use each array as if you were using the session directly. With this approach you can share the sessions (easily implementing SSO between the portals), but it raises some security concerns. It's valuable to implement an API to access the session if you go this way.
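A concrete version of the two answers above (one PHP session, with each portal's login keys kept in its own namespace), added here as an example and not taken from either answer; the class name PortalSession, the portal list and the cookie flags are assumptions:

```php
<?php
// Added example (not from either answer): one PHP session, one namespace per portal,
// so a student and an admin logged in from two tabs of one browser do not collide.
declare(strict_types=1);

final class PortalSession
{
    private const PORTALS = ['student', 'teacher', 'admin'];
    public function __construct(private string $portal)
    {
        if (!in_array($portal, self::PORTALS, true)) {
            throw new InvalidArgumentException("Unknown portal: $portal");
        }
        if (session_status() !== PHP_SESSION_ACTIVE) {
            // Cookie flags are assumed hardening defaults; adjust for your deployment.
            session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
            session_start();
        }
        $_SESSION[$this->portal] ??= [];   // this portal's own slice of the session
    }

    /** Record a successful login for this portal only. */
    public function login(int $userId): void
    {
        session_regenerate_id(true);       // fresh ID on privilege change (anti-fixation)
        $_SESSION[$this->portal]['auth_id'] = $userId;
    }

    public function authenticatedUserId(): ?int
    {
        return $_SESSION[$this->portal]['auth_id'] ?? null;   // other portals' keys ignored
    }

    /** Log out of this portal without touching the other portals' data. */
    public function logout(): void
    {
        $_SESSION[$this->portal] = [];
        session_regenerate_id(true);
    }

    /** Namespaced access so a page never reads another portal's keys by accident. */
    public function get(string $key, mixed $default = null): mixed
    {
        return $_SESSION[$this->portal][$key] ?? $default;
    }
    public function set(string $key, mixed $value): void
    {
        $_SESSION[$this->portal][$key] = $value;
    }
}
```

At the top of admin.php you would construct `new PortalSession('admin')` and redirect to the admin login page when `authenticatedUserId()` returns null; the student portal does the same with its own name and never sees the admin keys.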
How do I use the same web session that was created in one web app in another web app? In other words, if I log in to site1.php, how do I automatically get logged in (without having to fill in a form or anything) to site2.php using the same credentials that I used to log in on site1.php?
Any help please
Your users probably get a cookie with their session id set. If not, do so. Both sides would have to use the same session backend to be able to get the session for the given id (from the cookie). To share sessions between websites, both sites need to use the same session handler, for example in a database.
http://www.devshed.com/c/a/PHP/Storing-PHP-Sessions-in-a-Database/
I've seen a few instances now where web applications are letting you try them out without having to sign up (though to save you need to, of course).
example: try at http://minutedock.com/
I'm wondering about doing this for my own web app and the fundamental question is whether to store their info into sessions or into a temp user table?
The temp user table would allow logging and potentially be less of a hit on the server, correct?
Is there a best practice here?
It should work exactly the same way the application usually works, with the only difference being that a flag like thisIsATrialUser is set. You shouldn't create two different ways to do things internally.
Create a class of user, let's call it your Anonymous User Type. Give all unauthenticated users anonymous accounts (you have to clean up old accounts at some point). Use a persistent cookie to associate returning users with their anonymous account. Make them authenticate themselves whenever they need to perform something that requires payment or full registration. Change their user type to something like Regular User Type once they are authenticated, so you can keep all the information that was already attached to them when they were anonymous.
This allows tracking and storing of potential information like shopping carts without requiring registration upfront. Your code shouldn't have to change much if you treat anonymous user similarly to regular users. Otherwise you have to create an entirely new set of code to manage special users that are not stored in your master user table.
To clean up the data added by trial users, you can create a script to delete all the data that is older than the lifetime of the cookie + 1 day and owned by any trial user. You can auto-pilot the script with a nightly cron.
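The anonymous-user-type design and the nightly cleanup described in the two answers above, as an added example (not the answers' own code). The users/carts table layout, the column names, the constant names and the 30-day cookie lifetime are assumptions:

```php
<?php
// Added example, not from the answers: anonymous ("trial") accounts tied to a random
// persistent cookie, promoted in place on registration and purged by a nightly job.
// Table/column names and the 30-day cookie lifetime are assumptions.
declare(strict_types=1);

const TRIAL_COOKIE = 'trial_token';
const COOKIE_DAYS  = 30;

/** For an unauthenticated request: find this browser's trial user or create one. */
function trialUser(PDO $db): array
{
    $token = $_COOKIE[TRIAL_COOKIE] ?? '';
    if (preg_match('/^[a-f0-9]{64}$/', $token)) {
        $st = $db->prepare("SELECT id, type FROM users WHERE token_hash = ? AND type = 'anonymous'");
        $st->execute([hash('sha256', $token)]);   // only a hash is stored server-side
        if ($row = $st->fetch(PDO::FETCH_ASSOC)) {
            return $row;
        }
    }
    $token = bin2hex(random_bytes(32));           // CSPRNG-generated, unguessable
    $db->prepare("INSERT INTO users (type, token_hash, created_at) VALUES ('anonymous', ?, ?)")
       ->execute([hash('sha256', $token), date('Y-m-d H:i:s')]);
    setcookie(TRIAL_COOKIE, $token, [
        'expires' => time() + COOKIE_DAYS * 86400, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return ['id' => (int) $db->lastInsertId(), 'type' => 'anonymous'];
}

/** Promote an anonymous account so data already attached to it (carts etc.) is kept. */
function registerUser(PDO $db, int $userId, string $email, string $password): bool
{
    $st = $db->prepare("UPDATE users SET type = 'regular', email = ?, password_hash = ?,
                        token_hash = NULL WHERE id = ? AND type = 'anonymous'");
    $st->execute([$email, password_hash($password, PASSWORD_DEFAULT), $userId]);
    return $st->rowCount() === 1;
}

/** Nightly cron: remove trial users older than cookie lifetime + 1 day, and their data. */
function purgeExpiredTrialUsers(PDO $db): int
{
    $cutoff = date('Y-m-d H:i:s', time() - (COOKIE_DAYS + 1) * 86400);
    $db->prepare("DELETE FROM carts WHERE user_id IN
                    (SELECT id FROM users WHERE type = 'anonymous' AND created_at < ?)")
       ->execute([$cutoff]);
    $st = $db->prepare("DELETE FROM users WHERE type = 'anonymous' AND created_at < ?");
    $st->execute([$cutoff]);
    return $st->rowCount();
}
```

The trial token is treated like a password-equivalent credential: it is generated with random_bytes(), stored only as a SHA-256 hash, cleared on promotion so the old cookie can no longer identify the upgraded account, and sent with Secure/HttpOnly/SameSite flags.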