I am working on an application which contains two different portals (admin and members).
http://localhost/app/ is used for the members login and http://localhost/app/admin is used for admin's login.
When I log in to both the members and admin portals, both work fine, but if I log out from one portal the other portal is logged out automatically.
I checked that the session file created in /tmp/ directory stores the sessions information for both the portals in a single file which causes the above problem. The work around I think is to save the session information of both portals in different directories. I searched a lot for this but didn't get any resolution :(
Please help. Thanks in advance!
You can destroy session elements individually instead of just calling session_destroy().
For example, use $_SESSION['logged_a'] for the admin and $_SESSION['logged_u'] for the user.
And then, depending on where you log out from, do unset($_SESSION['logged_a']) or unset($_SESSION['logged_u']).
I hope this helps! Good luck!
PHP sessions work on a per-domain basis as they use cookies. If you want to have separate login systems for each directory, your application will have to deal with that. A working approach would be to store the session id in a database along with a reference to which portals the session is logged in to. When a user logs out of one portal, rather than destroying the session, delete the record showing that the session is logged into that portal.
I have many applications written in CodeIgniter 3; every application has a different session cookie name. One day I tried to build a simple Single Sign-On over them by myself. My idea was to create one more application to handle the gate for authentication of the users, and I pulled the users table from the other applications into that one. I tried to log in there by setting the session name for every application, but when I try to get the session value in each application it is blank. I checked the browser cookies and I have the session name. Is there something I'm missing here? I don't fully understand how the global $_SESSION variable works. Thank you.
I've been working on an application that requires users to log in to view their material. Each user has their own subdomain, which is locked by its own accounts database. (I've done it this way for a reason; it's similar to how a forum free-host would work.)
My problem is that if a user logs in using their subdomain..
Example -- sub.domain.com
and then moved to
Example -- sub2.domain.com
Everything is fine, they will be required to login again to access sub2.
However, let's say a user goes here to log in (the actual directory of the subdomain)
Example -- domain.com/sub/
And then moves to
Example -- domain.com/sub2/
They will still be logged in and have access to all of the user's information in sub2.
How can I go about setting this up so I won't run into this problem? If anyone is curious, I use $_SESSION for this login system.
Based on the comment that GolezTrol provided, I came up with this solution. This solution may have its problems, and if it does I would like to be informed about them. What I did was give each client its own private key. (This key is randomly generated when their website is created and stored locally on the client's server. Clients do not have access to the files, so this can't be downloaded or modified.) I then store the private key in the session, and check the private key that is in the user's session against the private key of the client they are trying to view; if they are not the same it brings the user to the login page and clears their session. (This will log them out of their own dashboard as well, but I'm planning on making it so the session dies when they leave the page anyway.)
The only way someone could edit their session data to get access to another client would be by having the client's private key, and considering they can't get that without logging in in the first place, I doubt we have a problem.
I have two different projects on my XAMPP, say Project1 and Project2.
When I log in with Project1, I check authentication and, if it is successful, store the session. The session name is $_SESSION['username'].
The above process is the same for Project2.
Now, to prevent direct access, I use this code (in both projects):
if (empty($_SESSION['username']))
{
    header("Location: index.php");
    exit; // stop here; without exit the protected page below is still sent after the redirect header
}
So when I log in with Project1, I can also access Project2 (without logging in).
To prevent this, I know that if I create different session names for both projects then it is solved.
The above thing is on my local server, so I can create different session names for all my projects.
But suppose my site is online; what happens if my session name matches a different site's?
There are millions of websites, and there is a possibility that my session name matches another website's session name. Then it might happen that some user accesses my website via another website (in the same browser) and accesses my site without logging in.
So what happens if the session is the same for two different websites? Can a user access my website without logging in?
If yes, then what should I do to prevent it?
Thanks in advance.
UPDATE
According to @Let me see's answer, there is a possibility that if two sites are running on the same server then they may share the data.
So suppose the server is shared; then what should I do to prevent it?
Sessions are (usually) stored using cookies, and cookies are domain-specific. So, it doesn't matter if google.com or evilhackerdomain.ru uses the same session name as your app; your cookies are only readable/usable by the domains you specify. Even in the unusual scenario that sessions are managed in some other way, it will be domain-specific.
So suppose the server is shared; then what should I do to prevent it?
To answer your follow-up question: you can simply name your session on a specific website using session_name() before your session_start().
session_name('PROJECT1');
session_start();
This one-liner should do it.
Normally the session ID of the session is stored in a cookie; it is related to the hostname and can be shared by multiple hostnames having the same domain. And, as is obvious, sessions are stored on the server. So there is a possibility that if two sites are running on the same server then they may share the data. Therefore you should always change the path for storing the sessions on the server for every different website.
PHP sessions are stored on the server, so there won't be any clash between same session names when you go live. Remember, you still have the option to store your session in a database, which helps you with more security.
Nothing will happen, because the other site uses its own database (with its own session and user tables). It would only matter if two sites share the same database, same tables and same session handling.
Users cannot access without logging in, for the following reasons:
The session data is stored on the server. If two applications are running on the same server and the same domain name, then there is a possibility for them to share session data. Otherwise there are no conflicts with session values, if the domains are different.
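The two answers above (session_name() before session_start(), and a different save path per site) combined into one runnable routine. This is an added example, not code from any of the answers; the portal names, cookie names and directory layout are its own assumptions, and it needs PHP 8 for str_starts_with().

```php
<?php
// Added example (not from the answers above): one PHP session per portal by
// giving each portal its own cookie name, cookie path and save_path. Portal
// names, cookie names and the directory layout are this example's own.

function startPortalSession(string $portal): void
{
    // Whitelist the portals; never build a save path from raw request data.
    $portals = [
        'members' => ['cookie' => 'MEMBERS_SESSID', 'path' => '/app/'],
        'admin'   => ['cookie' => 'ADMIN_SESSID',   'path' => '/app/admin/'],
    ];
    if (!isset($portals[$portal])) {
        throw new InvalidArgumentException("unknown portal: $portal");
    }
    $cfg = $portals[$portal];

    // A separate save directory per portal (the workaround the question asks
    // for): the admin and members session data can never end up in one file.
    $dir = sys_get_temp_dir() . '/sess_' . $portal;
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    ini_set('session.save_path', $dir);
    ini_set('session.use_strict_mode', '1');  // refuse ids the server never issued
    ini_set('session.use_only_cookies', '1'); // no session ids in the URL

    // session_name() must run before session_start(). The distinct cookie name
    // is what really separates the two logins; the cookie path additionally
    // keeps the browser from sending the admin cookie to members pages at all.
    session_name($cfg['cookie']);
    session_set_cookie_params([
        'path'     => $cfg['path'],
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Logging out now destroys only the current portal's session. */
function logoutPortal(): void
{
    $_SESSION = [];
    session_destroy();
}
// Anything requested under /app/admin is the admin portal; the rest is members.
$uri = $_SERVER['REQUEST_URI'] ?? '/';
startPortalSession(str_starts_with($uri, '/app/admin') ? 'admin' : 'members');
```

Because the members cookie path /app/ also covers /app/admin/, the browser still sends MEMBERS_SESSID to admin pages, but the admin portal only reads ADMIN_SESSID, so the two logins stay independent.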
I think if we use a security algorithm like MD5 to encrypt the session name which you'll be using to log in, that will work without problem. For example:
$name_session='username';
$name_session=md5(md5(md5($name_session))); // closing parenthesis was missing
$_SESSION[$name_session]="username_logged";
I am working on a site that has a login API, so when people log in on my site, they will automatically be logged in to other sites.
Is there a way by which a session can be set up so that other websites can use it? If not, is there any other solution?
One way: you can store your session values in a database, and use them in other sites. :)
Example:
Let's suppose my site is deployed on multiple servers and the end user might be redirected to different servers according to traffic; then it would be good to save the session values in the DB.
Yes. It's possible using, for example, Redis for the session storage. You should look at configuring PHP sessions to use custom storage. Here is the PHP manual for this: http://php.net/session.customhandler
What you want to do is probably use a cookie that is spread over your whole domain. This cookie can then be linked to a session. I'm currently working on something like this in Symfony2.
As an example:
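The custom storage the answer above points to, as an added example (not the answer's or the manual's code): a SessionHandlerInterface that keeps session rows in a database through PDO, including the gc() purge of expired rows. It uses an in-memory SQLite database so it runs stand-alone; the table name and columns are assumptions of this example, and the signatures are those of PHP 8.1+.

```php
<?php
// Added example (not from the answer above) of the custom storage the linked
// manual page covers: a SessionHandlerInterface backed by a database through
// PDO. SQLite in memory here so it runs stand-alone; any PDO driver reachable by
// all the sites would do. Table name and columns are this example's own (PHP 8.1+).
final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1440)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data BLOB NOT NULL, updated_at INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Stale rows count as absent even before gc() has removed them.
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND updated_at > ?');
        $st->execute([$id, time() - $this->ttl]);
        $data = $st->fetchColumn();
        return $data === false ? '' : (string) $data;  // '' means "no such session"
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, updated_at) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    /** Run by PHP per session.gc_probability; this is the purge of expired rows. */
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated_at < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Register before session_start(); every site pointing at this database (under
// one cookie domain) then reads and writes the same session rows.
$handler = new PdoSessionHandler(new PDO('sqlite::memory:'));
session_set_save_handler($handler, true);
session_start();
```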
login.mydomain.com
application.mydomain.com
etc.mydomain.com
login.* will obviously contain my login logic + forms etc. This will also contain an API against which the other applications can verify the cookie. My application will first check if the user is logged in. If not, it will check if it has the required cookie. If it does not, it will redirect to the login.* login page.
If it does have the cookie, it will validate this with my login.* API. Expired > redirect to the login page; if not, it will return the required info of that user and "log in" to my application.
The only problem I have at the moment is storing the session. I use mcrypt to encrypt the contents and store it in MySQL (cookie_id, cookie_contents). I have but one problem: it doesn't automatically purge the expired sessions; I still have to find a solution for this.
What you are basically looking for is Single Sign-On (just a guess, but I think accurate).
I am fairly new to PHP programming and I think I might have some security issues with session variables.
I am currently working on a project which has 3 modules which require separate login credentials.
The 3 modules are for students, teachers and administration.
After the user logs in to the respective portals, these credentials are stored as session variables. Let's say we have 2 tabs open in the browser: one has the student portal open and the other has the admin portal open. If the student logs in to the first portal with user id 1 shortly after the admin has logged in with user id 2, then the user id for both portals appears to be the same (user id 1). The problem is that the session variables for both portals are getting shared in the browser.
Sometimes session variables are also pulled from the previous session in a new tab, even after closing it. (*Tested it using var_dump($_SESSION).*)
Can somebody please explain to me how to limit the session variables to each portal, or provide me with some hints about other ways of security handling in PHP?
PS: I have logout buttons which clear up the session variables. The problem seems to persist if the tab is closed or a new portal is opened in a new tab.
Thanks in advance.
From a browser to a server only one PHP session will be started (apart from private browsing options, but that's off topic), and that is "shared" among all tabs. In contrast to what @fejese's answer suggests, you can solve your situation using only one PHP session. Your problem probably is that you use the same session variable to indicate that someone is logged in regardless of the access level of that logged-in user.
As your 3 separate modules handle authentication, create 3 different session variables that indicate which user is logged in. For example, when a student logs in, create $_SESSION['auth_student_id'] and assign the logged-in user's (student's) ID to it. When a teacher logs in, create $_SESSION['auth_teacher_id'], and so forth.
Then, depending on which portal is loaded, ignore the other session variables. So if in tab 1 the student portal is loaded, check for $_SESSION['auth_student_id'] and ignore the others. If that is set, you know the portal should show protected content because the user (student) has authenticated themselves. If in tab 2 the teacher portal is loaded, do the same with $_SESSION['auth_teacher_id'] and ignore the other 2.
You have some options:
Change "session_name" on a portal basis
If you change the session name, the cookies that identify the session will be different from portal to portal. Note that no session will be shared this way. If the user logged in to a portal, he'll need to log in again to the others.
Implement session namespaces
You could set an array in the main $_SESSION object, one for each submodule, and use each array as if you were using the session directly. With this approach you can share the sessions (easily implementing SSO between the portals), but it raises some security concerns. It's valuable to implement an API to access the session if you go this way.
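The session-namespace option above, and the per-portal login variables the earlier answers propose ($_SESSION['logged_a'], $_SESSION['auth_student_id']), as one added example (not code from any of the answers): a single PHP session, one sub-array of $_SESSION per portal behind a small API, and a logout that clears only that portal's sub-array instead of calling session_destroy(). The portal names are this example's assumptions; it needs PHP 7.4+.

```php
<?php
// Added example (not from the answers above) of the "session namespaces" option:
// one PHP session, each portal confined to its own sub-array of $_SESSION, and a
// logout that clears only that sub-array. Portal names are this example's own.
final class PortalSession
{
    private const PORTALS = ['student', 'teacher', 'admin'];
    private string $ns;

    public function __construct(string $portal)
    {
        if (!in_array($portal, self::PORTALS, true)) {
            throw new InvalidArgumentException("unknown portal: $portal");
        }
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        // All of this portal's state lives under one key, e.g. $_SESSION['portal_admin'].
        $this->ns = 'portal_' . $portal;
        $_SESSION[$this->ns] ??= [];
    }

    /** Mark this portal authenticated; a fresh id also defeats session fixation. */
    public function login(int $userId): void
    {
        session_regenerate_id(true);
        $_SESSION[$this->ns]['user_id'] = $userId;
    }

    /** The user authenticated to *this* portal; the other namespaces are ignored. */
    public function userId(): ?int
    {
        return $_SESSION[$this->ns]['user_id'] ?? null;
    }

    /** Log out of this portal only, instead of session_destroy() for everything. */
    public function logout(): void
    {
        $_SESSION[$this->ns] = [];
    }
}

// Constructed walk-through: admin (id 2) and student (id 1) in the same browser.
$admin = new PortalSession('admin');
$student = new PortalSession('student');
$admin->login(2);
$student->login(1);
$student->logout();
assert($admin->userId() === 2 && $student->userId() === null);
```

Each portal's pages check only their own PortalSession, so a student logging out (or never logging in) never affects the admin tab, which is the behaviour the questions above were missing.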