I am new to PHP, but I created a website with a login, register, and personalized homepage for different users.
I have three users and three tabs in my web browser with the sessions open. Sometimes, if I click on go back to home in say user1, the button would return me to user2's home page.
What do you think it is wrong?
Thank you.
It sounds like you are trying to simulate all three users yourself, just using tabs in your browser. Then you are going to have collisions -- whatever tab was loaded last will set a session cookie, overwriting the other tabs' cookies. All tabs will then be effectively using that last tab's session.
Try testing it with two different browsers -- you'll see they don't conflict, because the browsers don't share their cookies.
Related
I'm a new bee in codeigniter. I have done a web based application. Login and log out works fine. But the issue is when two users try to login in same browser, the first user is getting logout and he is getting 2nd users page and stuffs. I don't know where I did wrong. Is there any way to prevent multiple users to login in same browser?
That's just how it works ...
Neither your application, nor the browser (by default) can make a difference between two actual users. The same browser means the same user - it's that simple.
How can I realize a parallel session with PHP? I intend to login in as admin and now I can see a list of normal users. The admin user should be able to log in as a normal user in a new browser tab by clicking a user.
I tried to give sessions a unique name and id but this still haven't work.
Session cookies are stored in the browser for the whole browser session, so you can't separate them between windows.
Either you write your own session handler code, that does not use cookies, but appends something like '&sessionid=BLARGROB' to every link, or just install two browsers on you machine. Use Internet explorer for your user session and Firefox for your admin session, and Chrome for whatever else you'd like to do on your site without invalidating the other sessions. Using several browsers is a good idea to test your layout anyway.
I have one user portal account. I'm logging into it with two different usernames in two different tabs.
When I do a hard refresh (ctl+f5) in both tabs of the same user account, it opens in both tabs. That can be any username from those two. What can I do to fix this problem?
Session's mechanism uses COOKIEs. COOKIEs are shared between tabs.
If you what to login with one browser session by two differnet users you can disable storing session id in cookie: PHP session without cookies.
Also you can use feature of browsers. FireFox's Private browsing for example.
PHP's sessions. Basic usage.
PHP's sessions. Passing the Session ID.
You cant login on same website on same browser with two different user. Better you use two different browsers.
One option would be to avoid session cookies. Add the PHPSESSID variable to the query string, or have it in the path and use URL rewriting or PATH_INFO to translate /x/y.php/925235a... etc to /x/y.php?PHPSESSID=925235a.... You can actually tell PHP to do the first for you.
Note, in order for this to work, you'll need to say something like
ini_set('session.use_cookies', false);
or the like, in your script before calling session_start(). Then PHP won't send session cookies; in most cases it will just transparently rewrite URLs in your page to include the session ID, so you get the first option for free.
The biggest drawback to this approach is that it makes your users vulnerable to an attack called "session fixation". If i hand you a URL that already has a session ID, and you click it and log in to the site, you've logged in my session for me and i can now visit the site as you. One way around that is to switch to a new session when someone logs in...but if your app is a shopping cart, it can be annoying making people log in to buy something.
Second biggest: If a user follows a link that doesn't have a session ID, PHP won't recognize them. (The user can use the "Back" button to get back to a point where they have a session ID, but that sucks usabilitywise.) You have to ensure that the session ID appears in every link or URL. Fortunately, PHP will rewrite most of them for you, but any links you generate with JS and such, you'll have to do yourself.
Users log in, and a session variable is created from their username. The menus on the site are determined by the users status - admins see an admin menu, coaches see a coaches menu, etc. All that works fine.
Things break down when I need to use the $_SESSION['value'] thing again to pass something from one page to another. For example, a coach will log in and see a list if his games that he has created. To edit the games, he selects one game,a variable is then passed to the next page where he can edit the details of the game he selected on the previous page. the minute the form is submitted on the first page (when he selects the game), its like my session is broken, and I lose all the menus etc.
Other forms on the site that simply add things to the database (users, games, etc) that do not need $_SESSION to pass anything work fine.
Is there something obvious I am overlooking? Is there another method of passing info from one page to another that wont break my session?
This sounds like the so often...
"oh shit, I forgot to call session_start (); before using $_SESSION"
But there are of course many other things that might cause this kinda headache.
check to see that the page your form submits to uses the same (or lower down) sub-domain (if your site uses www everywhere but not there, the cookie holding the session info won't be doing it's job).
check to see that you aren't using https on some parts of your site and http on others
make sure that the TTL (experiation) of the session cookie is long enough so that the user has time to do the edit (this normally isn't a problem, I have yet to come across it with a default configuration)
make sure you have session_start() on all your pages; including the one your form is submitting to
I am trying to write a php page that will load several different websites in different iframes. Several of those sites will need the user to login. What I need to do is basically allow the user to only type in the username and password once and then populate all the other forms (that are basically using the same user-pass pair for logging in)
Now i know that since those are external sites you don't have access to the DOM and XSS is not allowed and all, but i was wondering if theres actually any other way to achieve that.
Somebody actually suggested me to simulate keypresses and have a javascript that will basically go from field to field and essentially type in the username and pass but after doing some research I dont think thats possible since you can only simulate the event and not the actual keypress so...any other suggestions?
NOTE: I have also checked this but agreeing with the other sites/domains is not an option in my case!
Thanks -- Mike
that depends.
if those sites share a domain (the parent window and iframes), then it's possible for the top window to communicate with the child iframes. AJAX prevents cross domain (that includes inter subdomains) but iframes can communicate as long as they belong to the same top domain.
see https://stackoverflow.com/a/9338955/575527 and https://stackoverflow.com/a/9676156/575527
a better approach is to have a "top domain cookie" where that cookie is visible in all those iframes (assuming they are of the same top domain). login once using a single login page, then subsequent requests in the pages will need to check the cookie vs the session if that user is logged in.
or if those pages have different domains but access the same database, then one can just then pass the session id as a url parameter to the iframes rather than as cookies. then the website in the iframes will parse the session id and check in the database if those sessions are valid, are current, and are logged in.
all of which need additional CSRF and XSS checking as session IDs are in the open.
You cannot do what you describe in JavaScript.
However, depending on what you need to do with the data/websites once the user is logged in, you may be able to use a remote POST to simulate that behavior. See this question for more info.