I mean you can login both https://mail.google.com/ and https://mail.google.com/a/company.com at the same time.
The projects I've attended so far haven't involved such kind of logic,how can these two url under the same domain use different $_SESSION?
I think there is not inbuilt session management feature in PHP.
You can use variable specific management in session.
for eg.
one login from https://mail.google.com/ then store all it's session data in $_SESSION['gmail'][X] , $_SESSION['gmail'][Y],$_SESSION['gmail'][Z]
and then in when another user login from https://mail.google.cpm/a/company.com then store all it's session data in $_SESSION['company'][X],$_SESSION['company'][Y],$_SESSION['company'][Z]
so by this, you can separate those two sessions from each other.
Those two URLs share the same domain. Only the subfolders are different. Usually with PHP, the cookie which saves the session id is valid for the whole domain and not only a specific subfolder. So there should be no problem using the session data with the same domain.
Maulik Vora's answer will work, but another way to do it is to configure PHP to used URL-based session ID passing. That way every tab or window has a separate session. See this page for information on how to do it, and why you may or may not want to. Here's the docs for it.
Related
I'm doing some basic integration between a CakePHP app and some external code. I want the external code to know if a user is logged in. The external code does not load CakePHP, so thought I would access that data directly using $_SESSION, but when I dump it it's an empty array, even when I'm logged into CakePHP.
Am I missing something? Why isn't the session data from CakePHP showing up?
You might need to play with your session ids and session name variables to get your external code to load the CakePHP session information.
For example, you will almost certainly need this:
session_name('CAKEPHP');
and you might need to pass across the session id from Cake, and possibly set the session save path as well.
You can read http://bakery.cakephp.org/articles/admad/2009/09/02/how-to-bend-cakephp-s-session-handling-to-your-needs
It will examplain you how to bend your cakephp session according to your need.
OR
You can see one more link which will solve your problem Use cakephp session with two different domains
Hope these two links will solve your problem!
I have a two diff. project on my XAMPP say it is Project1 and Project2.
When i login with Project1, i check authentication and if it is successful then stored session. The session name is $_SESSION['username'].
The above process is same with Project2.
now,to prevent direct access,i use this code(in both project):
if($_SESSION['username']=="")
{
header("location:index.php");
}
so when i login with Project1, i am also access Project2(without login).
To prevent this, i know that if i create diff. session name for both project then it is solved.
The above thing is in my local server. so i can create diff. session name for my all project.
But suppose my site is online and what happen if my session name is match with diff. site?
There is a millions of websites and there is a possibility that my session name is match with another website's session name.Then this might be happen that some user access my website with another website(in same browser) and he might be access my site without login.
So what happen if session is same for two diff. website? Can user is access my website without login?
If yes then what should i do to prevent it?
Thanks in advance.
UPDATE
according to #Let me see's answer there is a possibility that if two sites are running on the same server then they may share the data.
So suppose the server is sharing then what should i do to prevent it?
Sessions are (usually) stored using cookies, and cookies are domain-specific. So, it doesn't matter if google.com or evilhackerdomain.ru uses the same session name as your app; your cookies are only readable/usable by the domains you specify. Even in the unusual scenario that sessions are managed in some other way, it will be domain-specific.
So suppose the server is sharing then what should I do to prevent it?
To answer your follow up question. You can simply name your session on a specific website using session_name() before your session_start().
session_name('PROJECT1');
session_start();
this one-liner should do it.
Normally the sessionID of the sessions is stored in a cookie and it is related to the hostname and it can be shared by the multiple hostnames having the same domain. and as it is obvious that sessions are stored on the server . So there is a possibility that if two sites are running on the same server then they may share the data..Therefore you should always change the path for storing the sessions on the server for every different website
PHP Sessions are stored in Server. So there won't be any clash between same session names when you go live. Remember, You still have option to store your session in database, which helps you with more secutiry.
Nothing will happen. Because the other Site uses its own database (with own session and user tables). It would only matter if two Sites share the same Database, same tables and same session handling.
User cannot access without log in because of following reasons,
The session data is stored on the server. If two applications are running on the same server and the same domain name, then the possibility is there for them to share session data. Otherwise no conflicts with session values, if the domains are different.
I think if we use a security algorithm like MD5 to encrypt the session which you'll using to login. That will work without problem. For example:
$name_session='username';
$name_session=md5(md5(md5($name_session));
$_SESSION[$name_session]="username_logged";
I am working on a site that has a login API. So when people login on my site, they will automatically be logged in to other sites.
Is their way by which a session can be setup so that other websites can use it? If not, is their any other solution?
One way - you can store your session values in database, and can use in other sites. :)
Example:-
let suppose if my site is deployed on multiple servers and end user might be redirected to different servers accordingly to traffic, then it would be good to save the session values in db.
Yes. It's possible using in example Redis for the session storage. You should look for configuring php sessions to use custom storage. Here is php man for this http://php.net/session.customhandler
What you want to do is probably using a cookie that is spread over your whole domain. This cookie can then be linked to a session. I'm currently working on something like this on Symfony2.
As example:
login.mydomain.com
application.mydomain.com
etc.mydomain.com
login.* will obviously contain my login logic + forms etc. This will also contain an API which the other applications can verify the cookie to. My Application will first check if the user is logged in. If not, it will check if it has the required cookie. If it does not, it will redirect to the login.* login page.
If it does have the cookie, it will validate this in my login.* API. Expired > redirect to the login page, if not it will return the required info of that user and "login" to my application.
The only problem I have at the moment is storing the session. I use mcrypt to encrypt the contents and store it in mysql (cookie_id, cookie_contents). I have but 1 problem, it doesn't automatically purge the expired sessions, I still have to find a solution for this.
What you are basically looking for is Single Sign-On (just a guess, but I think accurate).
I have one user portal account. I'm logging into it with two different usernames in two different tabs.
When I do a hard refresh (ctl+f5) in both tabs of the same user account, it opens in both tabs. That can be any username from those two. What can I do to fix this problem?
Session's mechanism uses COOKIEs. COOKIEs are shared between tabs.
If you what to login with one browser session by two differnet users you can disable storing session id in cookie: PHP session without cookies.
Also you can use feature of browsers. FireFox's Private browsing for example.
PHP's sessions. Basic usage.
PHP's sessions. Passing the Session ID.
You cant login on same website on same browser with two different user. Better you use two different browsers.
One option would be to avoid session cookies. Add the PHPSESSID variable to the query string, or have it in the path and use URL rewriting or PATH_INFO to translate /x/y.php/925235a... etc to /x/y.php?PHPSESSID=925235a.... You can actually tell PHP to do the first for you.
Note, in order for this to work, you'll need to say something like
ini_set('session.use_cookies', false);
or the like, in your script before calling session_start(). Then PHP won't send session cookies; in most cases it will just transparently rewrite URLs in your page to include the session ID, so you get the first option for free.
The biggest drawback to this approach is that it makes your users vulnerable to an attack called "session fixation". If i hand you a URL that already has a session ID, and you click it and log in to the site, you've logged in my session for me and i can now visit the site as you. One way around that is to switch to a new session when someone logs in...but if your app is a shopping cart, it can be annoying making people log in to buy something.
Second biggest: If a user follows a link that doesn't have a session ID, PHP won't recognize them. (The user can use the "Back" button to get back to a point where they have a session ID, but that sucks usabilitywise.) You have to ensure that the session ID appears in every link or URL. Fortunately, PHP will rewrite most of them for you, but any links you generate with JS and such, you'll have to do yourself.
I do a lot of php and javascript, but I think this is relatively language-agnostic question. Are there any best-practices for when to use each of:
URL variables
SESSION variables
cookies
I understand the inherent limitations of what some of them can't do, but it seems like their use can overlap sometimes, too, and those instances are what I'm really asking about.
EDIT
Just to clarify: I'm pretty familiar with the technicalities of which method is stored where, and which the client/server can access. What I am looking for is something a little higher-level, like "temporary user settings should live in cookies, data state info should live on the server, etc..."
Thanks!
In general:
Use URL (GET) parameters for sending simple request parameters to the server, eg. a search query or the page number in a product listing.
Use session variables, as the name indicates, to store temporary data associated with a specific user session, eg. a logged-in user's ID or a non-persistent shopping cart.
Avoid using cookies when possible. Use them sparingly to store settings that are tied to a particular computer / user profile, eg. a setting such as "remember my user ID on this computer".
Sessions are stored on the server, which means clients do not have access to the information you store about them. Session data, being stored on your server, does not need to be transmitted in full with each page; clients just need to send an ID and the data is loaded from the server.
On the other hand, Cookies are stored on the client. They can be made durable for a long time and would allow you to work more smoothly when you have a cluster of web servers. However unlike Sessions, data stored in Cookies is transmitted in full with each page request. You should use cookie if you need longer logged-in sessions.
URL variables (GET) are open and can be seen by user. They are also useful as it allows the user to bookmark the page and share the link.
PHP embeds the session id directly into URLs when cookies are disabled. Then, the session id becomes a value accessible thru an HTTP GET variable.