I want to make it possible for the administrator to log in as a frontend user from the backend. Right now I'm using two sessions (sessions with different names), one for the admin and one for the frontend.
Is it possible to write in the first session, close it and then open a new session?
This is a simplified version of what I attempted but failed:
session_name('admin_session');
session_start();
// use first session without generating any output
session_close();
session_name('frontend_session');
session_start();
// use the second session
Thanks.
I have provided the facility for an administrator to switch to a "user" in the past.
I did this by serializing the admin user's $_SESSION and then storing that string as $_SESSION['adminData'] before overwriting all the other session vars with those of the user he was logging in as, and redirecting to the main page. The only different feature on the main page was an if test against $_SESSION['adminData'] that provided a "revert to admin" link... but to all intents and purposes, the administrator was now logged in as that user.
On clicking the "revert to admin" link, the code logic simply unserialized $_SESSION['adminData'].
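The switch and revert described in this answer, as an added example that is not the answerer's code. The function names and the 'userId' and 'role' keys are assumptions; it also assumes the session holds only scalars and arrays, refuses nested impersonation, and issues a new session ID on each identity change when a real session is active.

```php
<?php
declare(strict_types=1);

// Added example: "switch to user" / "revert to admin" on a session array.
// switchToUser, revertToAdmin, 'userId' and 'role' are hypothetical names.
function switchToUser(array &$session, array $userVars): void
{
    // Only a real admin who is not already impersonating may switch.
    if (($session['role'] ?? null) !== 'admin' || isset($session['adminData'])) {
        throw new RuntimeException('switch refused');
    }
    $saved = serialize($session);      // snapshot of the admin's session vars
    $session = $userVars;              // overwrite with the target user's vars
    $session['adminData'] = $saved;    // set last so $userVars cannot supply it
    rotateSessionId();
}

function revertToAdmin(array &$session): void
{
    if (!isset($session['adminData'])) {
        throw new RuntimeException('not impersonating');
    }
    // allowed_classes=false: the snapshot is plain data, never objects.
    $admin = unserialize($session['adminData'], ['allowed_classes' => false]);
    if (!is_array($admin)) {
        throw new RuntimeException('corrupt adminData');
    }
    $session = $admin;
    rotateSessionId();
}

// New session ID on every identity change; skipped when no session is active.
function rotateSessionId(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
}

// Constructed demo: a plain array stands in for $_SESSION.
$session = ['userId' => 1, 'role' => 'admin'];
switchToUser($session, ['userId' => 42, 'role' => 'member']);
echo $session['userId'], isset($session['adminData']) ? " (impersonated)\n" : "\n";
revertToAdmin($session);
echo $session['userId'], ' ', $session['role'], "\n";
```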
Related
I have a website and a CMS panel located in sub-directory in the website. In the CMS panel I have session variables in which I write the username, level access etc.
The problem is that in the website I need to have user registration and login. When I try to log in the website, the two sessions are overwriting each other and the end result is that the website session doesn't change (the user can't log in) and the CMS session receives the variables from the website session.
I searched the problem and saw someone suggesting that the two sessions should be named and therefore separated. I have a session name on the website's session, but when I tried to name the second one I got a server error.
The other thing that I saw was that the website's session is new with every page refresh, and this doesn't happen in the other one.
I don't have session_destroy or session_unset (regarding the session refresh problem).
What can be the problem and how to fix it?
EDIT
Maybe "overwriting" is not the correct word. When I try to log in from the website nothing happens. When I try to log in the CMS I have the CMS session array AND the website's session array. I want them to be separated.
I have a user logged in to the admin panel (backend) and the frontend of the Joomla site. I checked the session table in the DB and found that a session has been created for that user. I just deleted that row from the DB and when I go to the admin panel (backend), the user is logged out, which is correct.
But when I go to the frontend of the site, the user is not logged out. So my question is "Is a separate session maintained for frontend and backend for the same user?" If so, then why didn't I find the 2 session rows in the session table of the DB? Is the frontend session stored in a separate table?
Also, is there a way such that when I click on the logout button, I am logged out from both backend and frontend of the site?
I think this is due to the fact that removing the row from the #__session table does not fully clear the session. When manually logging out, the Session class is called and the session is destroyed, for example:
$session = JFactory::getSession();
$session->destroy();
Doing this also sets the session state to destroyed:
$this->_state = 'destroyed';
So you'll need to use PHP for this rather than removing tables from the database.
The front and back ends are two separate and independent applications. So you can be logged into either or both and have separate sessions. It is possible to share a session also but that requires some work. What's odd to me is that you only saw one session in the table. Are you positive? Did you check the client value?
Have a session problem with application when opened in multiple tabs of a browser.
In my project a user can have multiple login IDs, so he could log into the app with two IDs at the same time as two different users. But when they try to log in with two IDs in multiple tabs of a browser, the same session of the browser is being shared and the data gets messed up.
Any insights to solve this issue?
I see a pattern in mail.yahoo.com: if I log into my mail.yahoo with one user ID and try to log in to another user ID in a new tab, one of them logs out. Any idea how this could be done...
Thanks
Piecing this together from other answers, it sounds like you need multiple application streams.
That is, you have a situation where you need multiple "users" to be logged in to the application on different tabs on the same browser, same machine.
This isn't because they are different people using the machine, but rather the same person working with different personas.
It turns out, I've implemented something similar in the past myself, in order for managers to be able to "ghost" through a system as their staff members. They log in as the other user, but in a read only mode so they can see what's going on.
OK. So how to do it.
Put simply - the session isn't enough - you need more than that. The session ID is stored in a cookie on the client machine and there isn't really much you can do about the set-up - one browser = one session.
However, what you can do is split that session up with an application stream, or application context.
That is, don't store anything in the root of your session - split your session into distinct components into which you have a set-up identical to your current session.
The key for each session is then the "application stream" key. You need to pass this around in your URLs.
E.g.
Your current session may have a simple set-up:
$_SESSION['user'] = 'some username';
$_SESSION['role'] = 'power user';
Instead you store that as:
$_SESSION[0]['user'] = 'some username';
$_SESSION[0]['role'] = 'power user';
On all urls you add:
&appId=0
And whenever you reference your session you use something like:
$username = $_SESSION[ $_GET['appId'] ]['user'];
Obviously, you wrap all this up in a nice session handling class, but that's the basic idea.
If you want a link that generates a new login page with a new application stream, you simply change the appId on the link (or completely omit it and trap that in your login code).
E.g.
$sLoginLink = "<a href='/login.php?appId=" . generateNewAppStreamId() . "' target='_BLANK'>New Login Screen</a>";
As everything is still stored in the session, the whole of your application should work exactly the same - just as long as you always have the appId on every URL in the system.
I've tried to make the explanation as simple as possible - forgive me if I've used too many words.
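A wrapper of the kind this answer describes, as an added example that is not the answerer's code. The class name, the 'streams' key and the 16-hex-digit id format are assumptions; the point it shows is that the appId request parameter is resolved through validation rather than used directly as a $_SESSION index, so a missing, array-valued or unknown appId is rejected.

```php
<?php
declare(strict_types=1);

// Added example: per-tab "application streams" held inside one PHP session.
// AppStreams, the 'streams' key and the 16-hex-digit id format are assumptions.
final class AppStreams
{
    private $streams; // reference into the session array

    public function __construct(array &$session)
    {
        $session['streams'] ??= [];
        $this->streams = &$session['streams'];
    }

    // Start a new stream after a successful login. The id is generated
    // server-side and is only a selector; the session cookie authenticates.
    public function open(string $user, string $role): string
    {
        do {
            $id = bin2hex(random_bytes(8));
        } while (isset($this->streams[$id]));
        $this->streams[$id] = ['user' => $user, 'role' => $role];
        return $id;
    }

    // Resolve the appId request parameter. Anything that is not a string in
    // the expected format, or does not name an open stream, yields null.
    public function resolve($appId): ?array
    {
        if (!is_string($appId) || preg_match('/\A[0-9a-f]{16}\z/', $appId) !== 1) {
            return null;
        }
        return $this->streams[$appId] ?? null;
    }
}

// Constructed demo: a plain array stands in for $_SESSION after session_start().
$session = [];
$streams = new AppStreams($session);
$id = $streams->open('some username', 'power user');

// Constructed request values standing in for $_GET['appId'].
foreach ([$id, ['x'], '0', null] as $appId) {
    $ctx = $streams->resolve($appId);
    echo $ctx === null ? "rejected\n" : "stream for {$ctx['user']}\n";
}
```

In a web request the constructor would be given `$_SESSION` and `resolve()` would be given `$_GET['appId'] ?? null`.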
If you want to use session then you must arrange such a mechanism that only one user can be logged in in the same browser. At the login page, check availability of the session and if it already has a value then redirect your page to any logged-in page like home, profile or whatever you have.
When the user logs out or logs in using a different user ID you must use session_regenerate_id() to force PHP to use a different cookie for the new login.
This is actually the best practice on logout.
If you want to have two users logged in simultaneously from the same browser you have to put something in the URL to tell them apart. For example, after login, user #1 will see all the pages as http://www.example.org/1/... and user #2 will have its own customized URL (http://www.example.org/2/...). Then you need to use session_set_cookie_params() for each user with the correct value for parameter $path ('/1' for user #1, '/2' for user #2 and so on).
It's not recommended to use the user ID as customized user directory but to generate a hash from it.
I have a log in page which opens a profile page. Now when a user logs in the session is set. But I have not provided log out facility yet. So I can very well open the log in page and log in as a different user, without the sessions and cookies being destroyed. My question is: when I log in the second time, which session does the browser use, the previous one or the one which has been recently created? The profile page checks whether session is set or not. Can we have two sessions simultaneously for the same website?
Yup, I agree with you SAM.
Usually a session is set for one user in one browser, and it will be automatically destroyed by the second user when logging in in the same browser. I think it will need more configuration if you want two sessions with the same value. For example, Facebook and Twitter use one session simultaneously.
Maybe if you don't want to destroy the first session when the second user logs in, you can make a function to check whether the session is used or not.
Yes, you can have two or more sessions; you have to create them with different names.
$_SESSION['user1']="some value";
$_SESSION['user2']="some value";
but if you are making only one session the new value will overwrite the previous one.
But it doesn't make sense why you want to login with 2 users simultaneously. You should provide more information.
I have a few scripts all linked to the same SQL database, but each one has its own admin.php
I have created links to the other admin.php(s) in the one I would consider the main admin panel.
As it is the same user name and ID, how can I get the links to fill and submit the login details so I only have to log in on the first admin panel and not each time I click a link to a new one?
Any help appreciated.
You probably want to store some kind of authentication information in session data. Each time you access a script, it will check the session variables for some kind of security token. If it's there, it can use that to determine who has logged-in.
At the top of each PHP script (before you've output any HTML), include a call to session_start(). This will enable session information. You can then read/write elements in the $_SESSION superglobal array.
If you want the browser to remember the login for subsequent visits, you could also use cookie data. Just be aware that cookies are not particularly secure, so don't store usernames and passwords in them directly. Use a unique encrypted/hashed token instead.