Confusion over PHP sessions

I’m at the point of testing my website with 2 users logged in and ran into a frustrating problem. I log in on one device as User A, all goes well. But I log in on another device as User B, it logs them in fine, but suddenly User A’s session info reflects the session info of User B. So User B is now logged into both devices. And these are entirely different devices. One is a laptop running on Windows, another is a phone running on Android. I can even confirm when printing the session id that User B’s session is the active session for both accounts.

In my login page:

if(session_status() == PHP_SESSION_ACTIVE)
{
 echo "SID=" . session_id() . "<br>";
}
var_dump($_COOKIE);

In my verifylogin page:

if(session_status() == PHP_SESSION_NONE)
{
 session_id($_POST['Username']);
 session_start();
 session_regenerate_id(true);
}

and in my home page after login:

if(session_status() == PHP_SESSION_NONE)
{
  session_start();
}

I had session_start() in my login page originally but after reading stuff took it out and decided not to start the session until the verifylogin script. session_start() is supposed to automatically create a different session for each new client so I’m confused why that’s not happening.

Also, using 2 different browsers, I can get it to work fine on localhost, so not sure if my server configuration is off or what. I can verify that a new sess_xxxxx file is getting created for the separate logins. But it seems to only be able to have one active at a time

Hi @wainwrightsrule and a warm welcome to the forum.

The above script is incorrect usage of session_start() and will generate errors.

Try adding these lines to the start of the PHP files:

<?php 
declare(strict_types=1);
error_reporting(-1);
ini_set('display_errors','1');

// Your script

OK, will do

Got it error free, still overwriting the session so the last person I log in ends up logged in on all devices, and all browsers. Am I supposed to store the session id for the user and use that to access their specific session?

I’m back on the desktop.

I am unable to understand exactly what you are trying to achieve and convinced that the majority of script is not necessary. With sessions I usually:

  1. test and set session only if sessions are not set
  2. test for particular session parameters and set only if required
  3. a session is unique to each browser

<?php declare(strict_types=1);
error_reporting(-1); // maximum errors 
ini_set('display_errors', '1'); // show errors on screen - DO NOT SET ONLINE

if( isset( $_SESSION ) ) :
  // this page has been included/required by another page
  //  STARTING ANOTHER SESSION WILL GENERATE ERRORS
else:
  // LOOKS LIKE A STANDALONE PAGE
  session_start();
endif;
// only set if required
   $_SESSION['title'] = $_SESSION['title'] ?? 'TITLE NOT SET???';

I played about with your script and created the following index-001.php test page which can be copied and renamed to index-002.php. Variables $home, $page, $clr1 and $clr2 require changing in order to get the second page to toggle.

<?php declare(strict_types=1);

echo substr( strrchr(__file__, '/'), 1);
$home   = 'index-001.php';
$page   = 'index-002.php';

$style  = 'background: snow; border:solid 2px red; padding: 0.22em;';
$clr1   = 'background: lime;'; 
$clr2   = 'background: cyan;'; 

# ESSENTIAL - SET BEFORE ANY RENDERING 
  # In my verifylogin page:
  if(session_status() == PHP_SESSION_NONE)  
  {
   $_POST['Username'] = $home;

   # ERROR 
     # session_id($_POST['Username'] ?? $home . ' UserName not set');
     session_id('123'); // ' = 123;

   session_start();
   session_regenerate_id(true);
   $_SESSION['title'] = '$_SESSION["title"] ==> ' .$home;
  }

  #  and in my home page after login:
  if(session_status() == PHP_SESSION_NONE) 
  {
    session_start();
  }

  $sess   = print_r($_SESSION, TRUE);
  $cookie = print_r($_COOKIE,  TRUE);
  $active = 'NOT ACTIVE';
  if(session_status() === PHP_SESSION_ACTIVE)
  {
    $active = "<h3> SID=" . session_id() . "</h3>";
  }

echo $tmp = <<< ____EOT
  <h1> file: $home </h1>
  <div style="$clr1 width:88%; margin: 0 auto;">
    <br>
    <pre> \$_SESSION ==> $sess </pre>

    <pre> \$cookie ==> $cookie </pre>
  </div>

  <h2> Switch: <a href="$page" style="$clr2"> $page </a> </h2>
  $active
____EOT;


  $_POST['Username'] = $home;
  echo '<pre>$_POST["Username"] ==> '; 
    print_r($_POST) ;
  echo '</pre>';  

o.O? This… is… I can’t think that this is possible, unless your host is doing some disastrous caching…

I know, according to PHP documentation it should automatically create a unique session for every client but I got it working. I create a unique id, set it as the session id, start the session, then store the id in a cookie. So on main pages I grab the cookie, set session id to its value, and start the session.
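
For reference alongside the snippets in this thread, an added example (not code from any poster) of a login handler in which PHP generates the session ID itself and the user's identity is kept in `$_SESSION`, with no `session_id()` call taking a value from the request. The `find_user()` helper, the `Password` field name, the sample account and the HTTPS setting are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical user lookup; a real site would query its own user store.
// The account below is constructed sample data.
function find_user(string $username): ?array
{
    static $users = null;
    $users ??= ['alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $users[$username] ?? null;
}

// Returns true and binds the user to a fresh session ID on success.
function login(string $username, string $password): bool
{
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Replace the pre-login ID with a new random one, so an ID that was
    // known before authentication is not carried into the logged-in state.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['username'] = $username;
    return true;
}

// Cookie attributes and strict mode must be set before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumption: the site is served over HTTPS
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // ignore IDs the server did not issue

// No session_id(...) call here: PHP creates a random ID per client
// and delivers it in the session cookie on its own.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login((string)($_POST['Username'] ?? ''), (string)($_POST['Password'] ?? ''));
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'Logged in as ' . htmlspecialchars($_SESSION['username']) : 'Login failed';
}
```

Pages behind the login then only call `session_start()` and check `$_SESSION['user_id']`; the username never becomes the session ID.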
