Confusion over PHP sessions

I’m at the point of testing my website with 2 users logged in and ran into a frustrating problem. I log in on one device as User A, all goes well. But I log in on another device as user B, it logs them in fine, but suddenly user A’s session info reflects the session info of user B. So user B is now logged into both devices. And these are entirely different devices. One is a laptop running on windows, another is a phone running on android. I can even confirm when printing the session id that user B’s session is the active session for both accounts.

In my login page:

if(session_status() == PHP_SESSION_ACTIVE)
 echo "SID=" . session_id() . "<br>";

In my verifylogin page:
if(session_status() == PHP_SESSION_NONE)  

and in my home page after login:
if(session_status() == PHP_SESSION_NONE) 

I had session_start() in my login page originally but after reading stuff took it out and decided not to start the session until the verifylogin script. session_start() is supposed to automatically create a different session for each new client so I’m confused why thats not happeneing

Also, using 2 different browsers, I can get it to work fine on localhost, so not sure if my server configuration is off or what. I can verify that a new sess_xxxxx file is getting created for the separate logins. But it seems to only be able to have one active at a time

Hi @wainwrightsrule and a warm welcome to the forum.

The above script is incorrect usage of session_start() and will generate errors.

Try adding these lines to the start of the PHP files:


// Your script

OK, will do

Got it error free, still overwriting the session so the last person I log in ends up logged in on all devices, and all browsers. Am I supposed to store the session id for the user and use that to access their specific session?

I’m back on the desktop.

I am unable to understand exactly what you are trying to achieve and convinced that the majority of script is not necessary. With sessions I usually:

  1. test and set session only if sessions are not set
  2. test for particular session parameters and set only if required
  3. a session is unique to each browser
<?php declare(strict_types=1);
error_reporting(-1); // maximum errors 
ini_set('display_errors', '1'); // show errors on screen - DO NOT SET ONLINE

if( isset( $_SESSION ) ) :
  // this page has been included/required by another page
// only set if required
   $_SESSION['title'] = $_SESSION['title'] ?? 'TITLE NOT SET???';

I played about with your script and created the following index-001.php test page which can be copied and renamed to index-002.php. Variables $home, $page, $clr1 and $clr2 require changing in order to get the second page to toggle.

<?php declare(strict_types=1);

echo substr( strrchr(__file__, '/'), 1);
$home   = 'index-001.php';
$page   = 'index-002.php';

$style  = 'background: snow; border:solid 2px red; padding: 0.22em;';
$clr1   = 'background: lime;'; 
$clr2   = 'background: cyan;'; 

  # In my verifylogin page:
  if(session_status() == PHP_SESSION_NONE)  
   $_POST['Username'] = $home;

   # ERROR 
     # session_id($_POST['Username'] ?? $home . ' UserName not set');
     session_id('123'); // ' = 123;

   $_SESSION['title'] = '$_SESSION["title"] ==> ' .$home;

  #  and in my home page after login:
  if(session_status() == PHP_SESSION_NONE) 

  $sess   = print_r($_SESSION, TRUE);
  $cookie = print_r($_COOKIE,  TRUE);
  $active = 'NOT ACTIVE';
  if(session_status() === PHP_SESSION_ACTIVE)
    $active = "<h3> SID=" . session_id() . "</h3>";

echo $tmp = <<< ____EOT
  <h1> file: $home </h1>
  <div style="$clr1 width:88%; margin: 0 auto;">
    <pre> \$_SESSION ==> $sess </pre>

    <pre> \$cookie ==> $cookie </pre>

  <h2> Switch: <a href="$page" style="$clr2"> $page </a> </h2>

  $_POST['Username'] = $home;
  echo '<pre>$_POST["Username"] ==> '; 
    print_r($_POST) ;
  echo '</pre>';  

o.O? This… is… I can’t think that this is possible, unless your host is doing some disastrous caching…

I know, according to PHP documentation it should automatically create a unique session for every client but I got it working. I create a unique id, set it as the session id, start the session, then store the id in a cookie. So on main pages I grab the cookie, set session id to it’s value, and start the session.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.