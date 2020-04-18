Confusion over PHP sessions

I’m at the point of testing my website with 2 users logged in and ran into a frustrating problem. I log in on one device as User A, all goes well. But I log in on another device as user B, it logs them in fine, but suddenly user A’s session info reflects the session info of user B. So user B is now logged into both devices. And these are entirely different devices. One is a laptop running on windows, another is a phone running on android. I can even confirm when printing the session id that user B’s session is the active session for both accounts.

In my login page:

if(session_status() == PHP_SESSION_ACTIVE)
{
 echo "SID=" . session_id() . "<br>";
}
var_dump($_COOKIE);

In my verifylogin page:
if(session_status() == PHP_SESSION_NONE)  
{
 session_id($_POST['Username']);
 session_start();
 session_regenerate_id(true);
}

and in my home page after login:
if(session_status() == PHP_SESSION_NONE) 
{
  session_start();
}

I had session_start() in my login page originally but after reading stuff took it out and decided not to start the session until the verifylogin script. session_start() is supposed to automatically create a different session for each new client so I’m confused why thats not happeneing

Also, using 2 different browsers, I can get it to work fine on localhost, so not sure if my server configuration is off or what. I can verify that a new sess_xxxxx file is getting created for the separate logins. But it seems to only be able to have one active at a time

Hi @wainwrightsrule and a warm welcome to the forum.

The above script is incorrect usage of session_start() and will generate errors.

Try adding these lines to the start of the PHP files:

<?php 
declare(strict_types=1);
error_reporting(-1);
ini_set('display_errors','1');

// Your script
OK, will do

Got it error free, still overwriting the session so the last person I log in ends up logged in on all devices, and all browsers. Am I supposed to store the session id for the user and use that to access their specific session?