Multiple Sessions (Overlap Problem)
Posted: Mon Mar 27, 2006 2:21 pm
I am trying to develop a centralized login system for my site. Ideally, the user logs in only once and then has access (based on their given permissions) to various resources. For example, a user with the "domain_admin" right would have access to the MySQL administrative front-end while anyone with the "domain_user" right would have access to squirrelmail. The problem is that I am getting session overlapping. Their centralized login token is stored in one session named SS_SESS_ID. When the user accesses a permission-based page, the script attempts to validate them as being logged in and having the required permissions. If they don't, they are redirected to the login page or told they have insufficient permissions. If they have sufficient permissions, the page loads normally. The problem is that scripts that use sessions as part of their normal function overlap with the centralized token. For example:

Code:
$old_name = session_name();
//validate_user opens the centralized authentication session and verifies user authenticity
//also, validate_user calls session_regenerate_id to prevent session fixation
if(!validate_user()) {
    session_write_close();
    session_name($old_name); //restore old session name (PHPSESSID)
    header('Location: login page');
    exit();
}
elseif(!user_has_right('domain_admin')) {
    session_write_close();
    session_name($old_name);
    header('Location: error page');
    exit();
}
session_write_close();
session_name($old_name);
//squirrelmail code which utilizes sessions

Is this the correct logic I should be using with my authentication system? Perhaps I should employ logic to prevent more than one session from being used per request (i.e. forward the user to the appropriate page if validation is successful).

Right now I am using my authentication code to "wrap" the target application. For example:

If an application takes $_POST['user'] and $_POST['pass'] to validate a user, my auth code inputs values into $_POST to match what is needed, thus bypassing the login page that the target application implements. Is this logic appropriate?

In particular, I had one script that would write all of its session data into the centralized authentication session (this is bad since both the auth session and the script session used many of the same names). I ended up creating an auth_landing.php file that would read the appropriate data and forward the user to the script page, thus preventing the script from accessing the auth session. Will I have to do this with all my scripts?

It seems to me that if you do the following, everything should work as expected with data being stored to its respective session:

Code:
session_name('SESSION_ONE');
session_start();
//manipulate some session data
session_write_close();
session_name('SESSION_TWO');
session_start();
//manipulate some more session data
session_write_close();

Any thoughts would be greatly appreciated.
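As an added example (not the original poster's code), the two-session gate described in the post written as one function: it opens the SS_SESS_ID auth session, checks the required right, rotates the auth session id, and hands the default session name back so the wrapped application can start its own session untouched. The $_SESSION['user'] and $_SESSION['rights'] keys, the redirect URLs, and folding validate_user/user_has_right into one function are assumptions.

```php
<?php
// Added example (not the poster's code). Assumes the auth session is named
// SS_SESS_ID and stores the granted rights in $_SESSION['rights']; the wrapped
// application uses the default session name (PHPSESSID).
const AUTH_SESSION_NAME = 'SS_SESS_ID';

// Gate a page on a right held in the auth session. On success the auth session
// is closed and the caller's session name is restored; otherwise we redirect.
function require_right(string $right, string $login_url, string $denied_url): bool
{
    // session_name() is ignored once a session is active, so close any first.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    $app_name = session_name();       // remember the application's name
    session_name(AUTH_SESSION_NAME);
    session_start();                  // $_SESSION now holds only auth data

    $logged_in = !empty($_SESSION['user']);
    $has_right = $logged_in
        && in_array($right, $_SESSION['rights'] ?? [], true);
    if ($logged_in) {
        // New id on every privileged hit; true discards the old session file.
        session_regenerate_id(true);
    }

    // Close the auth session BEFORE the application opens its own: $_SESSION
    // is one superglobal, and the next session_start() replaces its contents
    // with the other session's data, so nothing from SS_SESS_ID leaks across.
    session_write_close();
    session_name($app_name);

    if (!$logged_in) {
        header('Location: ' . $login_url);
        exit;
    }
    if (!$has_right) {
        header('Location: ' . $denied_url);
        exit;
    }
    return true;
}

// Usage at the top of a wrapped page, before the application's own session code:
require_right('domain_admin', '/login.php', '/denied.php');
session_start();   // opens PHPSESSID; the auth token is not in this $_SESSION
$_SESSION['app_hits'] = ($_SESSION['app_hits'] ?? 0) + 1;
```

The order matters: any session_name() call after session_start() has no effect, which is the usual cause of the "overlap" where an application's data lands in the auth session.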