Sessions Are Being Hijacked... By Default?
Posted: Wed May 20, 2009 7:48 pm
On a site I'm running it seems that users will end up in each others' sessions, as in you can click on the home page and see "You're logged in as <someone else>"! I can't for the life of me understand why. I've tried specifying session IDs and names, and I call session_regenerate_id() on every page. I must be missing something terribly obvious. I can log on and off just fine as long as I'm the only user, but simultaneous users have been causing this problem.
Each page has this in a universal header:

<?php
session_start();
session_regenerate_id(); // runs on every request; without the delete flag the old session data is kept

And the login page has this (after the above code, since it also includes that .inc file):

<?php
$userName = $_REQUEST["userName"];       // $_REQUEST merges GET, POST and cookie input
$shaPassword = $_REQUEST["shaPassword"];
$res = Data::signIn($userName, $shaPassword); // Verify the pwd in MySQL
if ($res instanceof User)
{
    session_regenerate_id(true);          // new ID, old session data deleted
    $_SESSION["msg"] = "<p>You've been signed in. Welcome back!</p>";
    $_SESSION["user"] = $res;
}

I'm sure I deserve to be laughed at, but I've gone over the PHP session handling many times, I'm reading The Truth About Sessions and trying to understand it... maybe I should stick to client-server apps.
Any help is appreciated! My temporary desperate hack is to verify the user's browser and IP address in the .inc file, which helps but is no panacea.
Thanks,
Jonathan
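As an added example (not the poster's code), here is a hardened shape for the universal header and login handler described above: it rejects session IDs the server never issued, binds the session to the browser that created it, reads credentials from POST only, and regenerates the ID exactly once, at login, instead of on every page. Data::signIn() and User are taken from the post; clientFingerprint() is a hypothetical helper.

```php
<?php
// Added example, not the original poster's code.
// Assumes Data::signIn() returns a User on success, as in the post.
declare(strict_types=1);

// Refuse uninitialised IDs supplied by the client (PHP >= 7.0) and keep the
// cookie away from script access.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

session_start();

// Hypothetical helper: tie the session to the presenting browser. The IP is
// left out because proxies and mobile networks change it mid-session.
function clientFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// A session ID arriving from a different browser is dropped, not adopted.
if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], clientFingerprint())) {
    session_unset();              // discard the other client's data
    session_regenerate_id(true);  // issue a fresh ID, delete the old record
}
$_SESSION['fp'] = clientFingerprint();

// Login handler: POST only, and the ID is regenerated here, after the
// credential check, so a pre-login ID never becomes an authenticated one.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['userName'], $_POST['shaPassword'])) {
    $res = Data::signIn($_POST['userName'], $_POST['shaPassword']);
    if ($res instanceof User) {
        session_regenerate_id(true);
        $_SESSION['user'] = $res;
        $_SESSION['msg']  = "<p>You've been signed in. Welcome back!</p>";
    }
}
```

With regeneration confined to the login step, concurrent requests from one browser (images, AJAX calls) no longer race each other to replace the session ID.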