Hi everyone, here is my problem. I inherited a huge PHP website from another person at a company. This website uses sessions. It also has user control. For instance, an Admin has all rights, a SuperUser has fewer rights, and a User has the least rights. My website uses frames.
With the advent of tabbed browsing, here is what is happening. I will create a simple example to help explain my problem.
If an Admin user logs into the site he can see the navigation on the left side, and let's say there is an admins pictures link, a superuser pictures link, and a users pictures link.
I want the Admin user to see everyone's pictures, the SuperUser can only see the superusers' pictures and users' pictures, and the User can only see the users' pictures. Also, just hiding the link is not sufficient. I need to prevent them from navigating to the page manually.
Here is what happens. If a User logs in on tab1 and leaves the tab open, then opens tab2 and an Admin logs in, now on tab1 the User is allowed access with the same rights as Admin.
What I would like to do is...
If a User logs in on tab1, and then an Admin opens another tab2 and logs in, I would like the User on tab1, as soon as he tries to navigate to another page or perform an action, to automatically be kicked out to the login page. Basically killing that window.
I need my website to allow multiple sessions, but not from the same browser on the same computer, so that one cannot hijack someone else's credentials and perform duties they are not supposed to do.
Does this make sense?
Thanks
Okay I have a crisis here about PHP and sessions.
Re: Okay I have a crisis here about PHP and sessions.
I don't really understand why you would have two people logged onto your website on one computer with different permissions?
Re: Okay I have a crisis here about PHP and sessions.
I don't want that.
I need to have this web page be able to support sessions. So that multiple Users or multiple Admins or multiple SuperUsers (or a mixture of all 3) can log into the website on different client computers and perform actions without interfering with each other.
The problem lies with tabbed browsing. Let's say a careless person is on computer1 logged in as User. Then another person comes up to the same computer1 and opens a new tab and logs in as Admin. Let's say the Admin forgets to hit Logout and just closes the tab.
If the User comes back the user will now have full admin rights.
So what I want to do is...
If a user is logged in with one session ID. And another user comes along and logs in with the same session ID, I want to destroy the first session ID and keep the new one.
So I am not sure how to write the PHP code to do this. And I don't know where to put it.
Does that make better sense? Sorry I am kinda a novice with PHP sessions.
- John Cartwright
- Site Admin
Re: Okay I have a crisis here about PHP and sessions.
Prior to logging in, apply

```php
$_SESSION = array();
```

to destroy the existing session.
- social_experiment
- DevNet Master
Re: Okay I have a crisis here about PHP and sessions.
"The problem lies with tabbed browsing. Let's say a careless person is on computer1 logged in as User. Then another person comes up to the same computer1 and opens a new tab and logs in as Admin. Let's say the Admin forgets to hit Logout and just closes the tab."
The user in this situation has some accountability when using the system to ensure no malicious user can access it.
As for the question about forgetting to logout, depending on your script you should have a check in place, when the login page is loaded, that checks for any values that might be left over from prior logins. This could be session variables or database values (script dependent).
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
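The two replies above (reset the session before logging in, and check for leftover values from prior logins) can be combined with a per-page role check, as in this added example, which is not code from any poster in the thread. The function names, the role ranking, the `login_token` session key, the `t` request parameter and the `/login.php` path are all assumptions made for illustration.

```php
<?php
// Added example. All names here (begin_login, require_role, login_token, t,
// /login.php) are hypothetical and not taken from the site in the thread.
const ROLE_RANK = ['User' => 1, 'SuperUser' => 2, 'Admin' => 3];

// Call once the submitted credentials have been verified.
function begin_login(string $username, string $role): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = array();          // drop values left over from the previous login
    session_regenerate_id(true);  // issue a new session ID and delete the old session data
    $_SESSION['username'] = $username;
    $_SESSION['role'] = $role;
    // One token per login; every link, frame URL and form rendered for this
    // login carries it as the "t" parameter.
    $_SESSION['login_token'] = bin2hex(random_bytes(16));
    return $_SESSION['login_token'];
}

// Call at the top of every protected page, before any output is sent.
function require_role(string $minimumRole): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $pageToken = $_REQUEST['t'] ?? '';
    $sessionToken = $_SESSION['login_token'] ?? '';
    // A tab rendered under an earlier login still carries that login's token,
    // so its next request no longer matches the session and goes to the login page.
    if ($sessionToken === '' || !is_string($pageToken)
        || !hash_equals($sessionToken, $pageToken)) {
        header('Location: /login.php');
        exit;
    }
    // Hiding a link is not enough: the page itself checks the role on every request.
    $rank = ROLE_RANK[$_SESSION['role'] ?? ''] ?? 0;
    if ($rank < ROLE_RANK[$minimumRole]) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

A page such as the admin pictures page would start with `require_role('Admin');`. The token only ties a rendered page to the login that produced it; the session cookie is still what authenticates the browser.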