Cookie? Session? users on same PC

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


sjgphoto
Forum Newbie
Posts: 2
Joined: Tue Nov 28, 2006 9:28 pm


Post by sjgphoto »

I'm writing a web-app (logbook) that is driving me nuts. I hope somebody here can shed some light on.

Here is a scenario of my problem:
User #1 logs in and makes an entry in the logbook. When finished, he does not logout, but leaves browser open.

User #2 sits down immediately as User #1 gets up. Opens up another browser, logs in and makes his entry. He properly logs out and closes his browser out like a good security-minded employee.

PROBLEM:
When User #1 sits back down after User #2 gets done, and refreshes his screen, his login information changes from his login to User #2's login. The only way around this is to logoff User #2, close all browsers, and re-log back in.

The only thing I can think of is to have a timeout on the session. But this doesn't help much if the users leave multiple browsers windows open, even if they close out their logbook. Plus, users tend to not hit any kind of "logoff" button, which would properly terminate the session. Most just close the browser which should terminate the session, but if users have multiple browsers open at the same time, I believe the session remains active, even though the logbook was closed.

My QUESTION:
How do I enable multiple users to log in successfully, using the same computer, and keep them both separated in the app at the same time?

Does any of this make sense? I hope somebody can help me.

Scott
sjgphoto
Forum Newbie
Posts: 2
Joined: Tue Nov 28, 2006 9:28 pm

Post by sjgphoto »

I guess I was a bit too quick on the asking, because I think I just found my answer.

I have to call session_regenerate_id() when a user logs in. Now my sessions are separated for each user, even if on the same PC.



Scott
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

If you log out user 2 properly, user 1 will not be able to use user 2's login info, as it was destroyed.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

There's something weird happening in your sessions. Since the users are on the same PC (the main problem) you can limit the session lifetime so it expires and a user needs to log in again. Usually this is a separate check of current time against last request time (anything over the limit triggers a call to session_destroy()).

Thing here is to force a logout quickly once a user's activity has stopped.
dacoolthings
Forum Newbie
Posts: 2
Joined: Wed Dec 13, 2006 9:48 pm

Kill the session cookie on the client side and server side.

Post by dacoolthings »

When the user performs the logout action, make sure to kill the cookie on the server side and the client side.

Create the cookie as a non-persistent cookie, which means do not store the cookie on the user's hard disk. If you store the cookie on the user's hard disk, all the browser windows will pick up the same cookie.

Thanks

Find more web information security at http://www.webinfosec.com
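The three pieces of advice in this thread (sjgphoto's session_regenerate_id() at login, Maugrim_The_Reaper's idle timeout that calls session_destroy(), and dacoolthings' logout that clears the cookie on both server and client, with a non-persistent cookie) fit together as one session lifecycle. The following is an added example and not code from any post in the thread. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and setcookie()), a hypothetical check_credentials() that returns a user id or null, and an idle limit of 600 seconds chosen for illustration. Include it before any output and call start_secure_session() at the top of every page; login() and logout() are called from the form handlers.

```php
<?php
// Added example (not from the thread): one session lifecycle for a shared PC.
// Assumes PHP >= 7.3 and a hypothetical check_credentials() defined elsewhere.

declare(strict_types=1);

const IDLE_LIMIT = 600; // seconds without a request before a forced logout (assumption)

function start_secure_session(): void
{
    // lifetime 0 = non-persistent cookie: it lives only as long as the browser
    // process and is never written to disk. httponly keeps page scripts from
    // reading the ID; secure restricts it to HTTPS when the site runs over TLS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_start();
    enforce_idle_timeout();
}

function enforce_idle_timeout(): void
{
    // Maugrim's check: compare now against the last request time, and destroy
    // the session if the gap exceeds the limit.
    $now = time();
    if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > IDLE_LIMIT) {
        logout();        // destroys server-side data and expires the cookie
        session_start(); // fresh anonymous session; strict mode forces a new ID
    }
    $_SESSION['last_activity'] = $now;
}

function login(string $username, string $password): bool
{
    $userId = check_credentials($username, $password); // hypothetical helper
    if ($userId === null) {
        return false;
    }
    // Discard anything left by whoever used this browser before, then issue a
    // new ID. The true argument deletes the old ID server-side, so a window that
    // still holds it cannot be used to reach this or the previous account.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
    return true;
}

function logout(): void
{
    // Server side: drop the data for this ID.
    $_SESSION = [];

    // Client side: expire the cookie so the browser stops sending the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}
```

One caveat for the shared-PC scenario: every window that shares a cookie jar sends the same session cookie, so after User #2 logs in, any window in that same browser profile will present User #2 on its next request regardless of regeneration. Regenerating the ID stops the two logins from sharing one server-side session record, and the idle timeout plus the two-sided logout bound how long a forgotten window stays usable; what cannot be solved from the server is two people sharing one unlocked browser profile.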