Cookie? Session? users on same PC

Posted: Tue Nov 28, 2006 10:12 pm
by sjgphoto
I'm writing a web-app (logbook) that is driving me nuts. I hope somebody here can shed some light on it.

Here is a scenario of my problem:
User #1 logs in and makes an entry in the logbook. When finished, he does not logout, but leaves browser open.

User #2 sits down immediately as User #1 gets up. Opens up another browser, logs in and makes his entry. He properly logs out and closes his browser out like a good security-minded employee.

PROBLEM:
When User #1 sits back down after User #2 gets done, and refreshes his screen, his login information changes from his login to User #2's login. The only way around this is to logoff User #2, close all browsers, and re-log back in.

The only thing I can think of is to have a timeout on the session. But this doesn't help much if the users leave multiple browser windows open, even if they close out their logbook. Plus, users tend to not hit any kind of "logoff" button, which would properly terminate the session. Most just close the browser, which should terminate the session, but if users have multiple browsers open at the same time, I believe the session remains active, even though the logbook was closed.

My QUESTION:
How do I enable multiple users to log in successfully using the same computer, and keep them both separated in the app at the same time?

Does any of this make sense? I hope somebody can help me.

Scott

Posted: Tue Nov 28, 2006 11:17 pm
by sjgphoto
I guess I was a bit too quick on the asking, because I think I just found my answer.

I have to call session_regenerate_id() when a user logs in. Now my sessions are separated for each user, even if on the same PC.

Scott

Posted: Tue Dec 05, 2006 11:10 am
by AGISB
If you log out user 2 properly, user 1 will not be able to use user 2's login info, as it was destroyed.

Posted: Tue Dec 05, 2006 11:48 am
by Maugrim_The_Reaper
There's something weird happening in your sessions. Since the users are on the same PC (the main problem), you can limit the session lifetime so it expires and a user needs to log in again. Usually this is a separate check of the current time against the last request time (anything over the limit triggers a call to session_destroy()).

The thing here is to force a logout quickly once a user's activity has stopped.

Kill the session cookie on the client side and server side.

Posted: Fri Dec 15, 2006 1:31 pm
by dacoolthings
When a user performs the logout action, make sure to kill the cookie on the server side and the client side.

Create the cookie as a non-persistent cookie, which means do not store the cookie on the user's hard disk. If you store the cookie on the user's hard disk, all the browser windows will pick up the same cookie.

Thanks

Find more web information security at http://www.webinfosec.com
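The measures the replies above describe (regenerating the session id at login, an idle-time check that forces a logout, a non-persistent session cookie, and a logout that clears both the server-side session and the client-side cookie) put together as one added PHP example; this is not code from any poster. It assumes PHP 7.3 or later for the array form of the cookie functions, a hypothetical authenticate() credential check, and an arbitrary 15-minute idle limit.

```php
<?php
// Added example, not from the thread. authenticate() is hypothetical.
const IDLE_LIMIT = 900; // seconds of inactivity before a forced logout (assumed value)

function start_session(): void {
    // lifetime 0 = non-persistent cookie: held in memory only, gone when the browser closes.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function enforce_idle_timeout(): void {
    // Compare now against the last request time; over the limit means force a logout.
    $now = time();
    if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > IDLE_LIMIT) {
        logout();
        return;
    }
    $_SESSION['last_activity'] = $now;
}

function login(string $user, string $pass): bool {
    if (!authenticate($user, $pass)) {   // hypothetical credential check
        return false;
    }
    // New session id on login; true deletes the old session file server-side,
    // so nothing from the previous user's session carries over.
    session_regenerate_id(true);
    $_SESSION = ['user' => $user, 'last_activity' => time()];
    return true;
}

function logout(): void {
    $_SESSION = [];                       // server side: drop all session data
    if (ini_get('session.use_cookies')) { // client side: expire the session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000, 'path' => $p['path'], 'domain' => $p['domain'],
            'secure'   => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                    // server side: remove the session storage itself
}
```

Call start_session() then enforce_idle_timeout() at the top of every page, and login()/logout() from the respective form handlers.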