I am making a PHP based application. When two users are logged in from the same browser in different tabs, they can access each other's pages. How do I prevent this?
- Why? Other than making the user type in a username/password for every request, I don't know it's possible, much less practical. – Jared Farrish Jun 10 '12 at 05:29
- "Restrict user access" in title - "can access" in question??? – slash197 Jun 10 '12 at 05:29
- What you *really* need to do is make sure that you don't somehow allow a browser to login two different users. That's usually how web apps work in this regard. I.e., if a user tries to access the login screen or form, have them logout first, or automatically log the other user out if the login page or form is requested. – Jared Farrish Jun 10 '12 at 05:35
- Why would 2 users be using different tabs in the same browser? Cookies for a site exist for the whole browser session, not for each tab. Plus, what if I decide to click on the other tab? – gen_Eric Jun 10 '12 at 05:41
- Wait. How can 2 users be logged in to the same website in different tabs in the first place? That's impossible! – gen_Eric Jun 10 '12 at 05:44
- @Rocket - Nothing's impossible if you don't know it or "luck" into it. Somebody gets a little *crafty* and fiddles something that's totally sideways with unusual flaws? I've seen it from beginner and junior developers. It's amazing how ingenious some of their flaws really can be. `:)` – Jared Farrish Jun 10 '12 at 05:46
- @JaredFarrish: I guess, but think about it. If he managed to have a site where 2 users can be logged in in different tabs in the same browser, wouldn't the problem have solved itself? This question is really confusing >. – gen_Eric Jun 10 '12 at 05:47
- @Rocket - They're not "logged into different tabs". They may have "logged in using different tabs to access the login form", but they're not "logged into a tab". That's a moot point, isn't it? – Jared Farrish Jun 10 '12 at 05:48
- Wait. By `logged in` do you mean actually "logged in" (like authenticated)? Or `logged in` as just viewing the page? Can you explain a bit more? This is a really confusing question. – gen_Eric Jun 10 '12 at 05:48
- @Rocket, having many users logged in is not possible (or at least very hard) if you use cookies for session identification. If you pass the session identifier as a GET/POST parameter, it's totally possible to have many users logged in from the same browser. – zneak Jun 10 '12 at 05:50
- @Rocket - It's possible (now that I think about it) to have two different users logged into the same browser in different "app/path contexts", but within a "shared site context". In other words, if your app is at `http://example.com/rocketsapp` and my app is at `http://awesome.example.com/jaredsapp`, the cookies/sessions could in theory identify a user who could access both if the session overlaps the "logged in" flag or check and the session cookie is set to the subdomain and not the path extension. It's possible... And obviously a flaw. – Jared Farrish Jun 10 '12 at 05:54
- @zneak: True, but if that's what the OP was doing, then the problem would be solved in the first place. – gen_Eric Jun 10 '12 at 05:54
4 Answers
I see 4 solutions here:
- You could just try to give that window (in this case tab) a name, to detect a special window with JavaScript:
    if (window.name == 4711) { ... }
- Use a session with a GET parameter and not with a cookie.
- Use a random subdomain with normal cookies that operate on that subdomain.
- Use a normal cookie which is restricted to a "virtual" directory which does not really exist, with the usage of mod_rewrite. Idea based on this comment.
- How is that going to prevent someone from just selecting the other tab? – Jared Farrish Jun 10 '12 at 05:29
- I understand the question this way: a solution is searched to login in one browser with multiple accounts. This is not possible with cookie based sessions. – rekire Jun 10 '12 at 05:34
- @JaredFarrish: That concept makes this entire question moot. I'd like to know why this is an issue the OP feels he needs to solve. – gen_Eric Jun 10 '12 at 05:42
- @Rocket - Yeah, I know. See my other comments. I think the concern is "bogus" as in worrying about something that is "unreal" or having a poorly built authentication process. – Jared Farrish Jun 10 '12 at 05:44
- @JaredFarrish: Plus how can 2 users be logged in in different tabs at the same time in the same browser? How is that even possible? – gen_Eric Jun 10 '12 at 05:45
- @Rocket - I don't think that's material. The OP may not realize it's one browser session, not a session by tab or whatnot. – Jared Farrish Jun 10 '12 at 05:47
- rekire, [on principle](http://me.veekun.com/blog/2012/03/24/on-principle/) even having this problem is an anti-pattern and the result of a poor design. I don't think your solutions will do anything other than complicate the problem unnecessarily, and I doubt they work reliably enough not to piss off the users. Unless there's some revelatory explanation by the OP that suddenly makes this "make sense", the real solution is to fix access. – Jared Farrish Jun 10 '12 at 06:05
- That last solution (based on my comment) *could* actually **allow** more than one user to log into an app which may segregate users' "areas of access" by URL path. So, for instance, if you have an app, and I had an "area" found at `http://example.com/app/bigmoney/` and you have an "area" found at `http://example.com/app/wonderland/`, if the sessions were not sharing the same method of caching a user assigned to the user, I could possibly access your area "as you". The two "areas", in other words, are distinct enough that they would need an SSO model to share and ensure user identification. – Jared Farrish Jun 10 '12 at 06:16
- Well, that one with random subdomains has been used by web.de for years. The domains will look a little ugly, but that works fine even without JS. On the example of web.de you can have different mailboxes open at once. So far I see nothing which pisses off the user. Your last comment is not completely clear to me. – rekire Jun 10 '12 at 06:16
- Can two users be logged in simultaneously, or does it require a user to logout before granting access to another part of the site belonging to another user? – Jared Farrish Jun 10 '12 at 06:17
- What you're describing is actually a problem that needs to be controlled by carefully managing the login procedure, not by designing around the effect. Deal with the root cause, not the consequence itself. EDIT: Can two different users be logged into the same site while in the same browser? – Jared Farrish Jun 10 '12 at 06:20
- Well, if that's how they want to handle it. I think it's unfair to the users if that's the case. – Jared Farrish Jun 10 '12 at 06:21
Use $_SESSION or $_COOKIE to store a generated key that is created when a user logs in, and update your database so that when a user changes page, you access their information based on that generated key. Also you might want to create a simple function that checks the key and then use another function for your page; if it's like a menu bar or login box, wrap it inside an if statement like:

    if (checkUser($_COOKIE['MYSID'])) {
        // User is logged in, so show whatever
    } else {
        // Login box here
    }

- Cookies are not tied to a tab or window, AFAIK. Still doesn't prevent someone from just *clicking on the other tab*. – Jared Farrish Jun 10 '12 at 05:34
- You're right, cookies are not tied to just one tab or window, but if you are using cookies as a source of logging in and added a part within the site that checks if a cookie exists, thus not allowing another person to login, that does prevent what he's asking. – Bobby Jun 10 '12 at 05:39
- The flaw is that, apparently/maybe?, the OP has built a system that somehow allows multiple users to be signed in from the same browser session. Fix that, don't implement some complicated "fix" for a problem that shouldn't even take place. IMO. – Jared Farrish Jun 10 '12 at 05:42
Use the window.name property, or set a cookie for each user at the time of opening the browser tab.

Your application is not checking whether the user is currently logged in or not, so what you have to do first, when the user enters credentials and logs in, is set a session variable:

    $_SESSION['logged_in'] = "true";

Then you have to make some modification to your index page, as follows, at the beginning of the page:

    <?php
    session_start();   // the session must be started before $_SESSION is read
    if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] == 'true') {
        header('Location: USERS_SPECIFIC_PAGE_AFTER_LOGIN.EXT');
    } else {
        header('Location: login_page.ext');
    }
    exit;              // stop here so nothing after the redirect is served
    ?>

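Answers 2 and 4, and the comments on the question, all land on the same root-cause fix: a browser holds exactly one session, the login procedure ends whatever session was there before binding a new user, and every protected page checks the session rather than trusting a tab. The following is an added example, not code from the question or any answer: it assumes `/home.php` and `/login.php` as placeholder pages, PHP 7.3+ for the `samesite` cookie parameter, and a hypothetical `verifyCredentials()` standing in for the application's own password check (which should use `password_verify` against a stored hash, as shown).

```php
<?php
// Added example: one session, one user per browser. Not code from this page;
// verifyCredentials() and the /home.php and /login.php targets are stand-ins.
declare(strict_types=1);

// Cookie-only sessions: the ID never travels in a URL (the GET-parameter option
// leaks it through referrers, logs and copied links), and only server-issued IDs
// are accepted.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'path'     => '/',
    'httponly' => true,                     // not readable from JavaScript
    'secure'   => isset($_SERVER['HTTPS']), // only over TLS when TLS is in use
    'samesite' => 'Lax',
]);
session_start();

/** Hypothetical credential check. Returns the user id or null.
 *  The single account below is constructed for offline demonstration only. */
function verifyCredentials(string $user, string $password): ?int
{
    $accounts = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (!isset($accounts[$user]) || !password_verify($password, $accounts[$user]['hash'])) {
        return null;
    }
    return $accounts[$user]['id'];
}

/** End the current session completely: data, server-side storage and the cookie,
 *  then open a fresh empty session so the rest of the request can proceed. */
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    session_start();
}

/** Bind a user to this browser's session. If another user is already bound, that
 *  user is logged out first (the "log the other user out" fix from the comments).
 *  The ID is regenerated so the pre-login ID is never reused after authentication. */
function loginUser(int $userId): void
{
    if (isset($_SESSION['user_id']) && $_SESSION['user_id'] !== $userId) {
        logoutUser();
    }
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'login_at' => time()];
}

/** The check every protected page runs instead of looking at the tab or window. */
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// --- request handling for the login page itself ---
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['password'])) {
    $id = verifyCredentials((string) $_POST['user'], (string) $_POST['password']);
    if ($id === null) {
        http_response_code(401);
        echo 'Invalid credentials';
        exit;
    }
    loginUser($id);
    header('Location: /home.php');
    exit;
}

if (isset($_GET['logout'])) {
    logoutUser();
    header('Location: /login.php');
    exit;
}

// Anyone already logged in is sent on; everyone else gets the form. Requesting
// the login form does not create a second login, it replaces the first on submit.
if (currentUserId() !== null) {
    header('Location: /home.php');
    exit;
}
echo '<form method="post"><input name="user"><input name="password" type="password"><button>Log in</button></form>';
```

With this in place the scenario in the question cannot arise: a second user submitting the form in another tab replaces the first user's session for the whole browser, and the first tab's next request is served as the second user (or redirected to the login page), never as a mix of the two. The `exit` after each `header('Location: ...')` matters; without it the rest of the page is still generated and sent to a client that ignores the redirect.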