LightOpenID is only using the first AuthURL returned despite individual PHP Sessions being started

Question

Here's my login code below, it's pretty standard. Why would a user who presses login on steamcommunity. Below this code is a quick debug output I threw together which demonstrates that although 2 AuthURLs are being sent, for some reason LightOpenID is applying the first returned result to every user attempting to authenticate through steam at a similar time. I.e. getting to steamcommunity and signing in.

 <?
 ob_start();
 session_start();
if(isset($_GET['logout']))
{
    if(isset($_COOKIE[session_name()])):
        setcookie(session_name(), '', time()-7000000, '/');
    endif;

    if(isset($_COOKIE['login_user'])):
        setcookie('login_user', '', time()-7000000, '/');
    endif;

    session_unset();

    session_destroy();

    header("Location: index.php");
}

include "kern/apikey.php";
include "kern/openid.php";
$OpenID = new LightOpenID("xxxxxx.com");

if(!$OpenID->mode)
{
    if(isset($_GET['login']))
    {
        $OpenID->identity = "http://steamcommunity.com/openid";
        header("Location: " . $OpenID->authUrl());
    }
    if(!isset($_SESSION['SteamAuth']))
    {
        $login = "<div id=\"login\">In order to access the panel, you must <br /><br /> <a href=\"?login\"><img src=\"http://cdn.steamcommunity.com/public/images/signinthroughsteam/sits_large_noborder.png\"/></a></div>";
    }
} else if ($OpenID->mode == "cancel")
{
    echo "Authentication Cancelled...";
} else {
    if($OpenID->validate())
    {


        $id = $OpenID->identity;

        $_SESSION['SteamID64'] = str_replace("http://steamcommunity.com/openid/id/", "", $id);
        $_SESSION['SteamAuth'] = true;

        $Steam64 = str_replace("http://steamcommunity.com/openid/id/", "", $id);
        $profile = file_get_contents("http://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key={$api}&steamids={$Steam64}");
        $steam = json_decode($profile, true);
        $communityid = $steam['response']['players'][0]['steamid'];
        $authserver = bcsub($communityid, '76561197960265728') & 1;
        $authid = (bcsub($communityid, '76561197960265728')-$authserver)/2;
        $_SESSION['SteamID'] = "STEAM_0:" . $authserver . ":" . $authid;
        $_SESSION['SteamName'] = $steam['response']['players'][0]['personaname'];

        header("Location: index.php");
    } else {
        echo "User is not logged in";
    }
}

?>

<html>
<body>
<div id="title">Login</div>
<div id="content">
<?
    echo $login;
?>
</div>
</body>
</html>

See the log file below which indicates the AuthURL is being sent twice, but only a single response is actually being used:

[09-Nov-2014 14:09:52 America/Chicago] Begin login!
[09-Nov-2014 14:09:52 America/Chicago] Sent authurl!xxxxx

[09-Nov-2014 14:10:03 America/Chicago] Begin login!
[09-Nov-2014 14:10:03 America/Chicago] Sent authurl!xxxxx

[09-Nov-2014 14:10:10 America/Chicago] Begin login!
[09-Nov-2014 14:10:11 America/Chicago] Got identity!http://steamcommunity.com/openid/id/xxxx

[09-Nov-2014 14:10:11 America/Chicago] Using Steam64!xxxx

[09-Nov-2014 14:10:11 America/Chicago] Using string steam64!xxxx

As you can see, although 2 AuthURLs are being sent at a similar time, as soon as one identity is returned it applies it to both users, meaning people get logged into the incorrect accounts.

This issue appears entirely reproducible using the https://github.com/SmItH197/SteamAuthentication PHP examples.

Steps to reproduce: 1. First user clicks "Log in through steam", hangs at the steamcommunity.com OpenID login. 2. Second user clicks "Log in through steam", hands at steamcommunity.com login. 3. Both users then click through, one will be logged in as the other.

Answer 1

Tested this on an external webserver, turns out it seems to be due to server/PHP config down the line, not entirely sure why it's happening or what the cause is, so my solution will be to move my steamauth to another server for now.