-2

I have a PHP site that sometimes, when I load a page, gets $_SESSION values from another user, but when I refresh the page it's all OK.

For example, I logged in as User A, navigated through the site and then on one page I got the session from User B. I refreshed the page and got the correct info from User A again.

This is the file "db.php" that I use with require_once in every file in my site. I put this at the very beginning of all my scripts:

<?php
    if(!isset($_SESSION)){session_start();}

    $mysqli = new mysqli("localhost", "", "", "");

    if ($mysqli->connect_errno) {
        echo "Error: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
    }

    $mysqli->set_charset("utf8");

    include("functions.php");
    date_default_timezone_set('America/Mexico_City');
?>

Also, I use shared hosting, which has these values set:

session.gc_maxlifetime = 604800;
session.save_path = /var/cpanel/php/sessions/ea-php56;

I have a "header.php" required once in each page, that has this query to get and show the username of the current user. This is where I noticed that something is wrong with the session, but I don't know why:

$query=sprintf("SELECT * FROM tblusers WHERE user=%s",$_SESSION['ADMINID']);
$info=$mysqli->query($query);
$c=$info->fetch_assoc();

The login is done in this way. cpass() is a function that crypts the pass to check it against the database. The login is done ok, and after some browsing I encounter the problem:

<?php
    if(isset($_POST['user'])&&isset($_POST['pass'])){
        $user=$mysqli->real_escape_string(trim($_POST['user']));
        $pass=cpass($mysqli->real_escape_string(trim($_POST['pass'])));
        $query=sprintf("SELECT * FROM tblusers WHERE user=%s AND pass='%s'",$user,$pass);
        $check=$mysqli->query($query);
        if($check->num_rows==1){
            $r=$check->fetch_assoc();
            $_SESSION['ADMINID']=$r['userid'];
            session_regenerate_id(true);
            header("Location: /");exit;
        }
    }
?>

The logout is handled this way:

<?php
    if(!isset($_SESSION)){session_start();}
    $_SESSION=array();
    unset($_SESSION);
    session_unset();
    session_destroy();
    if(isset($_GET['url'])){
        header("Location: ".$_GET['url']);
    }else{
        header("Location: /");
    }
?>

Thanks in advance!

damox10
  • 11
  • 1
  • 4
  • 6
    this sounds very unlikely. Sessions are not shared between users. It's also hard to see how you think the code you've shown might be relevant. Are you sure this mistaken data is really from the _session_, and not maybe from a faulty database query? It would be more relevant to show us the page where you encounter this problem, and give some sample data to allow it to be reproduced. – ADyson Jul 26 '18 at 15:16
  • 5
    You can call session_start without the if. – BenRoob Jul 26 '18 at 15:17
  • I think you are somehow getting a page cached in the browser – RiggsFolly Jul 26 '18 at 15:18
  • Plus, we don't know what the query looks like as well as other files using sessions. – Funk Forty Niner Jul 26 '18 at 15:21
  • 1
    "Sessions are not shared between users" @ADyson Only when the shared hosting is badly configured, this https://stackoverflow.com/questions/18262878/how-to-prevent-php-sessions-being-shared-between-different-apache-vhosts/18263063#18263063 (post of mine) is possible. The topic starter is using session.save_path so he is safe. – Raymond Nijland Jul 26 '18 at 15:24
  • @RaymondNijland good point, although that implies the same session ID could be shared between two sites on the same host. I'm not clear that it could result in the problem described in this question (even without session.save_path configured), where (allegedly) the session ID of one user of the same site is confused with another user of the same site? – ADyson Jul 26 '18 at 15:28
  • My comment was meant more as a heads-up @ADyson. The topic starter's problem could also be caused by a load balancer or some kind of proxy which is tunneling the data to the wrong client. Or there is a critical error within the session handling code. – Raymond Nijland Jul 26 '18 at 15:43
  • @ADyson I put more info in the question. – damox10 Jul 26 '18 at 16:11
  • @RaymondNijland I added more info and read your post. Thanks. – damox10 Jul 26 '18 at 16:14
  • Why is `session_start();` in the if statement? – Isaac Jul 26 '18 at 16:16
  • @Isaac I wrote that a long time ago, there is no point to it now. I’ll remove that :) – damox10 Jul 26 '18 at 16:24
  • @damox10 has my answer helped in any way? – Isaac Jul 26 '18 at 16:47
  • @Isaac I think that I’m already doing what you suggested. Thanks anyway :) – damox10 Jul 26 '18 at 16:51
  • you still haven't really explained _where_ the problem happens. Is it some specific page? The logic in your login code looks basically ok on the face of it. – ADyson Jul 27 '18 at 05:31
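
A hardened form of the logout step shown in the question, added here as an example and not part of the original post or its comments. It empties the session without unsetting the superglobal, expires the session cookie, and only follows the `url` parameter when it is a path on the same site; the function names are illustrative and the sample inputs are constructed.

```php
<?php
// Added example, not the poster's code. Function names are illustrative.

/** Return $candidate only if it is a path on this site; otherwise "/". */
function local_redirect_target($candidate)
{
    if (!is_string($candidate) || $candidate === '') {
        return '/';
    }
    // Control characters (CR/LF included) and backslashes never belong in a local path.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return '/';
    }
    // Exactly one leading slash: rejects "http://host/..." and scheme-relative "//host".
    if ($candidate[0] !== '/' || (isset($candidate[1]) && $candidate[1] === '/')) {
        return '/';
    }
    return $candidate;
}

function destroy_session()
{
    if (session_id() === '') {
        session_start();
    }
    $_SESSION = array();   // empty the data; unset($_SESSION) would detach the superglobal
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie in the browser as well as on the server.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed sample inputs, one per case the validator distinguishes.
$samples = array('/admin/list.php?p=2', 'https://example.org/', '//example.org', "/a\r\nX: y", '');
foreach ($samples as $u) {
    printf("%-22s => %s\n", addcslashes($u, "\0..\37"), local_redirect_target($u));
}

// logout.php would then end with (not executed here):
//   destroy_session();
//   header('Location: ' . local_redirect_target(isset($_GET['url']) ? $_GET['url'] : '/'));
//   exit;
```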

1 Answer

1

Simple fix: when you have a login script that works, you can provide something like this at the end of it to give them a $_SESSION tied in with their userID in your database.

Login.php

//login code

.....

//if successful
$_SESSION['user_id'] = $user['username'];
$_SESSION['logged_in'] = time();

header( "Location: /home.php" );
die();

And then at the top of your homepage (I presume this is where you want an echo like you are logged in as 'user123'):

home.php

<?php
session_start();
// The keys checked here must match the ones set in Login.php
if (isset($_SESSION['user_id']) || isset($_SESSION['logged_in'])) {
    echo 'whatever you want here';
}
?>
Isaac
  • 784
  • 10
  • 23