4

I'm doing some exercises on using sessions in php. I set it up this way:

    $_SESSION['log_users'][] = array(array('Username'=>$username));

I tried to experiment with it and found out that the session being generated is different when I use a different IP to access it, while using the same browser, which is Firefox.

Here is what I did:

  1. Set up my router so that others will be able to access the exercise that I'm working on through my external IP address.
  2. I then opened the localhost version of the exercise:

    http://localhost/exercise/sessions.php

  3. Then the one using the external ip address:

    http://201.xxx.xxx/exercise/sessions.php

  4. I then filled up the session array on each browser tab and found out that each of those two keeps a different version of the session. I found this out by using print_r($_SESSION['log_users']).

Is this really the way it should behave? Is there anything I can do so that there's only one version of the session? I'm currently using Wampserver 2.1.

user225269
  • There are ways around this, but they are complicated. Are you sure you need this? – Pekka Apr 22 '11 at 06:56
  • Yes, but if there are alternatives which could be easier. Then I'd like to do it. – user225269 Apr 22 '11 at 07:00
  • As far as I can think, there is no way without altering each URL and putting the session ID in it. See http://www.php.net/manual/en/session.idpassing.php for how it works – Pekka Apr 22 '11 at 07:04
  • Stack Overflow itself uses an HTML5 global storage whatever thingy to maintain the authorization token across multiple domains. See http://stackauth.com/ and http://stackapps.com/ for a teensy bit of documentation. But that's likely overkill for your purpose. – mario Apr 22 '11 at 07:07

4 Answers

4

The session is stored on the server side, and a session cookie is created on the client side to identify the browser's current session; it holds the current session ID.

The session cookie is stored based on the domain you are using to access the site.

Since you are using different domains, one being localhost and the other an IP, two different sessions will be created.

When you visit pages through the localhost domain, it will create a session and store the session cookie on the domain localhost. If you visit another page on the same domain, the system will check if the session cookie exists; if it does, it resumes the old session and does not create a new one.

At the same time, if you access the site through the IP, the session cookie is not stored for this IP yet, so the system assumes that there is no active session for this user, starts a new session, and stores a session cookie based on this IP.

This is how sessions work.

Hope this helps.

Shakti Singh
2

The session cookie is bound to a domain name. When you first access it, it will be bound to the localhost domain.

If you then point your browser to the 201.xx.xx.xx address, the domain name will no longer match, and your browser will not send this cookie again. This is why a new session will be generated, even though it is factually the same server.

mario
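The host scoping described in the two answers above, as an added example that is not part of the original posts: a minimal model of the RFC 6265 rules a browser applies when storing and sending a session cookie. `CookieJar`, `domainMatch` and `replay` are hypothetical names, `203.0.113.7` is a documentation address standing in for the external IP, and the session ids are constructed.

```javascript
// Added example: a minimal model of RFC 6265 cookie scoping, not code from the page.
// CookieJar, domainMatch and the host/session values below are constructed for illustration.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');

// RFC 6265 section 5.1.3: identical strings match; suffix matching never applies to IP addresses.
function domainMatch(host, domain) {
  return host === domain || (!isIp(host) && host.endsWith('.' + domain));
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Handle Set-Cookie from `host`; `domainAttr` is the optional Domain attribute.
  store(host, name, value, domainAttr) {
    host = host.toLowerCase();
    let domain = host, hostOnly = true;             // no Domain attribute: host-only cookie
    if (domainAttr) {
      domain = domainAttr.toLowerCase().replace(/^\./, '');
      if (!domainMatch(host, domain)) return false; // a server may not set cookies for another host
      hostOnly = false;
    }
    this.cookies = this.cookies.filter((c) => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // Build the Cookie header the browser would send to `host`.
  cookieHeader(host) {
    host = host.toLowerCase();
    return this.cookies
      .filter((c) => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Replay the question's steps: same browser (one jar), same server, two host names.
function replay() {
  const jar = new CookieJar();
  const log = [];
  for (const [host, newId] of [['localhost', 'sess-A'], ['203.0.113.7', 'sess-B']]) {
    const sent = jar.cookieHeader(host);            // what PHP sees in the request
    if (!sent) jar.store(host, 'PHPSESSID', newId); // no cookie: session_start() issues a new id
    log.push({ host, sent, after: jar.cookieHeader(host) });
  }
  // A response from localhost cannot plant the cookie for the IP address either.
  const crossHost = jar.store('localhost', 'PHPSESSID', 'sess-A', '203.0.113.7');
  return { log, crossHost };
}
```
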
0

In your case $_SESSION alone will not be helpful for you. You should try using $_SESSION together with a database.

You should synchronize your session and the database session record.

The system will check your entry in the database. If you have an entry available, it will directly generate a session for your site. This way only one login can be available for all browsers.

Sanjay Mohnani
0

While the answer from Shakti Singh may be technically correct, the goal you seem to be trying to achieve is IMO not reachable that way.

The way with session_id() plus database may look roughly like:

  • start session
  • tie session_id to username (in database)
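
From my checkpass.php:

    ...
    // Connects to your Database
    ...

    session_start();
    $sql = 'SELECT * FROM `login` WHERE `user`="xxUserxx"';
    $result = $db->query($sql);
    $row = $result->fetch_row(); # $row[0] is what the submitted password is compared against.
    # isset()/is_string() avoid notices on the first GET; hash_equals() compares strictly and in constant time.
    if ($row && isset($_POST['passwort']) && is_string($_POST['passwort'])
        && hash_equals((string)$row[0], $_POST['passwort']))
    {
        session_regenerate_id(true); # Fresh session id at login, so an id set before login cannot be reused.
        if (!$db->query('UPDATE `login` SET `sessionid`="'.session_id().'" WHERE `user`="xxUserxx"'))
        {
            error_log('Session update failed: '.$db->error); # Keep the SQL and DB error out of the response.
            die('Was not able to create session in database!');
        }
        header('Location: backtothecalling.php');
        exit;
    }
    else
    {
        ?>
        <form action="" method="post">
            <input type="password" size="13" maxlength="13" name="passwort" autofocus required>
            <input type="submit" value="login">
        </form>
        <?php
    }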

  • check regularly if this login is still active and valid.

    // Connects to your Database
    ...

    //Already logged in? ...
    session_start(); #Starts or continues a session. This gives you a session id.
    $sql = 'SELECT * FROM `login` WHERE `user`="xxUserxx"';
    if (!$result = $db->query($sql))
    {
        error_log('User lookup failed: '.$db->error); #Keep the DB error out of the response.
        die("Couldn't get user data from database.");
    }
    $row = $result->fetch_row(); #In $row[1] is now the session_id from the last successful login.
    if (!$row || session_id() !== $row[1]) #Check for valid login (compare actual session_id with the one in db).
    {
                                            #If not already logged in, checkpass.php gives a
                                            #login screen and asks for login factors,
        header('Location: checkpass.php');  #and will store valid session_id in db.
        exit;
    }
    #From here on you are correctly logged in, continue with whatever you want to do here with the user
    #(in my case there is only one user, so keep that in mind if you miss username checks in my code).

    ...
TTorai