PHP Multiple Concurrent Sessions Per User

Question

I'm working on a web app using PHP on Apache. $_SESSION variables are used quite a bit for the information that must persist across pages.

We need each user to be able to open multiple concurrent sessions, either as new tabs or new windows, depending on their choice of browser. Right now when a user opens an addition tab or window and goes to the site the existing session is adopted. How can I prevent this so that the user must (or may) log in and start a new session, without it interfering with any existing session(s) they already have open?

Our temporary workaround is to use multiple browsers (IE and FF) but that's obviously not a very desirable way of doing things.

Answer 1

The behavior you describe opposes the concept of a browser session. Why would a user want more than one session? Is it a matter of user access controls needing to be enforced? If so, assign users to logical groups and grant permissions to specific groups. Do users need to perform some action on behalf of other users? If so, design the website around that concept instead of trying to create multiple sessions for a single user.

If you really have to do this, you could do something horrible like pass along a query parameter (very insecure!) between pages to act as a session ID, bypassing the actual $_SESSION altogether and managing your own concept of a session. Again, this is not normal and will only lead to headaches/security issues in the future.

Answer 2

Non-Atomic Concurrent Session Management access can be simulated with the following pseudo coded logic:

function main(){
  $locker = new SessionLocking();
  /** read elements the $_SESSION "cached" copy. **/
  $var1 = $_SESSION['var1'];
  $var2 = $_SESSION['var2'];
  /** Pseudo Atomic Read **/
  $locker->lock(); //session is locked against concurrent access.
  $var3 = $_SESSION['var3'];
  $locker->unlock(); //session is committed to disk (or other) and can be accessed by another script.
  /** Psuedo Atomic Write **/
  $locker->lock(); //session is locked against concurrent access.
  $_SESSION['var4'] = "Some new value";
  $locker->unlock(); //session is committed to disk (or other) and can be accessed by another script
}

CLASS SessionLocking {

private static $lockCounter=0;
private static $isLoaded=false;

function __constructor(){
  if (!self::$isLoaded) load();
}

private function load(){
 $this->lock();
 $this->unlock();
}

private function lock(){
  if ($lockCounter<1) try {session_start();} Catch(){}
  $lockCounter++; 
}

private function unlock(){
  if ($lockCount<1) return;
  $lockCounter--;
  if ($lockCounter<1) try {session_write_close();} Catch(){}
}
}

Answer 3

This would be very difficult to do, if at all possible.

Sessions should not have to worry about which tab they are in.

Also, what happens if session 1 in tab 1 opens a new window? Is it a new session?