PHP Session login crossing between sites on same server

I have CentOS LAMP with multiple sites. I use PHP session variables for the login to the websites. My problem is if you log into one site you can open another site on the same server and you will be logged in. The sites are completely separate so I want them to have to log into each separately. Each site has a different user DB.

Here are the session variables I am populating upon login.

$_SESSION["username"] = "$username";
$_SESSION["user_id"] = "$user_id";
$_SESSION["act_type"] = "$act_type";

I have created a little sample so you can recreate the problem.

There are 2 separate sites: /var/www/html/site1 and /var/www/html/site2

Each site has 2 pages, index.php and secure.php. If I log into one I can open secure.php on the other site too.

/var/www/html/site1/index.php

<?php

session_start();

// Hard-coded demo credentials for site1
$user = 'jane';
$pass = '654321';

// Only evaluate the login once the form has actually been submitted
if (isset($_POST['user'], $_POST['pass'])) {
    if ($user === $_POST['user'] && $pass === $_POST['pass']) {
        $_SESSION['user'] = $user;
        header('Location: secure.php');
        exit;   // stop rendering the form after the redirect
    }
    echo "Bad Login";
}

?>

<form name="form1" method="post" action="index.php">

    Username: <input name="user" type="text">
    <br />
    Password: <input name="pass" type="password">
    <br /><br />
    <input type="submit" name="Submit" value="Login">
</form>

/var/www/html/site1/secure.php

<?php

session_start();

// Redirect to the login form when no user is stored in the session
if (!isset($_SESSION['user'])) {
    header('Location: index.php');
    exit;   // without exit the "Secure Page" body below is still sent
}

?>
Secure Page

/var/www/html/site2/index.php

<?php

session_start();

// Hard-coded demo credentials for site2
$user = 'joe';
$pass = '123456';

// Only evaluate the login once the form has actually been submitted
if (isset($_POST['user'], $_POST['pass'])) {
    if ($user === $_POST['user'] && $pass === $_POST['pass']) {
        $_SESSION['user'] = $user;
        header('Location: secure.php');
        exit;   // stop rendering the form after the redirect
    }
    echo "Bad Login";
}

?>

<form name="form1" method="post" action="index.php">

    Username: <input name="user" type="text">
    <br />
    Password: <input name="pass" type="password">
    <br /><br />
    <input type="submit" name="Submit" value="Login">
</form>

/var/www/html/site2/secure.php

<?php

session_start();

// Redirect to the login form when no user is stored in the session
if (!isset($_SESSION['user'])) {
    header('Location: index.php');
    exit;   // without exit the "Secure Page" body below is still sent
}

?>
Secure Page
Eric Fluharty asked Nov 03 '22 05:11


2 Answers

I was in a similar situation as yourself, two sites on the same server and using IP (company intranet). I had an issue where they were crossing for login, and also destroying each other if you logged out on either. My solution was to use a prefix for the session variables to signify the individual sites.

Session Variables

Site 1

$_SESSION["s1_username"] = $username;
$_SESSION["s1_user_id"] = $user_id;
$_SESSION["s1_act_type"] = $act_type;

Site 2

$_SESSION["s2_username"] = $username;
$_SESSION["s2_user_id"] = $user_id;
$_SESSION["s2_act_type"] = $act_type;

^That will keep the login information separate between the two sites, so they won't "bleed" over to one another. But what about when we log out? Won't session_destroy() get rid of ALL of the variables? Here is what I did for that:

Destroying Session / Logging Out

Site 1

// Remove only the keys that belong to site 1 (prefixed s1_)
foreach ($_SESSION as $key => $value)
{
  if (strpos($key, 's1_') === 0)
  {
    unset($_SESSION[$key]);
  }
}

Site 2

// Remove only the keys that belong to site 2 (prefixed s2_)
foreach ($_SESSION as $key => $value)
{
  if (strpos($key, 's2_') === 0)
  {
    unset($_SESSION[$key]);
  }
}

^This prevented my websites from destroying each others variables if you logged out on one, and not the other.

Hope this helps someone out there not waste 6 hours like I did! :D

Fata1Err0r answered Nov 09 '22 15:11


You should use

session_name( 'site1' );
session_start();

You're creating a session tuple like site1.user which is overriding php.ini's default PHPSESSID.

Call it on your login page index.php, session.php, logout.php. This is the most common login file skeleton; otherwise, every time you call session_start(), session_name(<sess_name>) should precede it.

kingunits answered Nov 09 '22 15:11
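The session_name() approach from the second answer, carried through into one include that each site keeps in its own directory, as an added example that is not from the question or either answer. It names the session per site, scopes the cookie to the site's path, regenerates the ID on login and clears only that site's session on logout; the file name, function names and the 'site1'/'site2' argument are assumptions.

```php
<?php
// Added example (not from the question or answers). Each site includes this
// file and calls start_site_session('site1') or start_site_session('site2')
// before touching $_SESSION. The $site value is an assumed directory name.

function start_site_session(string $site): void
{
    // A distinct cookie name per site is what keeps the sessions apart:
    // with the default PHPSESSID, /site1/ and /site2/ read the same ID.
    session_name($site . '_sess');

    // Scope the cookie to the site's own path so the browser does not send
    // site1's cookie to site2 at all. Hygiene, not a security boundary:
    // both directories are still one origin to the browser.
    session_set_cookie_params([
        'path'     => '/' . $site . '/',
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);

    session_start();
}

function login_site_user(string $username): void
{
    // Fresh ID on privilege change so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

function logout_site_user(): void
{
    // Destroys only this site's session (its own name and cookie); the
    // other site's session, which lives under another name, is untouched.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// In /var/www/html/site1/index.php:  start_site_session('site1');
// In /var/www/html/site2/index.php:  start_site_session('site2');
// Then in secure.php, after the same call, check isset($_SESSION['user']).
```

Both sessions still sit in the same session.save_path under the same PHP user, so this separates the browser-side identities; it does not isolate the two applications from each other on the server.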