I have CentOS LAMP with multiple sites. I use PHP session variables for the login to the websites. My problem is that if you log into one site, you can open another site on the same server and you will be logged in. The sites are completely separate, so I want users to have to log into each separately. Each site has a different user DB.
Here are the session variables I am populating upon login.
$_SESSION["username"] = "$username";
$_SESSION["user_id"] = "$user_id";
$_SESSION["act_type"] = "$act_type";
I have created a little sample so you can recreate the problem.
There are 2 separate sites: /var/www/html/site1 /var/www/html/site2
Each site has 2 pages: index.php, secure.php. If I log into one I can open secure.php on the other site too.
/var/www/html/site1/index.php
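<?php
session_start();
$user = 'jane';
$pass = '654321';
// Array keys must be quoted strings; ?? avoids a warning when the form has not been posted yet
if ( $user === ($_POST['user'] ?? '') && $pass === ($_POST['pass'] ?? '') ) {
    $_SESSION['user'] = $user;
    header("location: secure.php");
    exit; // stop the script once the redirect header is sent
}
else {
    echo "Bad Login";
}
?>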
<form name="form1" method="post" action="index.php">
Username: <input name="user" type="text">
<br />
Password: <input name="pass" type="password">
<br /><br />
<input type="submit" name="Submit" value="Login">
</form>
/var/www/html/site1/secure.php
<?php
session_start();
if ( !isset($_SESSION['user']) ) {
    header("location: index.php");
    exit; // without this the page body below is still sent to the client
}
?>
Secure Page
/var/www/html/site2/index.php
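<?php
session_start();
$user = 'joe';
$pass = '123456';
// Array keys must be quoted strings; ?? avoids a warning when the form has not been posted yet
if ( $user === ($_POST['user'] ?? '') && $pass === ($_POST['pass'] ?? '') ) {
    $_SESSION['user'] = $user;
    header("location: secure.php");
    exit; // stop the script once the redirect header is sent
}
else {
    echo "Bad Login";
}
?>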
<form name="form1" method="post" action="index.php">
Username: <input name="user" type="text">
<br />
Password: <input name="pass" type="password">
<br /><br />
<input type="submit" name="Submit" value="Login">
</form>
/var/www/html/site2/secure.php
<?php
session_start();
if ( !isset($_SESSION['user']) ) {
    header("location: index.php");
    exit; // without this the page body below is still sent to the client
}
?>
Secure Page
I was in a similar situation as yourself, two sites on the same server and using IP (company intranet). Had an issue where they were crossing for login, and also destroying each other if you logged out on either. My solution was to use a prefix for the session variables to signify the individual sites.
Session Variables
Site 1
$_SESSION["s1_username"] = $username;
$_SESSION["s1_user_id"] = $user_id;
$_SESSION["s1_act_type"] = $act_type;
Site 2
$_SESSION["s2_username"] = $username;
$_SESSION["s2_user_id"] = $user_id;
$_SESSION["s2_act_type"] = $act_type;
^That will keep the login information separate between the two sites, so they won't "bleed" over to one another. But what about when we log out? Won't session_destroy() get rid of ALL of the variables? Here is what I did for that:
Destroying Session / Logging Out
Site 1
foreach($_SESSION as $key => $value)
{
if (strpos($key, 's1_') === 0)
{
unset($_SESSION[$key]);
}
}
Site 2
foreach($_SESSION as $key => $value)
{
if (strpos($key, 's2_') === 0)
{
unset($_SESSION[$key]);
}
}
^This prevented my websites from destroying each other's variables if you logged out on one, and not the other.
Hope this helps someone out there not waste 6 hours like I did! :D
You should use
session_name( 'site1' );
session_start();
You're creating a session tuple like site1.user, which is overriding php.ini's default PHPSESSID.
Call it on your logging page index.php, session.php, logout.php. This is the most common login file skeleton; or, every time you call session_start(), session_name(<sess_name>) should precede it.
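A per-site session bootstrap that builds on the session_name() approach above, as an added example that is not part of the original question or answers. It goes further than the answers by scoping the cookie path, stamping each session with its site, and regenerating the ID at login. The helper names, the `_site` marker key and the `/site1/` and `/site2/` URL paths are assumptions for illustration.

```php
<?php
// Added example, not from the original posts. start_site_session(), the
// '_site' marker key and the cookie paths are assumptions for illustration.
declare(strict_types=1);

function start_site_session(string $site, string $cookiePath): void
{
    // A distinct cookie name per site, as the session_name() answer suggests.
    session_name($site);

    // Scope the cookie to this site's URL path so the browser does not
    // send it with requests to the other site (array form needs PHP 7.3+).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => $cookiePath,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // session_name() only renames the cookie. With a shared session.save_path
    // the stored data is still looked up by ID alone, so stamp each session
    // with its site and discard anything stamped for a different one.
    if (isset($_SESSION['_site']) && $_SESSION['_site'] !== $site) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['_site'] = $site;
}

function log_in(string $user): void
{
    session_regenerate_id(true);   // new ID at login (prevents fixation)
    $_SESSION['user'] = $user;
}

function require_login(): void
{
    if (!isset($_SESSION['user'])) {
        header('Location: index.php');
        exit;                      // stop before any protected output
    }
}

// Top of /var/www/html/site1/secure.php (site2 passes 'site2', '/site2/'):
start_site_session('site1', '/site1/');
require_login();
echo 'Secure Page';
```

Giving each site its own session.save_path in its vhost or pool configuration separates the stored data as well, which the marker check here only approximates.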