I have two different projects on my XAMPP, say Project1 and Project2.
When I log in with Project1, I check authentication and if it is successful then store the session. The session name is $_SESSION['username'].
The above process is the same with Project2.
Now, to prevent direct access, I use this code (in both projects):

    <?php
    // the session must be started before $_SESSION is readable
    session_start();
    // empty() also covers the case where the key was never set
    if (empty($_SESSION['username'])) {
        header("Location: index.php");
        exit; // stop the rest of the page from rendering after the redirect
    }
So when I log in with Project1, I can also access Project2 (without login).
To prevent this, I know that if I create a different session name for each project then it is solved.
The above is on my local server, so I can create different session names for all my projects.
But suppose my site is online; what happens if my session name matches a different site's?
There are millions of websites and there is a possibility that my session name matches another website's session name. Then it might happen that some user accesses my website and another website (in the same browser) and is able to access my site without login.
So what happens if the session name is the same for two different websites? Can a user access my website without login? If yes, then what should I do to prevent it?
Thanks in advance.
UPDATE
According to @Let me see's answer there is a possibility that if two sites are running on the same server then they may share the data.
So suppose the server is sharing; then what should I do to prevent it?
Besides session hijacking, one session is always tied to just one user.
Do I have to link the session somehow with the username on login?
If you don't store which user is using that session, is there any point in having user accounts?
@Epodax It is not!
It must be on every page you intend to use. The variables contained in the session—such as username and favorite color—are set with $_SESSION, a global variable. In this example, the session_start function is positioned after a non-printing comment but before any HTML.
Make sure session_start() is at the top of every page you wish to use sessions on. Then you can refer to session variables just like in your example. Check that the session cookie is being sent to the browser on the first hit and getting returned by the browser in subsequent requests.
Sessions are safer for storing user data because they cannot be modified by the end user and can only be set on the server side. Cookies, on the other hand, can be hijacked because they are just stored in the browser.
Sessions are (usually) stored using cookies, and cookies are domain-specific. So, it doesn't matter if google.com or evilhackerdomain.ru uses the same session name as your app; your cookies are only readable/usable by the domains you specify. Even in the unusual scenario that sessions are managed in some other way, it will be domain-specific.
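Putting the points from the answers together (start the session on every page, use a different session name per project, rely on the cookie being scoped to your own domain, and keep session data apart on a shared server), here is a small shared auth.php. This is an added example, not code from the asker or from any of the answers; the project names project1/project2, the cookie paths and the save path under /var/lib/php/ are assumptions for illustration.

```php
<?php
// Added example (not the asker's code): a per-project session guard.
// Assumes Project1 and Project2 live on the same host under /project1/
// and /project2/ (hypothetical paths).

function start_project_session(string $projectName): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }

    // A distinct session name per project gives each project its own cookie,
    // so Project1's login cookie is never sent as Project2's session id.
    session_name($projectName . '_sid');

    // On a shared server, session files for every site usually land in the
    // same save_path. A per-project directory (assumed path, must be writable
    // by PHP only) keeps another site's code from reading these files.
    ini_set('session.save_path', '/var/lib/php/sessions-' . $projectName);

    // Reject session ids the server never issued (blocks fixation attempts
    // that simply hand the browser a chosen id).
    ini_set('session.use_strict_mode', '1');

    // Scope the cookie to this project's path; HttpOnly keeps scripts from
    // reading it, Secure keeps it off plain HTTP, SameSite limits CSRF.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/' . $projectName . '/',
        'domain'   => '',      // current host only; other domains never see it
        'secure'   => true,    // false only for plain-HTTP local testing
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
}

// Include at the top of every protected page, before any HTML output.
function require_login(string $projectName, string $loginPage = 'index.php'): void
{
    start_project_session($projectName);

    // empty() avoids an undefined-index notice and treats "" as logged out.
    // The session is also tagged with the project it was created for, so a
    // session from another project (if it ever arrived) is not accepted.
    if (empty($_SESSION['username']) || ($_SESSION['project'] ?? '') !== $projectName) {
        header('Location: ' . $loginPage);
        exit; // without exit the protected content below would still render
    }
}

// Call after the username/password check has succeeded.
function login_user(string $projectName, string $username): void
{
    start_project_session($projectName);
    // Fresh session id on login so a pre-login id cannot be reused (fixation).
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['project']  = $projectName;
}

function logout_user(string $projectName): void
{
    start_project_session($projectName);
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in a protected page of Project1:
//   require 'auth.php';
//   require_login('project1');
//   echo 'Hello ' . htmlspecialchars($_SESSION['username']);
```

With this in place, logging in to Project1 sets a project1_sid cookie scoped to /project1/, so a request to /project2/ carries no usable session and is redirected to Project2's login page. A different website choosing the same session name makes no difference, because the browser only returns a cookie to the host that set it; the per-project save_path covers the separate case of two sites on one server sharing the same session storage.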