5

I am running my website (exactly the same source code, even the user login details) on two different computers, each with its own Apache. Users can access both websites via my port-forwarding setting.

For example, 10.10.10.10:81 to access website on computer A and 10.10.10.10:82 to access website on computer B.

Users have no problem accessing either one of them, until a user wants to access both of them at the same time using the same internet browser.

Logging in to the website on computer B will log him/her out from the website on computer A.

Why does this happen? Is it because the same IP address will automatically generate the same session ID? Won't different ports have different session IDs? How can I avoid this? Will manually generating the session ID do? Is there any other solution for this issue?

Thank you.

akjoshi
Wooi

3 Answers

2

Cookies are not specific to a port.

It means that if a server running on 10.10.10.10:81 sets a cookie `sessionId=123455`, the same cookie will be sent to a server running on 10.10.10.10:80. This leads to the scenario you described:

  • A user goes to server 10.10.10.10:81.
  • The 10.10.10.10:81 server establishes a session for that user and sets the cookie.
  • The user logs in to the server and can now use the session to browse around.
  • The user then goes to 10.10.10.10:80 and the browser sends the session cookie set by 10.10.10.10:81.
  • Because 10.10.10.10:80 knows nothing about the session on 10.10.10.10:81, it establishes a new session and sets a new session cookie, overwriting the old one.
  • The new session cookie is only valid on 10.10.10.10:80, and thus the user is logged out on 10.10.10.10:81.

Solutions

  • (Preferred) Configure different names for the session cookies, OR
  • Configure the server to pass the port parameter when setting the session cookie header. This will make the cookie specific to the domain+port combination. Avoid this solution if possible, because not all browsers deal with this parameter correctly.
Community
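The overwrite sequence in the answer above, and the effect of the preferred fix, as an added Python model (not code from the post, PHP or Yii). The `Browser` and `Site` classes and the cookie names `SITEA_SESSID` / `SITEB_SESSID` are assumptions for illustration; the jar keys cookies by host and name only, which is how RFC 6265 stores them.

```python
import secrets
from urllib.parse import urlsplit

class Site:
    """One application instance with its own private session store."""
    def __init__(self, cookie_name):
        self.cookie_name = cookie_name
        self.sessions = {}                      # session id -> logged-in flag

    def handle(self, cookies, login=False):
        sid = cookies.get(self.cookie_name)
        set_cookies = {}
        if sid not in self.sessions:            # missing or foreign id: new session
            sid = secrets.token_hex(16)
            self.sessions[sid] = False
            set_cookies[self.cookie_name] = sid
        if login:
            self.sessions[sid] = True
        return self.sessions[sid], set_cookies

class Browser:
    """Simplified cookie jar keyed by (host, name); the port is not part of the key."""
    def __init__(self):
        self.jar = {}

    def get(self, site, url, login=False):
        host = urlsplit(url).hostname           # ":81" / ":82" is dropped here
        sent = {n: v for (h, n), v in self.jar.items() if h == host}
        logged_in, set_cookies = site.handle(sent, login)
        for name, value in set_cookies.items():
            self.jar[(host, name)] = value      # same host + name: overwrite
        return logged_in

def still_logged_in_on_a(name_a, name_b):
    """Log in on A (:81), then on B (:82), then revisit A with the same browser."""
    site_a, site_b = Site(name_a), Site(name_b)
    url_a, url_b = "http://10.10.10.10:81/", "http://10.10.10.10:82/"
    browser = Browser()
    browser.get(site_a, url_a, login=True)
    browser.get(site_b, url_b, login=True)
    return browser.get(site_a, url_a)

if __name__ == "__main__":
    # Same default cookie name on both sites: B's cookie replaces A's.
    print("shared name:  ", still_logged_in_on_a("PHPSESSID", "PHPSESSID"))
    # Constructed distinct names: both cookies coexist in the jar.
    print("distinct names:", still_logged_in_on_a("SITEA_SESSID", "SITEB_SESSID"))
```
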
0

You've not given a lot of information, but if sessions are being maintained using cookies, and the same domain name is being used to obtain access to both sites, then the cookies will apply to requests to both sites.

When the user switches from site A to site B (using the same browser instance), the session cookie will be sent, but won't match an existing session ID - so a new session ID will be generated by site B and set as "the" session cookie.

Two general approaches to solving this - either use two different domain names for the two sites, or distinguish the session cookies in some other manner. You might be able to do this by configuring a different name to use for the session cookies in site A and site B. The specifics of doing this depend on the technology being used to create sites A and B - which you haven't told us about.

Damien_The_Unbeliever
  • What other info do you need? I am using Yii (PHP); I didn't set any session or cookies manually. I am using an IP address instead of a domain name. I think using a different IP/domain could avoid this, but I was given only one IP address. Thank you. – Wooi Nov 16 '12 at 09:14
  • @AlyshaSantana - I've not used Yii myself, but [`sessionName`](http://www.yiiframework.com/doc/api/1.1/CHttpSession) looks like a likely candidate for what you'd need to set. – Damien_The_Unbeliever Nov 16 '12 at 09:17
  • Sorry, I am not Alysha Santana; I don't know why I had this as my display name when I registered. You mean I have to manually set my session? Is there any other solution, besides manually setting the session? Thank you. – Wooi Nov 16 '12 at 09:22
  • @Wooi - as I said, I've not used Yii myself, so I'm not going to pretend to be an expert. I found the above link by searching on `Yii session cookie name` - you may have better luck and more knowledge following other links. – Damien_The_Unbeliever Nov 16 '12 at 09:26
  • I think it has nothing to do with Yii, because my other website, which uses Java, has a similar issue too. – Wooi Nov 16 '12 at 09:59
0

This is an example that solves it:

127.0.0.1:110

```php
<?php
session_start();
$_SESSION['ss'] = 'll';
echo '<pre>';
var_dump($_SESSION);
```

Output:

```
array(1) {
  ["ss"]=>
  string(2) "ll"
}
```

127.0.0.1:111

```php
<?php
session_start();
echo '<pre>';
var_dump($_SESSION);
```

Output:

```
array(1) {
  ["ss"]=>
  string(2) "ll"
}
```

After changing the session's save path:

127.0.0.1:110

```php
<?php
session_save_path('/tmp/sess'); // This line must be written before session_start()
session_start();
$_SESSION['ss'] = 'll';
echo '<pre>';
var_dump($_SESSION);
```

Output:

```
array(1) {
  ["ss"]=>
  string(2) "ll"
}
```

127.0.0.1:111

```php
<?php
session_start();
echo '<pre>';
var_dump($_SESSION);
```

Output:

```
array(0) {
}
```

127.0.0.1:111

```php
<?php
session_save_path('/tmp/sess');

session_start();
$_SESSION['ss'] = 'll';
echo '<pre>';
var_dump($_SESSION);
```

Output:

```
array(1) {
  ["ss"]=>
  string(2) "ll"
}
```
Ruide Yen