14

I run foo.com. I have two different applications that live in foo.com: one is foo.com/bar, and the other is foo.com/example. I use sessions to track information about the user while they're logged in, but if the user goes from foo.com/bar to foo.com/example, foo.com/example sees the session the user started from foo.com/bar and uses that information. My question is, how can I have two different sessions going for each directory at the same time?

Matthew

6 Answers

47

You should call session_name before calling session_start. This sets the name of the cookie used to identify the session (by default this is PHPSESSID).

Use a different name for each application. You shouldn't have to mess with the variables inside the session.

Craig
6

I think it's very important to highlight the potential security implications associated with the solutions provided so far. I have been a web application penetration tester for about 5 years and have developed numerous vulnerable security applications in this time to assist with training of juniors starting out in IT security.

I have just been testing the solutions provided and have noted that none of them prevent access to a session belonging to the neighbouring app. Using different session identifier names with session_name() doesn't prevent users from using the value of these identifiers. PHP doesn't have a segregated storage for each session identifier name. I had two apps using different session names and setting a cookie path for the browser. The following respective Set-Cookie directives were included in HTTP responses:

Set-Cookie: TESTONE=<value one>; path=/testone/

Set-Cookie: TESTTWO=<value two>; path=/testtwo/

If both apps had entirely separate users and someone only had access to the /testtwo/ app, they may be able to access info on the /testone/ app depending on the way in which session parameters were being handled. An example code segment below shows a potential data breach assuming that both apps use a $_SESSION["authenticated"] parameter after successful authentication.

<?php
    // Vulnerable as written: PHP looks the session up by its ID alone, so a valid
    // ID minted by the neighbouring /testtwo/ app is accepted here as well.
    session_name("TESTONE");
    ini_set("session.cookie_path", "/testone/");
    session_start();
    if ($_SESSION["authenticated"] == "yes")
        echo $topsecretinfo;   // whatever /testone/ is protecting
?>

To access this $topsecretinfo one would only need to authenticate on the /testtwo/ application, take the value of their TESTTWO session identifier and use it as the value of the TESTONE session identifier when sending requests to the /testone/ application. PHP's session lookup process does not recognise the name of the session identifier except for parsing the corresponding value. i.e. a session identifier value of "agcy648dja6syd8f93" will return the same session object regardless of the name used to refer to it.

SomeGuy
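A hardened version of the /testone/ snippet from the answer above, added here as an example (it is not the answer's own code). It assumes the app is served under /testone/ and can write to a directory of its own, `/var/lib/php/sessions-testone` (a constructed path); the app tag `testone` and the helper names are likewise assumptions.

```php
<?php
// 1. Give each app its own session store. A session ID issued by /testtwo/ then
//    resolves to nothing in this store, so the cross-app replay never finds a record.
ini_set('session.save_path', '/var/lib/php/sessions-testone'); // constructed path
ini_set('session.cookie_path', '/testone/');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1'); // drop IDs this server never generated
session_name('TESTONE');
session_start();

// 2. Defence in depth: tag every session with the app that created it and refuse
//    a session that carries another app's tag (or none), even if it is "authenticated".
const APP_ID = 'testone';                       // assumed tag for this app

function session_belongs_to_app(array $session, string $app): bool
{
    return isset($session['app'], $session['authenticated'])
        && hash_equals($app, (string) $session['app'])
        && $session['authenticated'] === 'yes';
}

// Call right after a successful /testone/ login (constructed helper).
function mark_authenticated(): void
{
    session_regenerate_id(true);                // fresh ID, old record deleted
    $_SESSION['app'] = APP_ID;
    $_SESSION['authenticated'] = 'yes';
}

$topsecretinfo = 'placeholder secret';          // stands in for the protected data

if (!session_belongs_to_app($_SESSION, APP_ID)) {
    // A /testtwo/ session replayed under the TESTONE cookie name stops here.
    http_response_code(403);
    exit('Not authenticated for this application');
}
echo $topsecretinfo;
```

The separate `session.save_path` is what actually segregates the stores; the `app` tag only catches the case where the two apps still share one store.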
2

You may be able to use session_set_cookie_params to set the domain and folder for the session to be saved under. IE:

// Used on foo.com/example
session_set_cookie_params(86400, '/example');

// Used on foo.com/bar
session_set_cookie_params(86400, '/bar');
Steven Surowiec
  • This doesn't appear to work; I've tried it before (and just now again) without success. It might have to do with my global php.ini settings. – Matthew Aug 28 '09 at 18:24
  • You need to add trailing backslash to path. Without it it will certainly not work. – Anti Veeranna Aug 28 '09 at 18:32
  • If you have access to the php.ini you could try setting the 'session.cookie_path ' parameter directly as that's what this function is supposed to override. You could also use ini_set() if you don't have access to the php.ini file. – Steven Surowiec Aug 28 '09 at 18:33
  • According to [comments on php.net](https://www.php.net/manual/en/function.session-name.php#89090), "you MUST use `session_name()` first if you want to use `session_set_cookie_params()`... Otherwise it won't work, won't give any error, and nothing in the documentation (that I've seen, anyway) will explain why." I have not verified this. – showdev Nov 15 '19 at 01:01
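The cookie-path setup for foo.com/example in the order the comments above describe, added here as an example rather than code from the answer or from foo.com. It assumes the app is served under /example/, PHP 7.3 or later (for the array form of `session_set_cookie_params()`), and HTTPS; the function and cookie names are assumptions.

```php
<?php
// Start a session whose cookie is scoped to one directory of foo.com.
function start_scoped_session(string $name, string $path): array
{
    // 1. Name first, as the comment above recommends, so the cookie parameters
    //    apply to the session that is actually started.
    session_name($name);

    // 2. Path with a trailing slash ("/example/", not "/example"), which the
    //    comments above report is required for the cookie to work.
    session_set_cookie_params([
        'lifetime' => 86400,
        'path'     => $path,
        'secure'   => true,    // assumes HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    // Return what PHP will emit in Set-Cookie so the setup can be checked.
    return session_get_cookie_params();
}

$params = start_scoped_session('EXAMPLESESS', '/example/');
// $params['path'] is "/example/" here; a missing slash or a wrong call order
// shows up in this array before it shows up as a cookie that is never sent.
```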
1

You could also use the same session but change the variable names that you look for.

Edit: Sorry this doesn't answer your question but gives an alternative solution.

user103219
0

I realize this is old, but thought it might help someone. This example shows how we are setting a separate session for our admin area.

if ( $_SERVER['REQUEST_URI'] == '/admin/' ):
    $session_name = 'session1';
else:
    $session_name = 'session2';
endif;
session_start( $session_name );
  • It doesn't seem that [`session_start()`](https://www.php.net/manual/en/function.session-start.php) accepts a name in that format. It expects the [options parameter](https://www.php.net/manual/en/function.session-start.php#refsect1-function.session-start-parameters) to be an "associative array of options that will override the currently set [session configuration directives](https://www.php.net/manual/en/session.configuration.php)". – showdev Nov 15 '19 at 00:38
  • Correct for PHP 7.x. This is an old post - it worked for whatever version of PHP we were using in 2012. – Trevor Lettman May 11 '20 at 20:48
0

Another solution is to effectively create a namespace within your session by pre-pending all session values from foo.com/bar with "bar_" and foo.com/example with "example_".

The way you can keep this from being tedious is to abstract this functionality into a function or class method. For example:

// Pick the namespace from the request path: "/bar/..." gets "bar_",
// everything else (here, "/example/...") gets "example_". Any other
// method of telling the two apps apart works just as well.
function session_prefix() {
  return strncmp($_SERVER['REQUEST_URI'], '/bar', 4) === 0 ? 'bar_' : 'example_';
}

function set_session_value($key, $value) {
  $_SESSION[session_prefix() . $key] = $value;
}

function get_session_value($key) {
  return isset($_SESSION[session_prefix() . $key]) ? $_SESSION[session_prefix() . $key] : null;
}

Then get your values with a matching function.

The main advantage of this is that you don't have to think about what variable names you're using in /example while programming in /bar. The other is that if you decide to change how you are storing session values, you can easily change everything in one place.