0

I have a problem. I've created a web app where the person logs in and many $_SESSION[...] variables are set. The point I found weird is that if I log in at http://demo.site.com/ and I log in at http://webapp2.site.com, I get the session data mixed up between the two web apps...

This is the code in checkentry.php (which checks that the person is logged in before sending them to the main page):

<?php
session_start();
    if(isset($_SESSION['autenticated']) && $_SESSION['autenticated'] == TRUE && isset($_COOKIE["login"]) && $_COOKIE["login"] == $_SESSION['ssnid']){
        if (!isset($_SERVER['HTTPS']) ){
            //header('Location: https://'.$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"].'');
        }   
        return true;
    }else{
        require_once("config.php");
        $logout_connect = mysql_connect($db_host, $db_user, $db_pass);
        if (!$logout_connect){
            die('Impossibile connettersi: ' . mysql_error());
        }else{
            mysql_select_db($db_name, $logout_connect);
            mysql_query("DELETE FROM sessions WHERE ssnid = '".$_SESSION['ssnid']."' AND userid = '".$_SESSION['userid']."'");
            setcookie("login", "", time()-3600);
        }
        session_destroy();
        header("location: login.php?requested");
        exit; // stop here so the page that included this file does not keep running
    }
?>

So the problem is that if I'm logged in to both web apps (and the same domain has many web apps in different folders), I get the $_SESSION data mixed.

[EDIT] When I log out from app1.site.com I get logged out from app2.site.com too...

What did I do wrong and how to fix it?

Tku

Mr.Web
  • http://php.net/manual/en/function.session-save-path.php – zerkms Apr 07 '13 at 11:35
  • would you please explain it in more detail? what do you mean by mix up? – Nickool Apr 07 '13 at 11:36
  • 1
    This question has some good insights on this problem: http://stackoverflow.com/questions/1064243/php-sessions-across-sub-domains – aurbano Apr 07 '13 at 11:39
  • @nikparsa: Let's say that in checklogin.php the password and user are correct; then many $_SESSION[...] variables are set (like: $_SESSION['name'] = "App One"), and when logging in to App2 the name is "App One" because they get mixed up... – Mr.Web Apr 07 '13 at 12:09

1 Answer

1

You can use a prefix for all session variables and change the prefix in each web application.

APP1

$pre = "app1";
if(isset($_SESSION[$pre.'autenticated']) && $_SESSION[$pre.'autenticated'] == TRUE) {}

APP2

$pre = "app2";
if(isset($_SESSION[$pre.'autenticated']) && $_SESSION[$pre.'autenticated'] == TRUE) {}

$pre can be defined in config.php.

Ashkan Arefi
  • Bravissimo! That's a good one. Tks, I'll try it and let you know. What about session_destroy()? Because if I log out from one I get logged out from the other one too, as the session gets destroyed... P.S.: Do you think this can cause a security issue? – Mr.Web Apr 07 '13 at 12:39
  • You can use session_unregister($pre.'var1'); session_unregister($pre.'var2'); , ... to logout from each app. – Ashkan Arefi Apr 07 '13 at 13:05
  • OK, as I have MANY Session variables is there a way to do them all @ once? (perhaps session_unregister($pre.'*'); ???? ) – Mr.Web Apr 07 '13 at 13:14
  • Use this: foreach($_SESSION as $key => $value) if(substr($key,0,strlen($pre))==$pre) session_unregister($key); – Ashkan Arefi Apr 08 '13 at 08:24
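
Added example, not part of the original question, answer or comments: one way to keep the apps' sessions apart is to give each app its own session cookie name, cookie scope and storage, so that logging out of one app leaves the other untouched. APP_ID, APP_PATH, the SESS_ cookie name and the temp-directory storage location are assumptions for illustration; the code assumes PHP 7.3 or later and HTTPS.

```php
<?php
// Added example. APP_ID and APP_PATH are hypothetical per-app settings
// (e.g. defined in each app's config.php). Requires PHP >= 7.3.
const APP_ID   = 'app1';
const APP_PATH = '/';        // use '/app1/' when apps share a host in folders

function app_session_start(): void
{
    // Own cookie name: the browser holds a separate session ID per app.
    session_name('SESS_' . strtoupper(APP_ID));
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => APP_PATH,
        'domain'   => '',     // host-only, never sent to sibling subdomains
        'secure'   => true,   // assumes the apps are served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Own storage: a session ID issued by one app does not resolve in another.
    $dir = sys_get_temp_dir() . '/sess_' . APP_ID;   // constructed location
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    session_save_path($dir);
    session_start();
}

function app_logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    unset($p['lifetime']);    // setcookie() expects 'expires', not 'lifetime'
    setcookie(session_name(), '', ['expires' => time() - 3600] + $p);
    session_destroy();        // removes only this app's session data
}

// Prefix approach from the answer: drop only this app's keys from a shared
// session. unset() replaces session_unregister(), which was removed in PHP 5.4.
function app_clear_prefixed(string $pre): void
{
    foreach (array_keys($_SESSION) as $key) {
        if (strpos($key, $pre) === 0) {
            unset($_SESSION[$key]);
        }
    }
}
```

With only key prefixes and a shared session, every app can still read and overwrite the other apps' keys, and a session ID accepted by one app is accepted by all of them; separate cookie names and storage remove that coupling.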