Sessions apply in more than one website

Question

I have made 2 websites that use a log in system and everything works fine on both of them. The user can log in and log out of both. I am using xampp and have both websites open in Chrome in two tabs. On both websites I have the email address of the user displayed when the user logs in. The problem is when I log into website A al the switch to website B and refresh the page I am logged in on that website as well with the email address that I logged in with on website A. This address that is display also displays when there is no account associated with the apposite website. My question is how do restricted the session to the single website.

This is the login action

 <?php
 include 'db.inc';
 session_start();
 $UserEmail =$_POST["EmailAddress"];
 $UserPassword =$_POST["Password"];
 $query = "SELECT * FROM members WHERE EmailAddress = '$UserEmail' 
         AND  password = '$UserPassword' "; 

$connection = mysql_connect($hostname, $username, $password) or die ("Unable to  connect!"); 
mysql_select_db($databaseName) or die ("Unable to select database!"); 
$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); 
// see if any rows were returned 
if (mysql_num_rows($result) > 0) { 
    $_SESSION["authenticatedUser"] = $UserEmail;
      // Relocate to the logged-in page
     header("Location: Index.php");
  } 
  else 
   {

    $_SESSION["message"] = "Could not log in as $UserEmail " ;
     header("Location: Login.php");
    }    
 mysql_free_result($result); 
 mysql_close($connection); 

 ?>

And this is when the user is logged in.

<?php
session_start();
if (!isset($_SESSION["authenticatedUser"]))
{
  $_SESSION["message"] = "Please Login";
   header("Location: Login.php");
}
else
 { ?>

This is where the user email address is displayed

<div class="Login">
<ul>
<?php if(isset($_SESSION['authenticatedUser']) && $_SESSION['authenticatedUser'] != null ) {?>
<li><a href="ProfilePage.php">Welcome <?php echo $_SESSION["authenticatedUser"] ?></a>    </li>
   <li><a href="logout.php"><span>Log Out</span></a></li>
<?php } else {?>
 <li><a href="login.php"><span>Log In</span></a></li>
 <?php } ?>

Hope this is all relevant!

I guess they are both running on the same machine under the same URL? Could you give more specifics about the setup? — pintxo, May 10 '14 at 14:08
yes they are both on the same machine and I'm using xampp and accessing them both through localhost. — Kie21, May 10 '14 at 14:10
Website A is http://localhost/WebsiteA/HTML/Index.php Website B is http://localhost/WebsiteB/HTML/Index.php — Kie21, May 10 '14 at 14:20
**Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. — Quentin, May 10 '14 at 14:27

score 1 · Answer 1 · answered May 10 '14 at 14:23

1

I would recommend you read this manual page:

http://de2.php.net/manual/en/session.examples.basic.php

and this wiki page:

http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path

and the source of your problem should be clear.

answered May 10 '14 at 14:23

pintxo

2,085
14
27

score 0 · Accepted Answer · answered May 10 '14 at 14:25

A session is usually handled on the browser side by a cookie. A cookie has a domain: the site and path to which the cookie applies. Look at the cookies that are set in your browser; your site's session cookie likely has a domain that applies to both of your web sites.

You'll need to make sure that the path on each site's session cookie is specific enough that the other site won't pick it up.

Sessions apply in more than one website

2 Answers2