
I've just started using PHP and have run into a rather odd issue with using sessions and Google Chrome.

I start a session and set some variables when a user first logs in, and then access the session variables at different points across my web-app, which is working as expected. The problem is that if someone else visits the web-app from a different computer (on the same network), they are treated as being logged in as the first user.

What's weirder is that this only seems to occur when using Chrome. If I sign in using Firefox or IE, then navigate to the app on a separate computer (using any browser), the problem doesn't occur.

Clearing cookies in Chrome seems to work, but I would like to know why this is happening to prevent security problems in the future.

Gnarlywhale
  • This other stack post seems like it might be related, but I don't see how it would impact browsers on separate computers. [link](http://stackoverflow.com/questions/10617954/chrome-doesnt-delete-session-cookies) – Gnarlywhale Jul 27 '15 at 20:25
  • Only way that could happen is if the SAME session ID is issued more than once. So... check `session_id()` everywhere... – Marc B Jul 27 '15 at 20:25
  • I went through all the places where the session is accessed and only set `session_id()` once... in the user logout. I think it was left there from when I first wrote the logout, following an example. I've gotten rid of it and also set `session_regenerate_id(true);` on the user login. Think that must've been it. – Gnarlywhale Jul 27 '15 at 20:55
  • Generally speaking, you should never call `session_id()` in write mode yourself. Not unless you have a valid reason for overriding the random number generator that PHP uses itself to generate those ids. If you do `session_id('foo')`, then EVERYONE is going to be sharing the same session. – Marc B Jul 27 '15 at 20:58
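
The pattern discussed in the comments above, next to a login and logout that leave id generation to PHP. This is an added example, not code from the question or its commenters; the function names are hypothetical, the `'foo'` id is taken from the comment, and PHP 7.3+ is assumed for the array-form cookie options.

```php
<?php
// BEFORE: session_id() called with an argument ("write mode") forces the id.
// Every browser that reaches this code is handed the same session cookie,
// so all of them read and write one shared $_SESSION.
function logout_shared_id(): void
{
    session_id('foo');   // fixed id: identical for every visitor
    session_start();
    $_SESSION = [];
}

// AFTER: PHP generates the ids; session_id() is only ever read, never set.
function start_session(): void
{
    // Reject ids the server did not issue (e.g. a leftover 'foo' cookie).
    ini_set('session.use_strict_mode', '1');
    session_start([
        'cookie_httponly' => true,
        'cookie_samesite' => 'Lax',
    ]);
}

function login(string $username): void
{
    start_session();
    // New id at the privilege change; true deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

function logout(): void
{
    start_session();
    $_SESSION = [];
    // Expire the browser's session cookie with the same scope it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
    session_destroy();   // remove the server-side session data
}
```

Browsers that already hold the fixed-id cookie keep sending it until it is cleared or rejected, which is why strict mode is enabled before `session_start()`.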
