-1

Suppose I have a login page located at https://www.example.com/a/login.php. After a successful login, the user is redirected to https://www.example.com/a/admin.php. I have another login page located at https://www.example.com/b/login.php, and after a successful login the user is redirected to https://www.example.com/b/admin.php. Now suppose that, in a browser, a user successfully logs in at https://www.example.com/a/login.php and is redirected to the admin.php page. If another user tries to access the page https://www.example.com/b/admin.php directly, without going through the login page, in another tab of the same browser, then he easily bypasses the login and reaches the admin.php page. My sample code is:

login.php

    <?php
    session_start();
    // if user successful login ($users_id comes from the credential check)
    $_SESSION['user_id'] = $users_id;
    // we redirect user to member page
    if (isset($_SESSION['user_id'])) {
        header("Location: admin.php");
    } else {
        header("Location: login.php");
    }
    exit; // stop after sending the redirect
    ?>

admin.php

    <?php
    session_start();
    if (!isset($_SESSION['user_id'])) {
        header("Location: login.php");
        exit; // stop here so the page below is not sent along with the redirect
    }

    echo "welcome user : {$_SESSION['user_id']}";
    ?>

Is there any way so that if the second user tries to access https://www.example.com/b/admin.php in another tab of the same browser, he will be redirected to https://www.example.com/b/login.php?

  • 2
    Same browser, same server, same session. You might want to make a difference between both login, such as `$_SESSION['a']['user_id']` and `$_SESSION['b']['user_id']` – Cid Jan 25 '19 at 08:03
  • What about something along the lines of `$_SESSION['user_logged_in_on_a']` and `$_SESSION['user_logged_in_on_b']`? Or `$_SESSION['a']['user_id']` and `$_SESSION['b']['user_id']` as Cid suggested, which is a far better solution. Of course both will only work if the full request links are actually different (and they are). [This](https://stackoverflow.com/questions/6768793/get-the-full-url-in-php) may help in getting the full request URL in PHP. – Eugene Anisiutkin Jan 25 '19 at 08:09

1 Answer

-1

Try setting another `$_SESSION` variable, like this:

    <?php
    session_start();
    // if user successful login ($users_id comes from the credential check)
    $_SESSION['user_id'] = $users_id;
    $_SESSION['url'] = "a"; // a if https://www.example.com/a/login.php, b if https://www.example.com/b/login.php
    // we redirect user to member page
    if (isset($_SESSION['user_id'])) {
        header("Location: admin.php");
    } else {
        header("Location: login.php");
    }
    exit; // stop after sending the redirect
    ?>

And at your https://www.example.com/a/admin.php, you should set it like this:

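    <?php
    session_start();
    if (!isset($_SESSION['user_id'])) {
        header("Location: login.php");
        exit; // stop here so the page below is not sent along with the redirect
    } elseif (!isset($_SESSION['url'])) {
        header("Location: login.php");
        exit;
    } elseif ($_SESSION['url'] != "a") {
        // logged in, but through the other login page
        header("Location: login.php");
        exit;
    }

    echo "welcome user : {$_SESSION['user_id']}";
    ?>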

And then at your https://www.example.com/b/admin.php, you should set it like this:

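    <?php
    session_start();
    if (!isset($_SESSION['user_id'])) {
        header("Location: login.php");
        exit; // stop here so the page below is not sent along with the redirect
    } elseif (!isset($_SESSION['url'])) {
        header("Location: login.php");
        exit;
    } elseif ($_SESSION['url'] != "b") {
        // logged in, but through the other login page
        header("Location: login.php");
        exit;
    }

    echo "welcome user : {$_SESSION['user_id']}";
    ?>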

Hope this helps you!

Aaron Jonk
  • I won't do that, this means the user will have to re-log every time he switches from one tab to another. – Cid Jan 25 '19 at 08:11
  • Agreed with you. Is there any other way? @Cid – user10903858 Jan 25 '19 at 08:16
  • Check my first comment in the question. `$_SESSION['a']['user_id']` and `$_SESSION['b']['user_id']` (I didn't downvote this answer) – Cid Jan 25 '19 at 08:31
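
The per-area session keys suggested in the comments (`$_SESSION['a']['user_id']` and `$_SESSION['b']['user_id']`), written out as a shared helper. This is an added example, not code from the question or the answer; the file name `area_auth.php`, the function names and the integer user ID are assumptions.

```php
<?php
// area_auth.php: hypothetical shared helper (added example), included by /a/*.php and /b/*.php.
declare(strict_types=1);

const AREAS = ['a', 'b']; // allowlist: the page's /a/ and /b/ login areas

function open_area_session(string $area): void
{
    if (!in_array($area, AREAS, true)) {
        throw new InvalidArgumentException("unknown area: $area");
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call only after the credential check for $area has succeeded.
// Assumes user IDs are integers.
function login_area(string $area, int $userId): void
{
    open_area_session($area);
    session_regenerate_id(true);           // fresh session ID at login
    $_SESSION[$area]['user_id'] = $userId; // the other area's entry is untouched
}

// Returns the user ID logged in to $area, or null if nobody is.
function area_user(string $area): ?int
{
    open_area_session($area);
    return isset($_SESSION[$area]['user_id']) ? (int) $_SESSION[$area]['user_id'] : null;
}

// Guard for protected pages: send visitors without a login for $area to its login page.
function require_area_login(string $area): int
{
    $userId = area_user($area);
    if ($userId === null) {
        header("Location: /$area/login.php");
        exit; // stop here, otherwise the protected page still renders
    }
    return $userId;
}

// Log out of one area only; a login in the other area stays valid.
function logout_area(string $area): void
{
    open_area_session($area);
    unset($_SESSION[$area]);
}
```

In `/b/admin.php`, call `$userId = require_area_login('b');` before any output; a session that only holds `$_SESSION['a']['user_id']` is then redirected to `/b/login.php`, while the login for `/a/` stays intact in the other tab.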