
My objective: I set two cookies over two different paths containing session IDs.

These two paths are not common, so cookies are not shared: /baharshop/admin/ and /baharshop/public/. In requests from /baharshop/admin/ only one session is created, but in requests from /baharshop/public/ sessions keep being created and I can't get hold of the previous session. Also, if I write session_start in /baharshop/public/ and only run requests from /baharshop/admin/, again new sessions are created for /baharshop/public/ without even running any requests from /baharshop/public/.

now my project directory design is like this

  1. /baharshop/ -- root directory
  2. /baharshop/admin/
  3. /baharshop/public/

upon loading any requests from /baharshop/admin/ I first include file config_admin.php to start one session only

config_admin.php

session_set_cookie_params((7 * (24*3600)), "/baharshop/admin/");
session_start();

Then of course I include the file in all /baharshop/admin/ applications

<?php require_once "../config/config_admin.php";?>
<?php
echo "<pre>";
print_r($_COOKIE);
echo "</pre>";
?>

and it works just fine

problem is upon only adding these lines in config_public.php

config_public.php 
session_set_cookie_params( ((6*31) * (24*3600)), "/baharshop/public/");
session_start();

Then for every request from "/baharshop/public/" new sessions keep being created again and again

<?php require_once "../config/config_public.php";?>

<?php

function get_content(): void{
    echo "<pre>";
    print_r($_COOKIE);
    echo "</pre>";
}

soLo
  • _"I create a file on server save it in cookie"_ - uhm, where? I do not see you explicitly setting an individual cookie containing that kind of information anywhere in what you have shown us so far. All I see you do, is mess with the _session_ cookie settings. – CBroe Jul 11 '23 at 08:02
  • @CBroe in config/config_admin.php ``` session_set_cookie_params(DAYS_TO_KEEP_SESSION_FILE_ADMIN_SESS_ID_IN_BROWSER_COOKIE, SESSION_SET_COOKIE_PARAMS_ADMIN_PATH); session_start();``` shouldn't these two lines create session and store session in cookie? check out github file – soLo Jul 11 '23 at 08:06
  • _"check out github file"_ - no, check out [ask] and [mre] - whatever information is necessary for us to be able to reproduce your problem, belongs directly into your question. – CBroe Jul 11 '23 at 08:10
  • _"shouldn't these two lines create session and store session in cookie?"_ - they should set session cookie parameters, and then start the session, yes. But what does that have to do with what you said you are doing - storing a file name into a cookie? (You are aware that the session _data_ is not actually stored _in_ the cookie, right?) – CBroe Jul 11 '23 at 08:11
  • @CBroe sorry for the misinformation. I edited question and added all the code needed. "storing a file name into a cookie?" "You are aware that the session data is not actually stored in the cookie, right?)" I wanted to say only session file name is stored in cookie under PHPSESSID KEY. I mean when a session is started a file is created on server. The name of the file is stored in cookie not the data. – soLo Jul 11 '23 at 08:21
  • _"and added all the code needed"_ - or, probably, much more than that. Sorry, but you are not supposed to just dump _everything_ here - but reduce it to the relevant parts. And a proper explanation of what you are even trying to _achieve_ here in the first place, would also not go amiss. – CBroe Jul 11 '23 at 08:26
  • @CBroe I appreciate your answers. I just moved relevant parts to end of the section. let me know if you need more information. and really thank you – soLo Jul 11 '23 at 08:43
  • Still not sure what exactly you are even trying to achieve here in the first place. Can't tell right now, whether the session would be the best place to store the info you need. What if your admin users explicitly log out of their session? Then you can set the cookie lifetime to seven days all you want ... – CBroe Jul 11 '23 at 08:52
  • @CBroe Let's say I simply want a cookie for admin folder, and another cookie for public folder, now these cookies must contain sessionid. Now public cookie value keeps changing which means new session is created each time so I can't keep customer logged in. And I store admin name and customer name in session – soLo Jul 11 '23 at 08:58
  • Let's stop using the terms "cookie" and "session" as if they were one and the same thing, first of all. If you want a separate session for your admin area - then you should (also) specify a different session _name_ for that, that is probably the easiest way to avoid cookie _path_ trouble. – CBroe Jul 11 '23 at 09:04
  • @CBroe thanks for your creative answer. How should I do that? I read something about session_regenerate_id but couldn't get it to work – soLo Jul 11 '23 at 09:07
  • ID != name. session_regenerate_id is for cases in which you want to keep all the data in your current session, and only want to generate a new session ID at some point (for security or other reasons.) https://www.php.net/manual/en/function.session-name.php – CBroe Jul 11 '23 at 09:13

1 Answer


The basics of a session in PHP:

session_name

  • The name of the session (not to be confused with the session_id !!!). It normally is PHPSESSID, but you can change it to something like SOMENAME if you want.
  • If you use sessions, all users of your site will have a cookie with this name, but all the cookies will have a different value, namely the...

session_id

  • A random id generated by PHP, for example: abcde12345
  • A session file with the same name (sess_abcde12345) is created in the session storage folder on the server.
  • As the PHP script ends, the session_id is forgotten, but the session file still exists.
  • To know the name of the session file to use for a particular user, there is the...

session_cookie

  • a cookie in the browser, where the session_id is stored (only the id, no other data!).
  • the session_name is the NAME of the cookie.
  • the session_id is the VALUE of the cookie.
  • It is sent to the server with every request and can be read by PHP so it can use the correct session file.

session_file

  • The file stored on the server by PHP, containing the data.
  • It can be accessed (after calling session_start()) by using $_SESSION[ somekey].
  • If the browser is closed, the session_cookie is deleted and the connection between user and the session file on the server is forever lost, unless you change the lifetime of the cookie. But I won't recommend that. It's called a session so use it for the period the user has your site open. Important data should be stored in a database or different folder and file, as the session file can be deleted.

Now to your question: why use TWO different sessions for admin and user? ONE would do, as the session data is basically an array and can contain anything, and the session is - if you don't change settings - valid for the entire domain.

If the user logs in set $_SESSION['user_id']=userID. Every subsequent call to the server to request a user page or user data you can check if(!empty($_SESSION['user_id'])). If this is true the user is logged in.

The same goes for the admin pages. If the admin logs in, set $_SESSION['admin_id']=adminID and check in subsequent admin pages. (Instead of adminID you can also use the userID, as long as you use different array keys to check for: user_id for user pages and admin_id for admin pages.)

This can all be done by the same session, even in different tabs in your browser.

You can even differentiate between users with no admin rights and users with admin rights when they login as normal user. Simply set something like $_SESSION['IsAlsoAdmin']=true. In that case, the user can go from user pages directly to admin pages, without having to login again (and vice versa).

All that said, if you really, really want to use two different sessions, you have to change the path of the session cookie by using session_set_cookie_params. There, in the path part of the command, you have to differentiate to make the session cookie only valid for the admin part of your domain. But read this question and answer about the pitfalls of that approach.

Michel
  • I managed to solve the problem using your solution, which is using only one session for root and all subdirectories. The answer you attached was also very helpful, but it was also for the case of the root cookie being shared with subdirectories. In my case they are two different paths. I saved one cookie in ```/baharshop/admin/``` and the other in ```/baharshop/public/``` so although the cookies' names are the same (PHPSESSID), they are not shared. So the question still remains: why does the PHP engine keep creating new sessions when accessing the /baharshop/public/ directory and subdirectories? – soLo Jul 12 '23 at 14:41
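
The separate-session-name approach from the comments, combined with the per-path cookie from the answer, as an added example (not code from the question, the answer or the comments). The helper names and the session names `BAHARSHOPADMIN` / `BAHARSHOPPUBLIC` are hypothetical; it assumes PHP 7.3+ for the array form of `session_set_cookie_params` and that the helper runs before any output is sent.

```php
<?php
declare(strict_types=1);

// RFC 6265 section 5.1.4 path-match: the browser only sends a cookie when the
// request path equals the cookie path or lies below it (case-sensitive).
function cookie_path_matches(string $cookiePath, string $requestPath): bool
{
    if ($requestPath === $cookiePath) {
        return true;
    }
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false;
    }
    return substr($cookiePath, -1) === '/'
        || $requestPath[strlen($cookiePath)] === '/';
}

// Hypothetical helper: called once per area from its config file.
function start_area_session(string $name, string $path, int $lifetime): void
{
    $requestPath = (string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    if (!cookie_path_matches($path, $requestPath)) {
        // The browser would never return this cookie for this URL, so each
        // request would start a fresh session. Fail loudly instead.
        throw new RuntimeException("Session path $path does not cover $requestPath");
    }
    ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue
    session_name($name);                      // distinct cookie name per area
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => $path,
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,                   // keep the ID away from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// config_admin.php:  start_area_session('BAHARSHOPADMIN', '/baharshop/admin/', 7 * 24 * 3600);
// config_public.php: start_area_session('BAHARSHOPPUBLIC', '/baharshop/public/', 6 * 31 * 24 * 3600);

// After a successful login, issue a new ID so a pre-login ID cannot be reused.
function mark_logged_in(string $key, int $id): void
{
    session_regenerate_id(true);
    $_SESSION[$key] = $id;
}
```

The path check makes a mismatch between the configured cookie path and the URL actually requested visible at once, instead of showing up as a new session ID on every request.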