I have a very, very complicated problem that only affects some people at my work, so bear with me. The problem is that logging in to and out of our web app (PHP website that uses sessions and cookies) doesn't work for some people.
We use Edge or Chrome at my company, and the problem affects both browsers. The problem only affects SOME people though, but it doesn't matter if they are logged in to a virtual desktop or a fat client. Therefore, I am assuming the problem has something to do with their computer settings (because both Edge and Chrome are affected). If said persons log in using their account on someone else's computer/desktop, everything works just fine, so it's definitely not on my web app's end. Also, when I try to log in on a desktop of one of the affected people, it also happens to me, again proving that this is something related to either browser settings (something that affects both Edge and Chrome?) or computer settings.
The problem is actually pretty freaky, because when an affected person opens up their browser on a fresh Windows session and fresh browser session, said user will immediately be logged in to my web app. The Dev Tools reveal that there is a PHPSESSID that is the same as before the person in question closed all browser tabs or even restarted their PC. Even when said person logs out of the web app (session_destroy(), unset($_SESSION), unset($_COOKIE), etc. etc. etc.), when they open a new tab or a new browser window (even when they close and re-open the browser entirely), their old session is back AGAIN and they are once more logged in.
The second part of the problem is less freaky, but also annoying. When these affected users log in (or are still logged in when opening a new browser), they will be returned to the login screen when they click any link within the web app. E.g. when they click a link to a different page, such as example.com/profile or example.com/schedule, they are redirected to the login page, and the PHPSESSID is renewed and the cookies no longer exist. However, when they once more open a new tab, the old PHPSESSID and cookies are back again, and they see a logged-in screen again.
Furthermore, if they don't CLICK to navigate to a different page, but if they enter the address manually (e.g. /schedule), they REMAIN logged in. So there is a difference between clicking a link and navigating to another subpage manually, which I also cannot explain.
Thus, it is possible to have two different PHPSESSIDs for the same webpage in two different browser tabs. As a matter of fact, if the affected people log in again after they have been logged out, from then on the webapp behaves completely normally, and also NEW tabs aren't affected any longer. However, when closing the browser and reopening it, the cycle begins anew. The only thing that completely resets the situation and prevents the user being logged in again when opening a new browser window, is to manually delete all cookies via the Dev Tools.
I am absolutely baffled by this problem. It seems as if the browsers are somehow keeping a cached cookie/session somewhere for my domain/webapp, which is only loaded when a new browser window or tab is opened. This session is invalidated when the user clicks any link within the app, but not when they navigate by changing the address manually or refreshing the page, which seems super strange to me. Once this session/cookie is removed (for example by logging in for a 2nd time), the open tab will from then on behave normally.
Again: this problem only affects a small group of users in our company, and it only happens on their desktop/Windows account, so it has nothing to do with their account on my web application (because everything works fine if they log in to the app on e.g. my desktop). Sharing the code on the web app's side thus doesn't seem relevant for the problem, but I can provide it if you have an idea as to why it may still be important. All I can say is I have a pretty normal webapp that sets a session when someone logs in (optionally with some "remember me" cookies) and unsets the session and the cookies again when they log out.
I am pretty much desperate at this point, so any ideas are more than welcome.
I will try to make a video recording of this process once I get access to one of the affected people's desktops and add that to this question, because I am fully aware that the text above is very long and probably very confusing.
Thanks a lot!
Edit: this is NOT related to Chrome's "Continue where you left off." or similar settings in Edge (if they even have that in Edge?). As a matter of fact, this setting is enforced by our company to load our Intranet's page when opening a browser, so no, this is not a duplicate. Neither is Chrome continuing to run in the background when you close the browser window.