Asked  7 Months ago    Answers:  5   Viewed   22 times

I am to build a PHP application for a website that already has another PHP application running on the same domain/server. My app will of course be using sessions, and I don't want my sessions to interfere with the existing app. For example if I want to use $_SESSION['username'], maybe the other app also uses $_SESSION['username'], which could be a problem. I'm not looking for an extra layer of security, I trust the application I'm sharing the host with. I just want to avoid bugs.

One way would be to do something like $_SESSION['MY_APP_NAME']['username'], but I want to know if there is an easier way.

I see on the PHP documentation that there is a function called 'session_module_name'. The name sounds good, but the docs don't really explain what it is for.

Any advice?

 Answers

72

There is an easier way: session_name.

Prior to calling session_start(); call session_name("something"); (where you change something to whatever you want it to be called).

Wednesday, March 31, 2021
 
NaeiKinDus
answered 7 Months ago
24

The behavior you describe opposes the concept of a browser session. Why would a user want more than one session? Is it a matter of user access controls needing to be enforced? If so, assign users to logical groups and grant permissions to specific groups. Do users need to perform some action on behalf of other users? If so, design the website around that concept instead of trying to create multiple sessions for a single user.

If you really have to do this, you could do something horrible like pass along a query parameter (very insecure!) between pages to act as a session ID, bypassing the actual $_SESSION altogether and managing your own concept of a session. Again, this is not normal and will only lead to headaches/security issues in the future.

Wednesday, March 31, 2021
 
Kwadz
answered 7 Months ago
15

the php-memcached extension supports session locking

http://us3.php.net/memcached

http://us1.php.net/manual/en/memcached.sessions.php

the memcache and memcached extensions look syntactically similar so it may not be too much of a headache to give it a try. (memcached has a stable version 2.1.0 released 2012-08-07).


if you are set on using memcache 2.2.7 you will most likely have to implement the lock yourself by setting some "session_is_locked" variable in your session and then releasing/unsetting it when the script is done writing to the session. Then you'd always need to check if that variable is set before continuing with any scripts which write to the session.

Wednesday, March 31, 2021
 
penpen
answered 7 Months ago
95

You need to reset the $_SESSION value for timeout ($_SESSION['timeLogin']) when you execute redirection, otherwise when the client is back from redirect the value in session is the same and will be again redirected.

You could solve it with:

if(!isset($_SESSION['clientmacs']) ) {
    $_SESSION['clientmacs'] = ""; // add this line if not added somewhere else
    header('Location: index.php');
}

and

if(time() - $_SESSION['timeLogin'] > 1800) {
    $_SESSION['timeLogin'] = time(); // add this line
    header('Location: include/logout.php');
}

Maybe (depending on your logic) is better clear the entire session, and let it be reconfigured through the normal flow (session_destroy()) when you perform redirect.

Saturday, May 29, 2021
 
zIs
answered 5 Months ago
zIs
87

session_destroy() destroys the active session. If you do not initialized the session, there will be nothing to be destroyed.

Thursday, July 29, 2021
 
jab
answered 3 Months ago
jab
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :