
I have a website with a login. The script has been working for months now, but since a week ago we have noticed that when we open the website it's already logged in as someone else.

Sometimes users can't log out either.

This issue has become very common now. It's happening all the time. Sometimes users aren't able to log in. When they do, they sometimes end up in the account of the previously logged-in user.

We used PHP sessions to implement the login.

//Login

//Step 1 Facebook Login
//Step 2 Check db or add to db
//Step 3 below

session_start(); // must run before $_SESSION is written to, and before any output
$_SESSION['logouturl'] = $logouturl;
$_SESSION['loggedin'] = true;
$_SESSION['user_data'] = $user_data;
header("Location: $url");
exit; // stop here so nothing after the redirect header keeps running

Here is the logout script:

//logout
session_start();
$_SESSION = array(); // clear the in-memory copy as well as the stored record
session_destroy();
if(isset($_GET['redirect']) && !empty($_GET['redirect']))
{
    $url=$_GET["redirect"]; // note: the redirect target is taken as-is, without validation
}
else {
    $url="http://www.website.com/";
}
header("Location: $url");
exit;

I figured out that this is some issue with the internal workings of PHP sessions.

UPDATE: Thank you to everyone who helped!

No, we did not find a solution to the problem. The customer was using reseller hosting. Maybe it has something to do with the configuration, where one site affects the other.

We set up new hosting and installed the same script there. Everything is fine and life's good!

click_twice
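As an added example (not the asker's code), here is a login and logout pair that covers the two points the comment thread keeps circling: the session must be started before `$_SESSION` is written, and the application should never inherit whatever session ID the browser happens to send. `$user_data`, `$logouturl` and `$url` are assumed to come from the same Facebook callback as in the question; PHP 7.3 or later is assumed for the array form of `setcookie()` and `session_set_cookie_params()`.

```php
<?php
// Added example, not code from the question. Assumes the Facebook step has
// already succeeded and $user_data holds the verified profile.
declare(strict_types=1);

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Reject client-supplied IDs that have no server-side record, so a stale
    // or guessed cookie can never attach itself to an existing session.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => isset($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(array $user_data, string $logouturl, string $url): void
{
    secure_session_start();
    // Fresh ID on privilege change: the session the browser carried in
    // (possibly somebody else's) is discarded, not inherited.
    session_regenerate_id(true);
    $_SESSION['logouturl'] = $logouturl;
    $_SESSION['loggedin']  = true;
    $_SESSION['user_data'] = $user_data;
    header('Location: ' . $url);
    exit;
}

function logout_user(string $default_url): void
{
    secure_session_start();
    $_SESSION = [];
    // session_destroy() removes the server-side record only; expire the
    // cookie too, otherwise the browser keeps presenting the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
    // Only honour the redirect parameter when it is a local path, so the
    // logout endpoint cannot bounce users to an arbitrary site.
    $target = $_GET['redirect'] ?? '';
    if ($target === '' || !preg_match('#^/(?![/\\\\])#', $target)) {
        $target = $default_url;
    }
    header('Location: ' . $target);
    exit;
}
```

`session_regenerate_id(true)` at login and the strict-mode setting stop the application from ever continuing a session it did not create itself. They do not repair a save path the server cannot write to or garbage-collect, which is what the hosting move in the update ultimately worked around.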
  • Put your basic login and logout script here. – Jees K Denny Apr 09 '18 at 07:30
  • Do you use the PHP standard session ID generator and session storage, or do you override them with your own implementation? – skyboyer Apr 09 '18 at 07:32
  • _“I figured out this is some issue with the internal working of php sessions”_ - did you now …? How, explain? What debugging steps have you undertaken, and with what results? Seeing the comment `//After facebook login part` my guess would rather be that _that_ might be going wrong, especially with all the changes Facebook has made recently ... – CBroe Apr 09 '18 at 07:33
  • @JeesKDenny Added log out – click_twice Apr 09 '18 at 07:38
  • @skyboyer I just used the default implementation – click_twice Apr 09 '18 at 07:38
  • @CBroe Yeah, even when I open the site in incognito mode I find someone's already logged in. From that I can conclude that it's not the Facebook login changes. The site has traffic. This is very rare and I've never seen something like this before. I really doubt whether there is some setting in PHP which will make sessions global or private, or something closely related to that – click_twice Apr 09 '18 at 07:42
  • Did you start the session before setting the session variables in login? And check that all the session variables are set with `print_r($_SESSION);` in the login script.. :) – Jees K Denny Apr 09 '18 at 07:42
  • @JeesKDenny I'll try that. Btw Jees, your name was striking. I'm not sure I should say this here or not, but we're from the same town – click_twice Apr 09 '18 at 07:44
  • Take a look at http://shiflett.org/blog/2011/php-session-debugging; there is a set of advice on how to debug things with sessions. I believe the root cause is not related to your code, but with debugging you should figure out what exactly is broken (and fix it, or override it with your own version that works) – skyboyer Apr 09 '18 at 07:47
  • It's nice to hear, @click_twice. There is no issue with PHP's internal working. – Jees K Denny Apr 09 '18 at 07:49
  • `$_SESSION['loggedin'] = true;` - well you are logging everyone in here unconditionally, so ... (Of course I am joking here - but so must you, if you show such a code snippet and pretend it was an actual proper explanation of how your script works.) – CBroe Apr 09 '18 at 07:49
  • @CBroe Not joking.. that's a part of the real code. `$_SESSION['user_data']` contains enough data to be conditional, and `$_SESSION['loggedin'] = true;` comes only after the Facebook login has been successful and the person has been added to the db – click_twice Apr 09 '18 at 08:00
  • So how would that code handle a _not_ successful Facebook login then? – CBroe Apr 09 '18 at 08:04
  • If this helps: this is a script used on multiple websites. It was made by me. I'm not entirely sure how this guy's server differs. – click_twice Apr 09 '18 at 08:06
  • @CBroe If the login isn't successful then the script would've stopped in the previous lines using `exit;`. But that isn't the problem. The login part is a callback PHP file, only called as a redirect from Facebook after login. This website works only with Facebook login. I said that the site appears to be logged in even in incognito, without any need to press the login button – click_twice Apr 09 '18 at 08:09
  • What if your files with session data cannot be deleted due to access restrictions? This could explain why the issue occurs with higher frequency: the longer it goes on, the more generated IDs match already existing files! Take a look here: https://stackoverflow.com/questions/654310/cleanup-php-session-files – skyboyer Apr 09 '18 at 11:06
  • @skyboyer lemme try that – click_twice Apr 09 '18 at 11:30
  • So how is it going? – skyboyer Apr 10 '18 at 21:36
  • @skyboyer Updated the question – click_twice Apr 18 '18 at 14:30
  • @skyboyer Someone told me that `session.lazy_write` is off and that is causing the problem. Any idea about this? And how can I change it? – click_twice Apr 28 '18 at 10:21
  • `lazy_write` means that if there were no changes in the session data then nothing will be written (and the `last-access` timestamp of the session file is not updated either). It's about I/O and performance, not about "reuse an existing session file without cleaning it out". This setting can be changed by editing the php.ini configuration file (but I don't see how it could help in your case) – skyboyer Apr 28 '18 at 10:35
  • @skyboyer Well, that's what the hosting guys said. They said that's the difference between the 2 packages. It's reseller hosting running 2 websites with the same script. One works fine, the other does not – click_twice Apr 28 '18 at 10:38
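The thread ends with guesses about session-file cleanup and `session.lazy_write` without anyone actually comparing the two hosting accounts. The following added diagnostic (not from the question, the answers or the hosting provider) reads the ini settings the comments argue about, checks whether the session directory is writable, and counts session files older than `session.gc_maxlifetime`, which should be rare when garbage collection is working. It assumes the default `files` save handler; with a custom handler the file checks do not apply.

```php
<?php
// Added diagnostic, not part of the original question. Run it once on each
// hosting account and diff the output.
declare(strict_types=1);

function session_diagnostics(): array
{
    $report = [];
    foreach ([
        'session.save_handler',
        'session.save_path',
        'session.use_strict_mode',
        'session.use_only_cookies',
        'session.lazy_write',
        'session.gc_probability',
        'session.gc_divisor',
        'session.gc_maxlifetime',
        'session.auto_start',
    ] as $key) {
        $report[$key] = ini_get($key);
    }

    // save_path may be "/path", "N;/path" or "N;mode;/path"; the directory is
    // always the last part. An empty value means PHP falls back to the system
    // temp directory, which on shared hosting may be common to several accounts.
    $parts = explode(';', (string) $report['session.save_path']);
    $dir   = end($parts) ?: sys_get_temp_dir();
    $report['resolved_dir']        = $dir;
    $report['dir_is_system_temp']  = ($dir === sys_get_temp_dir());
    $report['dir_writable']        = is_dir($dir) && is_writable($dir);

    // Count stored sessions, and how many are past gc_maxlifetime. A growing
    // pile of stale files means GC is not running or cannot delete them.
    $total  = 0;
    $stale  = 0;
    $cutoff = time() - (int) $report['session.gc_maxlifetime'];
    if ($report['session.save_handler'] === 'files' && is_dir($dir)) {
        foreach (glob($dir . '/sess_*') ?: [] as $file) {
            $total++;
            if (filemtime($file) < $cutoff) {
                $stale++;
            }
        }
    }
    $report['session_files'] = $total;
    $report['stale_files']   = $stale;

    return $report;
}

foreach (session_diagnostics() as $key => $value) {
    printf("%-26s %s\n", $key, var_export($value, true));
}
```

A non-writable directory, `gc_probability` set to 0 with no external cleanup, or `auto_start` differing between the two accounts would each show up as a difference in this output, which is more useful than the provider's `lazy_write` explanation that skyboyer already questioned.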

2 Answers


The best way is to generate a token when a user logs in to the system, and store it in localStorage. Take a look at this link: https://www.sitepoint.com/php-authorization-jwt-json-web-tokens/

Klodian


You should use `session_start();` at login and `session_destroy();` during logout.

Gray