How to ensure that a SESSION expires if the user accesses a copy of the application that is in another directory


I have a PHP application where I use sessions for login control. The application is in meusite.com/minhaapp (I will call it App1). It turns out that for testing I created an instance of my application in another directory:

meusite.com/otherDir/minhaapp (I will call it App2)

After I made this modification, I noticed that once a login has been made and a SESSION stored, if the user accesses App1 and then changes the URL to access App2, the same SESSION remains active, causing my login control to fail.

Would anyone have a hint on how to handle this? Would I have to check some server environment variable like HTTP_REFERER?

  • It would be much better to separate the local "hosts" to make life easier. Also because this kind of "organization" in folders usually does not organize much if, in the final hosting, the application sits at the root of the site (people usually use relative paths where they should be absolute precisely because of the folders). The two most obvious solutions for testing are "hosting" on different ports, or better yet, creating test URLs in the system's "hosts" file pointing to 127.0.0.1 (e.g.: app1.Runo and app2.).

2 answers



Instead of changing the logic of the system, a simple solution is to change the name of the session cookie according to the folder, before session_start().

In doing so, you get fully independent but simultaneous sessions:

<?php
// start of the test block
$independentes = array( 'app1', 'app2' );

// PATH_INFO is not set by every SAPI; fall back to REQUEST_URI (see the PS below)
$caminho   = explode( '/', $_SERVER['PATH_INFO'] ?? $_SERVER['REQUEST_URI'] ?? '/' );
$appnumber = array_search( $caminho[1], $independentes );   // false when the folder is not listed
session_name( 'PHPSID_'.( $appnumber === false ? 0 : $appnumber + 1 ) );
// end of the test block

session_start();

Basically we take the second item of the path split on the slashes (the first is empty, because PATH_INFO begins with /), locate its position in an array with the names of the folders, and add that position to the name of the session cookie, so that each situation has a fully independent session.

PS: If you are not using CGI or Apache, change PATH_INFO to REQUEST_URI.

In that case, it pays to create an include with the lines of the test block and require_once() it on your session pages. By doing this, you can test as many different folders as you want with independent sessions simultaneously. Simply put the root folder name of each application in place of app1 and app2 in the array.

Example:

application 0 at   http://127.0.0.1/...
application 1 at   http://127.0.0.1/teste_a/...
application 2 at   http://127.0.0.1/teste_b/...
application 3 at   http://127.0.0.1/teste_c/...

Setup:

$independentes = array( 'teste_a', 'teste_b', 'teste_c' );

Anything outside teste_a, teste_b and teste_c, or in paths that are not in the list, will be treated as part of the default application (0).

Reusing on several pages:

To apply the solution on multiple pages, you can save this file as session_start.php, for example:

<?php
$independentes = array( 'app1', 'app2' );

// PATH_INFO is not set by every SAPI; fall back to REQUEST_URI
$caminho   = explode( '/', $_SERVER['PATH_INFO'] ?? $_SERVER['REQUEST_URI'] ?? '/' );
$appnumber = array_search( $caminho[1], $independentes );   // false when the folder is not listed
session_name( 'PHPSID_'.( $appnumber === false ? 0 : $appnumber + 1 ) );

session_start();

And simply use require_once() in place of the original session_start():

<?php
require_once( 'session_start.php' );

// ... rest of your code ... //
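A variation on the same idea, as an added example that is not the answer's own code: besides naming the cookie per application, it also restricts the cookie's path to the application's directory, so the browser never sends App2's cookie to App1 at all, and it derives the directory from SCRIPT_NAME (set on every request, no query string) instead of PATH_INFO. The list of application roots is an assumption.

```php
<?php
// Added example (not the answer's code). Assumes these document-root-relative
// application directories; anything else is treated as the default app at "/".
const APP_ROOTS = ['/minhaapp', '/otherDir/minhaapp'];

/** Longest app root that owns $scriptName, matched on a "/" boundary, or "/" */
function appRootFor(string $scriptName, array $roots = APP_ROOTS): string
{
    $melhor = '/';
    foreach ($roots as $root) {
        $prefixo = rtrim($root, '/') . '/';           // "/minhaapp/" must not match "/minhaapp2/x"
        if (strncmp($scriptName . '/', $prefixo, strlen($prefixo)) === 0
            && strlen($root) > strlen($melhor)) {
            $melhor = $root;
        }
    }
    return $melhor;
}

/** Start a session whose cookie is both named for and scoped to the current app */
function appSessionStart(): string
{
    $root = appRootFor($_SERVER['SCRIPT_NAME'] ?? '/');
    // distinct cookie name per app (derived from the root, no index bookkeeping)
    $nome = 'PHPSID_' . ($root === '/' ? 'root' : substr(md5($root), 0, 8));
    session_name($nome);
    session_set_cookie_params([
        'path'     => $root === '/' ? '/' : $root . '/', // not sent to sibling directories
        'httponly' => true,                              // not readable by page scripts
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
    return $nome;
}

// In each page, instead of session_start():
//   appSessionStart();
```

A request to /minhaapp/login.php gets a cookie with path /minhaapp/, which the browser will not attach to /otherDir/minhaapp/, so the second copy starts with no session regardless of the cookie name.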


About HTTP_REFERER:

HTTP_REFERER is extremely vulnerable in this case. Since it can be edited and erased easily on the client side, don't trust it; you can use HTTP_REFERER as a complement, but not on its own.

Note: If the user copies the link and opens a new page, the Referer will no longer exist; as a further complement, there are plugins that delete the Referer for privacy reasons.

Fixing the problem:

Assuming there are:

meusite.com/App1/index.php
meusite.com/App2/index.php
meusite.com/OutroDir/App3/index.php

The easiest way would be to check whether the session has access to the desired App.

For example:

// Restricts access to App1:
$acesso = array('App1');
$_SESSION['acesso'] = $acesso;

// Restricts access to App1 and App2:
$acesso = array('App1', 'App2');
$_SESSION['acesso'] = $acesso;

The first case determines that the user will have access only to App1; in the second case the user would have access to App1 and also to App2.

That way, your apps (App1, App2 and App3) would have to verify whether or not the user is authorized.

You can use something like this:

function VerificarSessao($FSession, $FApp){
   // true when the current app's folder is in the session's access list
   return in_array($FApp, $FSession);
}

Then call it like so:

$Autorizado = VerificarSessao( $_SESSION['acesso'] , basename(__DIR__) );

if($Autorizado){
  echo 'Você pode acessar!';
}else{
  echo 'Você não pode acessar!';
}

This way you check whether the directory (in this case /App1, /App2, /App3) is authorized in your session.

Note: I prefer to create the function requiring both parameters to be passed so the operation is clearer, so it is extremely simple, but you could put a header('location: /erro.php'); exit; inside the function instead of returning true/false, for example. Anyway.
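The same allow-list check, as an added example that is not the answer's own code, written to fail closed: a missing or malformed $_SESSION['acesso'] denies instead of raising a TypeError in in_array(), the comparison is strict, the session id is regenerated when the list is granted, and the app is identified by its full document-root-relative path, since basename(__DIR__) alone cannot tell /App1 from /OutroDir/App1. The application paths and directory layout are assumptions.

```php
<?php
// Added example (not the answer's code). Assumes the app directories live
// under $_SERVER['DOCUMENT_ROOT'] and that session_start() has already run.
declare(strict_types=1);

/** Record which applications this login may use; call right after a successful login. */
function concederAcesso(array $apps): void
{
    session_regenerate_id(true);                 // fresh id, so a pre-login id is not promoted
    $_SESSION['acesso'] = array_values(array_unique($apps));
}

/** True only if the session explicitly lists $app; a missing or malformed list denies. */
function verificarSessao(?array $sessao, string $app): bool
{
    $lista = $sessao['acesso'] ?? null;
    if (!is_array($lista)) {
        return false;                            // no allow-list: deny rather than crash
    }
    return in_array($app, $lista, true);         // strict: no loose-comparison surprises
}

/** App directory relative to the document root, e.g. "/OutroDir/App3". */
function caminhoDoApp(string $dir, string $docRoot): string
{
    $dirReal  = realpath($dir) ?: $dir;
    $rootReal = realpath($docRoot) ?: $docRoot;
    $rel      = substr($dirReal, strlen($rootReal));
    return '/' . trim(str_replace('\\', '/', $rel), '/');
}

/** Gate for every page of an application: stops the request when not authorized. */
function exigirAcesso(string $dir): void
{
    $app = caminhoDoApp($dir, $_SERVER['DOCUMENT_ROOT'] ?? '/');
    if (!verificarSessao($_SESSION ?? null, $app)) {
        http_response_code(403);
        exit('Você não pode acessar!');
    }
}

// At login:             concederAcesso(['/App1', '/App2']);
// In each page of an app, after session_start():   exigirAcesso(__DIR__);
```

With this layout a login granted ['/App1', '/App2'] passes in App1 and App2 and is refused in /OutroDir/App3, and a request that reaches a page before any login is refused as well because the list is absent.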
