Forum Moderators: coopster


User A goes to User B's account at log-in

Both users on the same computer

         

weeks

7:21 pm on Sep 30, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



User A and User B both love our PHP web site. They share a computer. User A signs in, does his thing, then User B comes along, enters her user name and password and finds herself in User A's account. Signs off, signs back in and it's correct.

No, it's not from browser auto-fill. (I don't think.) No, it doesn't do it every time.

Anyone had a bug like this?

grallis

10:15 pm on Sep 30, 2008 (gmt 0)

10+ Year Member



Did you write the login script or did someone else?

weeks

1:02 am on Oct 1, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Ah, not me. And not even the coders we have working on it now. It was from the prototype we built, which worked fine (we thought) until we found this bug after we went into production. The login script? Hmmm. I figured it was the cookies. Any idea what's wrong here?

grallis

1:40 am on Oct 1, 2008 (gmt 0)

10+ Year Member



Quickly I can think of two things off the top of my head -

Either for some strange reason the login script may be written so that if it finds values in the $_SESSION array, it does not write the new values to it.

A possible solution would be to call the logout script that you use at the very start of the user login validation - this would clear any current sessions, and allow a brand new fresh session to start, though I recommend getting someone to write a new login script if possible.

weeks

1:34 pm on Oct 1, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I recommend getting someone to write a new login script if possible.

I think that's wise, because it appears to be connected to when the cookies are written at sign up. We haven't tested this yet, but we suspect that this happens only when a new user joins. The signup script doesn't write new values as early as it should.

This was very helpful. Thanks grallis!

weeks

9:08 pm on Oct 1, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



More details for the mystery.

Same as above, but also we have this:

Situation 2: With another account on the same computer, another user signs up. They come to the home page after signing in, and their name does not appear as it should on their account home page. When they refresh or do about anything else, they are sent to the outside home page and shown the "wrong password" error message. When our new user signs in again, however, the names are where they should be on the user's home page and all works as it should.

Anyone can play.

TheAlbinoEthiopian

11:31 pm on Oct 1, 2008 (gmt 0)

10+ Year Member



If the log-in script stores the session with the IP address rather than storing a cookie it would do this, but I don't know why anyone would write it like that.

grallis

1:17 am on Oct 2, 2008 (gmt 0)

10+ Year Member



I highly suggest getting the login portion of your site redone. It very well may be possible to rewrite just that portion with few edits to other areas of your site.

weeks

12:15 pm on Oct 2, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yeah, reading what this guy Weeks wrote, it's pretty clear that grallis is right. Time to open up the hood and pull out the wrenches.

grallis

10:36 pm on Oct 2, 2008 (gmt 0)

10+ Year Member



Good luck with the session handling :)

Anyango

5:58 am on Oct 3, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't think writing a new script is needed; simply put session_destroy() in your login page before starting the session to store the user's session information.

session_start();
session_destroy();
session_start();

See, if you don't find the bug itself and fix it, then you might encounter it again someday and still not be sure what to do. So I would fix this one first and then think about another one if needed.
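An added example, not part of the original thread and not the site's own code: it reproduces the failure mode grallis suggests (a login that skips writing to the session when values are already there) next to a login that clears the previous user's state and issues a new session ID. The function names and the 'user_id' key are hypothetical, and the shared-browser session is a constructed array so the demo runs from the command line.

```php
<?php
declare(strict_types=1);

// The suspected bug: values left by the previous user on the same browser
// win, because the new identity is written only when the key is empty.
function login_buggy(array &$session, int $userId): void
{
    if (empty($session['user_id'])) {
        $session['user_id'] = $userId;
    }
}

// Hardened version: discard everything the previous user left behind,
// then write the identity that was just authenticated.
function login_fixed(array &$session, int $userId): void
{
    $session = [];
    $session['user_id'] = $userId;
}

// How the hardened version would sit in a real login page, called only
// after the password check has succeeded (not invoked in this demo).
function handle_login(int $authenticatedUserId): void
{
    session_start();
    login_fixed($_SESSION, $authenticatedUserId);
    // New session ID; true deletes the old session's stored data, so the
    // cookie User A's visit left in the browser no longer maps to anything.
    session_regenerate_id(true);
}

// Constructed scenario: User A (id 1) never logged out, User B (id 2)
// signs in on the same browser and therefore the same session.
$shared = ['user_id' => 1, 'display_name' => 'User A'];
login_buggy($shared, 2);
echo 'buggy login leaves user_id = ', $shared['user_id'], PHP_EOL;

$shared = ['user_id' => 1, 'display_name' => 'User A'];
login_fixed($shared, 2);
echo 'fixed login leaves user_id = ', $shared['user_id'], PHP_EOL;
echo 'leftover display_name present: ',
    isset($shared['display_name']) ? 'yes' : 'no', PHP_EOL;
```

The same clearing step belongs in the signup script if signup also logs the new user in, since the thread reports the problem there as well.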

weeks

1:23 pm on Oct 3, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



OK, Anyango, I'll check that out as a possible simple fix. I'll report back next week with what we did.