How to create unique session per logged in user

Forum Moderators: coopster

Message Too Old, No Replies

How to create unique session per logged in user

dbarasuk

2:56 pm on Apr 8, 2011 (gmt 0)

Hi all,

I have a script creating a session variable of type $_SESSION['user'] = $row['username'] where $row['username'] is the username of a user who logs successfully in the system.

However, if another user logs in the system successfully in a subsequent phase, $_SESSION['user'] takes a new value corresponding to the newly logged in user. This is causing me problems because i am inserting the username(which is unique in the user table) to identify which user is inserting data in comments table. Because my application is on a network and the session is managed on the server, a user can insert someone's else username when he is sending data in the comments table because $_SESSION['user'] always takes on the last value of a logged in user. Please, WHo can tell me what to do in order to assign a different session variable to every user? This would help me to identify which user inserted which comment.

Thank you in advance for your help

eelixduppy

3:01 pm on Apr 8, 2011 (gmt 0)

$_SESSION['user']

should not be taking the last value. Sessions are created and destroyed by the web browser on the server. As long as two different browsers on two separate computers log in to your service then the

$_SESSION['user']

variable should hold their respective usernames.

Of course, this is all assuming that you are properly initializing the session variable to begin with. You have to make sure that

$row['username']

is the correct username you are authenticating.

dbarasuk

3:41 pm on Apr 8, 2011 (gmt 0)

If i get you well this is what you mean:
if user1 logs in on computer A with username "hello",
$_SESSION['user']=="hello" and in the database table username is going to be "hello"(assuming his username is being sent). If user2 on computer B logs in with username "world" $_SESSION['user'] == "world". So if user1 on computer A sends his data on the database he is sending "hello"(his personnal username) instead of "world"? Is this what you mean?

Thanks again.

eelixduppy

5:24 pm on Apr 12, 2011 (gmt 0)

The web server keeps track of which user is who with the sessions. Unless your website is specially a target of session hijacking attacks these session variables will be unique to each user that visits your website, assuming you are programming everything logically correct.