question about php login sessions across multiple browser instances.

One way would be to create a different session key for each login. An example, you're currently just checking if it's set.

if ($_SESSION and isset($_SESSION['Login'])) {

Instead of just checking if it's set, you'd need to look for different keys.

$login_levels = array('member','manager','administrator');

$_SESSION['member'] = $userid;

or

$_SESSION['manager'] = $userid;

or

$_SESSION['administrator'] = $userid;

How you'd "limit" each logged in instance is another puzzle entirely. All three session values will be available to each instance in the same browser because they are tied to the same session ID by the same PHPSESSID cookie, how do you separate them?

The only method that comes to mind is to locate something actually in the page or links for each browsing instance that tracks this.

<input type="hidden" name="level_index" value="0"> <!-- 0 for member, 1 for manager, 2 for administrator -->

view-members.php?level_index=0

This would require more validation checks to avoid being hacked, for example, on every page view you'd have to check that the user has permissions for that "level."

Nothing else comes to mind at the moment (except using different browsers. :-) )

While i haven't fully absorbed your response yet, the ability to log into different accounts using multiple browser instances from a single workstation would be used by a single person logging into say two or three different member accounts in order to view and access those member's data without having to log off one account and log into another through out the day. The idea is not to necessarily log into different user account levels such as manager or admin.

1. Does your concept of creating a different session key for each login make any difference in this case?

2. Am i correct in that it seems that what i'm asking for is not typical?

OK then, instead of the different keys you'd store the user id or some other handle in the page. You'd probably have to create new keys though so they don't overwrite each other.

$_SESSION['Login'] = 123456; // first userid
$_SESSION['Login2'] = 123457; // second userid


<input type="hidden" name="this_user" value="123456">
or
<input type="hidden" name="this_user" value="123457">

Yeah it doesn't seem like I've seen this much.

another instance of the same browser

The first fallacy is that the browser creates another instance, it doesn't. It's just one browser instance with multiple windows which is what makes what you want to do a real pain because it's the same cookie tracking the same session no matter how many windows you have open.

You would have to create a login key which would be unique per tab or window to do what you want. This key would have to be included on all links and forms on all pages displayed for that login. The odds of the browser getting it mixed up because of caching and other issues isn't trivial. To get down to implementation basics, we're talking about tracking an array of logins in a single session, not impossible but not clever IMO as it creates a big potential security risk.


It's just easier to use multiple browsers. Then it's no extra work as each browser has a completely unique login per browser.