First let me explain the main, the sessions are global, if they are on the same server and domain then they can be accessed by different applications.
However, you can limit the folders that can access the session cookie by setting session_set_cookie_params
, something like:
setcookie(time() + 3600, '/sistema_a/'); //Somente acessivel na pasta sistema_a
session_start();
But of course this control is only in the cookie, it is still possible to get the values changing if you use the same session_id
.
Some details:
-
session_name
will only get the currently called session
- You can not read two sessions at the same time, you can even do some maneuvers in the code but it will not work as well or as practically.
-
session_regenerate_id
does not guarantee general security, but a place that can really be useful is against session hijacking, which has nothing to do with your problem
How does the session work?
When you use session_start
, a cookie will have a random code that will refer to a file in the /tmp
(or c:\caminho\para\o\php\temp
or c:\window\temp
in Windows Server) folder, that is, the data are in the back end, there's no way someone else steals them unless you as a developer have done something very wrong, an explanation of data exposure in the backend:
But talking about your applications again, if you are the creator of both or at least understand the structure of both sessions, what you can do is check if you are not already logged in and try to import the data by passing them to the desired format, for example:
-
System A, has session_name
called SYSTEM_A
and session format:
array(
'sys_a' => array(
'idUser' => '<id do usuario>',
'name' => '<nome do usuario>',
'update' => <ultima requisição HTTP atualiza esta chave>
)
)
-
System B, has session_name
called SISTEM_B
and session format:
array(
'sys_b' => array(
'id' => '<id do usuario>',
'user' => '<nome do usuario>',
'lastactive' => <ultima requisição HTTP atualiza esta chave>
)
)
They are similar, but they are not the same, so assuming you are logged in to system A and will open the system B , you could create a file and top of all called sync_from_sis_a.php
, like this:
<?php
require_once 'sync_from_sis_a.php';
The contents of sync_from_sis_a.php
would be:
<?php
session_name('SYSTEM_A');
session_start();
//Verifica se NÃO esta logado no B e se ESTA logado no A
if (empty($_SESSION['sys_b']['id']) && isset($_SESSION['sys_a']['idUser'])) {
$id = $_SESSION['sys_a']['idUser'];
$nome = $_SESSION['sys_a']['name'];
session_write_close(); //Finaliza o handle
session_name('SYSTEM_B'); //Agora no sistema B
session_start();
//Copia os dados da sessão anterior para a sessão do sistema B
$_SESSION['sys_b']['id'] = $id;
$_SESSION['sys_b']['user'] = $nome;
$_SESSION['sys_b']['lastactive'] = time();
}
If you are not logged in to system A then you will open system B normally by requesting a login.
The same should be done in system A, check if it is already logged in, so if you do not check if this is logged in B, then create a file named sync_from_sis_b.php
and include in the top of all system A , the file should look like this:
<?php
session_name('SYSTEM_B');
session_start();
//Verifica se NÃO esta logado no A e se ESTA logado no B
if (empty($_SESSION['sys_a']['idUser']) && isset($_SESSION['sys_b']['id'])) {
$id = $_SESSION['sys_b']['id'];
$nome = $_SESSION['sys_b']['user'];
session_write_close(); //Finaliza o handle
session_name('SYSTEM_A'); //Agora no sistema A
session_start();
//Copia os dados da sessão anterior para a sessão do sistema B
$_SESSION['sys_a']['idUser'] = $id;
$_SESSION['sys_a']['name'] = $nome;
$_SESSION['sys_b']['update'] = time();
}
Note: All this explained above is hypothetical, there is no way to know how your systems work, it may use encrypted session or it has a complex structure, there is no magic way to synchronize 2 systems different, even if you did not do it, the only solution is you understand both systems or that they provide APIs to facilitate this type of operation.
Answering the questions
When to use session_name ()?
When to use session_id ()?
Which is the safest?
In summary% with% even if you do not define it is generated like this, like session_name
, none of them have to be safely, each represents it in COOKIE sent in HTTP:
Set-Cookie: <NOME DA SESSÃO>=<ID DA SESSÃO>
So if you set up create in your PHP like this:
<?php
session_name('foo');
session_id('baz');
session_start();
echo 'Hello world!';
In HTTP the response will probably be similar to this:
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 12
Content-Type: text/html
Date: Wed, 10 Jan 2018 21:06:18 GMT
Keep-Alive: timeout=5, max=98
Set-Cookie: foo=baz; path=/
Hello world!
Then session_id
will be the name of the cookie and in the session_name
folder a file with the name ./tmp
will be generated, which is the same name as the ID.