Sessions from different systems on the same server

2

Scenario (example)

I have 2 systems:

  • Bakery System
  • Posto System

Details

  • The database is separate , then each system with its users and passwords.
  • There is "regular user" between the 2 (eg john.silva)

Problems

If I do not use a different session_name() for each system, if I am logged in with "joao.silva" in the bakery system, and enter the system post, it will enter directly, as if it had authenticated.

Questions

  • When to use session_name() ?
  • When to use session_id() ?
  • What is the most seguro ?
  • Something more important in this context?

PS: I appreciate good links to study. Please avoid being searched on Google without even checking if the content is complete and currently used.

    
asked by anonymous 10.01.2018 / 11:52

2 answers

4

First let me explain the main, the sessions are global, if they are on the same server and domain then they can be accessed by different applications.

However, you can limit the folders that can access the session cookie by setting session_set_cookie_params , something like:

 setcookie(time() + 3600, '/sistema_a/'); //Somente acessivel na pasta sistema_a
 session_start();

But of course this control is only in the cookie, it is still possible to get the values changing if you use the same session_id .

Some details:

  • session_name will only get the currently called session
  • You can not read two sessions at the same time, you can even do some maneuvers in the code but it will not work as well or as practically.
  • session_regenerate_id does not guarantee general security, but a place that can really be useful is against session hijacking, which has nothing to do with your problem

How does the session work?

When you use session_start , a cookie will have a random code that will refer to a file in the /tmp (or c:\caminho\para\o\php\temp or c:\window\temp in Windows Server) folder, that is, the data are in the back end, there's no way someone else steals them unless you as a developer have done something very wrong, an explanation of data exposure in the backend:

But talking about your applications again, if you are the creator of both or at least understand the structure of both sessions, what you can do is check if you are not already logged in and try to import the data by passing them to the desired format, for example:

  • System A, has session_name called SYSTEM_A and session format:

    array(
       'sys_a' => array(
             'idUser' => '<id do usuario>',
             'name' => '<nome do usuario>',
             'update' => <ultima requisição HTTP atualiza esta chave>
       )
    )
    
  • System B, has session_name called SISTEM_B and session format:

    array(
       'sys_b' => array(
             'id' => '<id do usuario>',
             'user' => '<nome do usuario>',
             'lastactive' => <ultima requisição HTTP atualiza esta chave>
       )
    )
    

They are similar, but they are not the same, so assuming you are logged in to system A and will open the system B , you could create a file and top of all called sync_from_sis_a.php , like this:

<?php

require_once 'sync_from_sis_a.php';

The contents of sync_from_sis_a.php would be:

<?php
session_name('SYSTEM_A');
session_start();

//Verifica se NÃO esta logado no B e se ESTA logado no A
if (empty($_SESSION['sys_b']['id']) && isset($_SESSION['sys_a']['idUser'])) {
   $id = $_SESSION['sys_a']['idUser'];
   $nome = $_SESSION['sys_a']['name'];

   session_write_close(); //Finaliza o handle

   session_name('SYSTEM_B'); //Agora no sistema B
   session_start();

   //Copia os dados da sessão anterior para a sessão do sistema B
   $_SESSION['sys_b']['id'] = $id;
   $_SESSION['sys_b']['user'] = $nome;
   $_SESSION['sys_b']['lastactive'] = time();
}

If you are not logged in to system A then you will open system B normally by requesting a login.

The same should be done in system A, check if it is already logged in, so if you do not check if this is logged in B, then create a file named sync_from_sis_b.php and include in the top of all system A , the file should look like this:

<?php
session_name('SYSTEM_B');
session_start();

//Verifica se NÃO esta logado no A e se ESTA logado no B
if (empty($_SESSION['sys_a']['idUser']) && isset($_SESSION['sys_b']['id'])) {
   $id = $_SESSION['sys_b']['id'];
   $nome = $_SESSION['sys_b']['user'];

   session_write_close(); //Finaliza o handle

   session_name('SYSTEM_A'); //Agora no sistema A
   session_start();

   //Copia os dados da sessão anterior para a sessão do sistema B
   $_SESSION['sys_a']['idUser'] = $id;
   $_SESSION['sys_a']['name'] = $nome;
   $_SESSION['sys_b']['update'] = time();
}

Note: All this explained above is hypothetical, there is no way to know how your systems work, it may use encrypted session or it has a complex structure, there is no magic way to synchronize 2 systems different, even if you did not do it, the only solution is you understand both systems or that they provide APIs to facilitate this type of operation.

Answering the questions

  

When to use session_name ()?

     

When to use session_id ()?

     

Which is the safest?

In summary% with% even if you do not define it is generated like this, like session_name , none of them have to be safely, each represents it in COOKIE sent in HTTP:

Set-Cookie: <NOME DA SESSÃO>=<ID DA SESSÃO>

So if you set up create in your PHP like this:

<?php
session_name('foo');
session_id('baz');
session_start();

echo 'Hello world!';

In HTTP the response will probably be similar to this:

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 12
Content-Type: text/html
Date: Wed, 10 Jan 2018 21:06:18 GMT
Keep-Alive: timeout=5, max=98
Set-Cookie: foo=baz; path=/

Hello world!

Then session_id will be the name of the cookie and in the session_name folder a file with the name ./tmp will be generated, which is the same name as the ID.

    
10.01.2018 / 17:12
2

First a session is a superglobal variable in array form, where you store data for a certain time.

According to official documentation for session_id() :

  

session_id () is used to get or set the session id for the   current session.

And for session_name()

  

session_name - Gets and / or sets the current session name

The difference of the two is in its purpose and a little in its operation, session_id is defined once before starting the session, and you will NOT need to call the method every time you need to use a session data, most of the session security comes from the session_regenerate_id function, and by calling this method, you will generate a new session ID without losing the data, but you will not be able to naturally identify what each session is, this is very useful for open sessions by a long time, because even if the identification is captured your identification will be modified during use.

To identify multiple sessions on the same server, the most feasible is to use a session name, as this name will not interfere with your identifier and you can call any of the pre-defined open sessions anywhere and still remain to regenerate the identifiers for the session.

References:

Basic Usage

Session ID

Session Regenerate ID

Session Name

    
10.01.2018 / 15:40