How to ensure that a SESSION expires if the user accesses a copy of the application that is in another directory

1

I have an application in PHP where I use sessions to control the login. The application is in mysite.com/minhaApp (I'll call it App1). It happens that, for testing, I've created an instance of my application in another directory:

mysite/otherDir/minApp (I'll call it App2)

After I made this modification, I verified that once I logged in and a SESSION was stored, if the user accesses App1 and then changes the URL to access App2, the same SESSION remains active, making my login control fail.

Would anyone have a clue how to deal with this? Would I have to do some server environment variable checking, such as HTTP_REFERER?

asked by anonymous 24.07.2016 / 00:30

2 answers

2

Instead of changing the system logic, a simple solution is to rename the session cookie according to the folder, before session_start().

In doing so, you have fully independent but simultaneous sessions:

    <?php
    // start of the test block
    $independentes = array( 'app1', 'app2' );

    $caminho = explode( '/', $_SERVER['PATH_INFO'] );          // path split at the slashes; [0] is empty
    $appnumber = array_search( $caminho[1], $independentes );   // position of the folder in the list, or false
    session_name( 'PHPSID_'.( $appnumber === false ? 0 : $appnumber + 1 ) );   // one cookie name per application
    // end of the test block

    session_start();

Basically, we are picking up the second item of the path split at the slashes (the first one is empty, since PATH_INFO starts with /), locating its position in the array with the folder names, and adding that position to the session cookie name, making each situation a fully separate session.

PS: If you are not using CGI or Apache, switch PATH_INFO to REQUEST_URI.

In this case, make sure to create an include with the lines of the test block, and require_once() it on your pages that use sessions. By doing this, you can test as many different folders as you want with independent sessions simultaneously. Just put the root folder name of each application instead of app1 and app2 in the array.

Example:

application 0 at   http://127.0.0.1/...
application 1 at   http://127.0.0.1/teste_a/...
application 2 at   http://127.0.0.1/teste_b/...
application 3 at   http://127.0.0.1/teste_c/...

Configuration:

$independentes = array( 'teste_a', 'teste_b', 'teste_c' );

Anything outside the teste_a, teste_b, and teste_c paths, or paths that are not in the list, will be considered as part of the default application (0).

Reusing on several pages:

To apply the solution on multiple pages, you can save this file as session_start.php, for example:

<?php
   // root folder names of the independent application instances
   $independentes = array( 'app1', 'app2' );

   $caminho = explode( '/', $_SERVER['PATH_INFO'] );          // [0] is empty, [1] is the first folder
   $appnumber = array_search( $caminho[1], $independentes );   // false when the folder is not in the list
   session_name( 'PHPSID_'.( $appnumber === false ? 0 : $appnumber + 1 ) );   // 0 = default application

   session_start();

And simply use it with require_once() on all pages, instead of the original session_start():

<?php
   require_once( 'session_start.php' );

   // ... the rest of your code ... //

24.07.2016 / 01:30
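As an added example (not code from the original answer): the same idea packaged as one reusable include, with the REQUEST_URI fallback the PS mentions built in and, as an extra measure the answer itself does not take, the session cookie's path restricted to the application folder, so the browser never sends one application's cookie to the other directory. The folder names are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or newer.

```php
<?php
// session_bootstrap.php (added example, not the original answer's code)
declare(strict_types=1);

// Returns 0 for the default application, or 1..n for the n-th folder in $independent.
function detectApp(array $server, array $independent): int
{
    // PATH_INFO is only populated by some SAPIs; fall back to the path part of REQUEST_URI.
    $path = $server['PATH_INFO']
        ?? (parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/');
    $segments = explode('/', $path);                        // [0] is empty: the path starts with '/'
    $pos = array_search($segments[1] ?? '', $independent, true);
    return $pos === false ? 0 : $pos + 1;
}

// Names the session cookie after the application and scopes it to that folder.
function startIsolatedSession(array $independent): int
{
    $app = detectApp($_SERVER, $independent);

    // Distinct cookie name per application: a session id issued for one folder is
    // never presented as the session of another.
    session_name('PHPSID_' . $app);

    // Cookie path limited to the application folder ('/' for the default application),
    // so the browser only sends it to that folder. Assumed hardening, not in the answer.
    $cookiePath = $app === 0 ? '/' : '/' . $independent[$app - 1] . '/';
    session_set_cookie_params([
        'path'     => $cookiePath,
        'httponly' => true,                                  // not readable from JavaScript
        'secure'   => ($_SERVER['HTTPS'] ?? 'off') !== 'off', // only over TLS when available
        'samesite' => 'Lax',
    ]);

    session_start();
    return $app;
}

$independentes = ['app1', 'app2'];              // assumed root folder names
$appAtual = startIsolatedSession($independentes); // 0, 1 or 2 for the request being served
```

The cookie with path '/' issued for the default application is still sent to /app1/ and /app2/, but under a different name (PHPSID_0), so it cannot be mistaken for PHPSID_1 or PHPSID_2. Pages require_once() this file in place of their own session_start() call, exactly as the answer describes.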
1

About HTTP_REFERER :

HTTP_REFERER is extremely vulnerable in this case, since it can be edited or deleted silently on the client side, so do not trust it. You can use HTTP_REFERER as a complement, but not on its own.

Note: If you copy the link and open it in a new page, the Referer will no longer exist; also, there are plugins that remove the Referer for privacy reasons.

Problem Fix:

Assuming there is:

meusite.com/App1/index.php
meusite.com/App2/index.php
meusite.com/OutroDir/App3/index.php

The easiest way would be to check whether the session has access to the App in question.

For example:

// Restricts access to App1:
   $acesso = array('App1');
   $_SESSION['acesso'] = $acesso;

// Restricts access to App1 and App2:
   $acesso = array('App1', 'App2');
   $_SESSION['acesso'] = $acesso;

In this way, the first case determines that the user will only have access to App1, and in the second case the user would have access to App1 and App2 as well.

Your applications (App1, App2 and App3) would then have to check whether the user is authorized to access them.

You can use something like this:

// Returns true when $FApp is one of the applications listed in $FSession
function VerificarSessao($FSession, $FApp){

   return in_array($FApp, $FSession);

}

Then call for:

// basename(__DIR__) is the folder of the current script, e.g. 'App1'
$Autorizado = VerificarSessao( $_SESSION['acesso'] , basename(__DIR__) );

if($Autorizado){
  echo 'Você pode acessar!';
}else{
  echo 'Você não pode acessar!';
}

This way you will check whether the directory (in this case /App1, /App2, /App3) is authorized in your session.

Note: I prefer to create the function requiring you to pass the two parameters, to make its operation clearer, so it is extremely simple, but you can put a header('location: /erro.php'); exit; inside the function instead of returning true / false, for example. Anyway.

24.07.2016 / 01:02
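As an added example (not the answer's own code): the same per-application check turned into a small include that also handles a session with no login recorded, compares strictly, regenerates the session id at the moment the grant is written, and redirects instead of echoing. The function names, the error page path and the folder names are assumptions.

```php
<?php
// acesso.php (added example, not the original answer's code)
declare(strict_types=1);

// Called once by your login page, after the credentials have been verified by your own code.
function registrarAcesso(array $appsPermitidos): void
{
    // New session id when privileges change, so an id handed out before login is not kept.
    session_regenerate_id(true);
    $_SESSION['acesso'] = array_values($appsPermitidos);   // e.g. ['App1', 'App2']
}

// True only when the session carries an explicit grant for $app.
function verificarSessao(?array $acesso, string $app): bool
{
    if ($acesso === null) {
        return false;                       // no login recorded in this session
    }
    return in_array($app, $acesso, true);   // strict comparison, no type juggling
}

// Put at the top of every page of an application, after session_start().
function exigirAcesso(string $app, string $paginaErro = '/erro.php'): void
{
    if (!verificarSessao($_SESSION['acesso'] ?? null, $app)) {
        header('Location: ' . $paginaErro); // assumed error page
        exit;
    }
}

// Usage on a page inside meusite.com/App1/ (folder name taken from the script's directory):
session_start();
exigirAcesso(basename(__DIR__));            // redirects unless 'App1' is in $_SESSION['acesso']
```

Because the grant is written server-side and never read from the request, a user who switches the URL from /App1 to /App3 with the same cookie is refused unless 'App3' was listed when registrarAcesso() ran.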