Sessions and browser's tabs
You may have noticed that when you open your website in two or more
tabs in Firefox, Opera or IE 7.0, or use 'Control+N' in IE 6.0 to open
a new window, the browser sends the same cookie or passes the same
session id, so the other tab is just a copy of the previous one. What
you do in one will affect the other and vice versa. Even if you open
Firefox again, it will use the same cookie as the previous session. But
that is not what you need most of the time, especially when you want to
copy information from one place to another in your web application.
This occurs because the default session name is "PHPSESSID" and all
tabs will use it. There is a workaround, and it relies only on changing
the session's name.

Put these lines at the top of your main script (the script that calls
the subscripts) or at the top of each script you have:
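
    if (version_compare(phpversion(), '4.3.0') >= 0) {
        // uniqid() returns hex digits, so accept 0-9 and a-f after the
        // "SESS" prefix; /D keeps "$" from matching before a newline.
        if (!isset($_REQUEST['SESSION_NAME'])
            || !is_string($_REQUEST['SESSION_NAME'])
            || !preg_match('/^SESS[0-9a-f]+$/D', $_REQUEST['SESSION_NAME'])) {
            // Missing or malformed: start a new session name for this tab.
            $_REQUEST['SESSION_NAME'] = 'SESS' . uniqid('');
        }
        // Append SESSION_NAME=... to every link and form in the output.
        output_add_rewrite_var('SESSION_NAME', $_REQUEST['SESSION_NAME']);
        session_name($_REQUEST['SESSION_NAME']);
    }
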
How it works:

First we check that the PHP version is at least 4.3.0 (the function
output_add_rewrite_var() is not available before this release).

Then we check whether the SESSION_NAME element in the $_REQUEST array
is a valid string in the format "SESSxxxxx", where xxxxx is a unique
id generated by the script. If SESSION_NAME is not valid (i.e. not set
yet), we set a value for it.

uniqid('') will generate a unique id for a new session name. It doesn't
need to be as strong as uniqid(rand(),TRUE), because all security
relies on the session id, not on the session name. We only need a
different id here for each session we open. Even getmypid() is enough
to be used for this, but I don't know if this may pose a threat to the
web server. I don't think so.

output_add_rewrite_var() will automatically add a
'SESSION_NAME=SESSxxxxx' pair to each link and web form in your
website. But for it to work properly, you will need to add it manually
to any header('location') and Javascript code you have, like this:

    header('location: script.php?' . session_name() . '=' . session_id()
        . '&SESSION_NAME=' . session_name());

    <input type="image" src="button.gif"
        onClick="javascript:open_popup('script.php?<?php echo session_name(); ?>=<?php echo session_id(); ?>&SESSION_NAME=<?php echo session_name(); ?>')" />

The last function, session_name(), will define the name of the current
session that the script will use.

So every link, form, header() and Javascript code will forward the
SESSION_NAME value to the next script, and it will know which session
it must use. If none is given, it will generate a new one (and so
create a new session for a new tab).

You may be asking why not use a cookie to pass the SESSION_NAME along
with the session id instead. Well, the problem with a cookie is that
all tabs will share the same cookie, and the sessions will mix anyway.
Cookies will work partially if you set them on different paths, so that
each cookie is available only in its own directory. But this will not
make the sessions in each tab completely separated from each other.
Passing the session name through the URL via GET and POST is the best
way, I think.
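
A hardened variant of the snippet above, as an added example that is not the note author's code: only SESSION_NAME travels in the URL, while the session id stays in a cookie whose name is the per-tab session name. tab_session_name() and tab_session_start() are hypothetical helper names, and the session_start() options array assumes PHP 7.3 or later.

```php
<?php
// Added example, not the note author's code. Helper names are hypothetical;
// the cookie_samesite option assumes PHP 7.3+.
function tab_session_name($candidate)
{
    // Accept only the shape the note generates: "SESS" + hex from uniqid().
    // /D stops "$" from matching before a trailing newline.
    if (is_string($candidate) && preg_match('/^SESS[0-9a-f]{1,32}$/D', $candidate)) {
        return $candidate;
    }
    return 'SESS' . uniqid('');   // new tab: uniqueness is enough, not secrecy
}

function tab_session_start(array $request)
{
    $name = tab_session_name(isset($request['SESSION_NAME']) ? $request['SESSION_NAME'] : null);

    session_name($name);                            // also the cookie name for this tab
    output_add_rewrite_var('SESSION_NAME', $name);  // links and forms carry the tab name

    session_start([
        'use_only_cookies' => 1,      // never accept a session id from the URL
        'use_trans_sid'    => 0,      // never write the session id into URLs
        'use_strict_mode'  => 1,      // reject ids the server did not issue
        'cookie_httponly'  => 1,      // keep the id away from page scripts
        'cookie_samesite'  => 'Lax',
    ]);
    return $name;
}

// Constructed sample inputs showing what the validator keeps or replaces.
if (PHP_SAPI === 'cli') {
    foreach (['SESS4b3403665fea6', 'PHPSESSID', "SESS12\n", ['x'], null] as $in) {
        $out = tab_session_name($in);
        printf("%-22s => %s\n", json_encode($in), $out === $in ? 'kept' : "replaced by $out");
    }
}
```

In a web script, call tab_session_start($_REQUEST) before any output. Redirects and Javascript URLs still need SESSION_NAME added by hand, but no longer the session id.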
----
Server IP: 200.185.109.13
Probable Submitter: 200.155.8.242 (proxied: 1.1
firewall.office.worldweb.com.br:3128 (squid))
----
Manual Page -- http://www.php.net/manual/en/ref.session.php
--
PHP Notes Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php