Incorrect variable information sent in PHP sessions

Question

Here is what I currently have:

PHP

$var1=$_GET['some_val1']
$var2=$_GET['some_val2']

$_SESSION["x"]=$var1;
$_SESSION["y"]=$var2;

header("Refresh: 180; http://some_ip/some_page.php");

This works well in a single user setting.

However If I have multiple users sending values simultaneously. The values sent by user2 are used for both user 1 and user 2 after redirection.

I am not sure what exactly causing the problem and hence framing is a little vague. I will explain with an example:

**User 1**

$var1=$_GET['some_val1'] << hello
$var2=$_GET['some_val2'] << world

echo $var1, $var2 
hello world  << Correct
**User 2**

$var1=$_GET['some_val1'] << HI
$var2=$_GET['some_val2'] << ALL

echo $var1, $var2 
HI ALL  << Correct

**on some_page.php**

**USER 1**

echo $var1, $var2
HI ALL << incorrect 

**User 2**
echo $var1, $var2
HI ALL << correct 

Why are the values not correctly sent across sessions How does PHP handle multiple users at once ?

Answer 1

From Comments:

How do you define "different users"; are they different tabs on the same browser? different browsers on the same machine? Completely different devices?

---

Yes i am emulating different users by multiple tabs on my browser.

---

Sessions are stored in the browser, not the tab. If you want to test multiple users, either use different browsers (i.e. one in Chrome, one in Firefox), or test one in Privacy mode.

-- aynber

This is the cause of your inconsistency issues. In Addition:

SESSIONS are stored until either unset or browser is exited. So if multiple users use the same browser without restarting it and you are not unsetting the SESSION variable once the required process is completed, you will face this issue. It is always a good practice to UNSET the SESSIONS once the process is completed.

-- Mohammed Akhtar Zuberi