Banana

Reputation: 824

SessionIDs are not unique in PHP

I'm learning how to do session management in PHP and trying to allow only one login session by using session_id() to generate a login session hash, but it seems that something is wrong, because each time I call session_id() it returns the same hash 0b055b4f53310060d84535ee8e3bf663. I tried logging in with multiple users; it returns the same hash for each login session and for each user.

//Login.php:
session_start(); // Starting Session
//Take inputs, do user query
if ($queryResultRows == 1){
    $_SESSION['userid']=$userinfo["uid"];
    $_SESSION['userlevel']=$userinfo["userlevel"];
    $_SESSION['login_user']=$username; // Initializing Session
    $sessionid = session_id(); // Same ID the browser's session cookie already carries
    //Insert sessionId into DB..
    //Redirect to next page.
}
//Logout.php:
session_start();
if(session_destroy()) // Destroys the current session's data only
{
    header("Location: index.php"); // Redirecting To Home Page
    exit; // Stop the script once the redirect header is sent
}

Now I tried to log in, and I successfully had access to all session-restricted areas on my page (the session was created and is working), then initiated logout.php; the session was destroyed and I no longer had access. I logged in again, but the session_id() value was still the same. Any ideas what I'm doing wrong here?

Upvotes: 0

Views: 124

Answers (1)

Caligone

Reputation: 180

session_destroy() only deletes the data of the session and doesn't delete the attached cookie.

session_destroy() destroys all of the data associated with the current session. In order to kill the session altogether, the session ID must also be unset. If a cookie is used to propagate the session ID (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Documentation

You can also regenerate a new session_id with session_regenerate_id

More information about PHP sessions and cookies

Upvotes: 1
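
The logout sequence the answer describes (clear the data, expire the session cookie, destroy the session) combined with session_regenerate_id() at login, as an added example that is not part of the original question or answer. The function names login_user() and logout_user() are hypothetical; the session keys and the index.php redirect are taken from the question.

```php
<?php
// Added example. login_user() and logout_user() are hypothetical helpers.

function login_user(array $userinfo, string $username): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh ID and delete the old session data. Without this, the ID
    // sent by the browser's existing cookie is reused for every login, which
    // is why the question saw the same hash for each user.
    session_regenerate_id(true);

    $_SESSION['userid']     = $userinfo['uid'];
    $_SESSION['userlevel']  = $userinfo['userlevel'];
    $_SESSION['login_user'] = $username;

    // Value to store server-side for the "one login session" check.
    return session_id();
}

function logout_user(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 1. Drop the data held in memory for this request.
    $_SESSION = [];

    // 2. Expire the cookie that propagates the session ID, using the same
    //    path/domain/flags it was set with so the browser matches it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side session data.
    session_destroy();

    header('Location: index.php');
    exit;
}
```

Regenerating the ID at login also closes the session fixation window, since an ID known before authentication stops being valid once the user is logged in.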
