Reputation: 119
I am new to PHP and I am trying to store a session data object (which I create in my application) using $_SESSION['SESSION_DATA'] = $sessionData. When a user logs into my application, I try to retrieve the session data object from the session; if the object is initialized, then I assume the user has already logged in and use the data from the session. If the object is not set, we determine the user is logging in and try to create a session data object and put it in the session.
When I log in with the first user id, the application works fine. But when I log in with a different user id at the same time, in my login action, I see that the session data object retrieved from the session belongs to the first user.
Can someone advise how to handle this problem? We are using Zend Framework. Is there anything in Zend to handle this case implicitly?
Upvotes: 0
Views: 616
Reputation: 3056
You should use Zend_Auth for authentication. You can read more about it here: manual.zfdes.com/de/zend.auth.html
This is how I used Zend_Auth:
    $auth = Zend_Auth::getInstance();
    $authAdapter = new Altergear_Seolista_UserLoginAuthAdapter(
        $loginForm->getLogin(),
        $loginForm->getPassword()
    );
    $result = $auth->authenticate($authAdapter);
The authentication adapter returns a new Zend_Auth_Result with a new identity. For those I use a stdClass object. It will replace the old identity.
Here is my adapter as an example:
    <?php
    use Doctrine\ORM\EntityManager;

    class Altergear_MyApp_UserLoginAuthAdapter implements Zend_Auth_Adapter_Interface
    {
        /**
         * The login
         * @var string $_login
         */
        private $_login;

        /**
         * The user password
         * @var string $_password
         */
        private $_password;

        /**
         * The Doctrine EntityManager
         * @var EntityManager $_em
         */
        private $_em;

        public function __construct( $email, $password )
        {
            $registry = Zend_Registry::getInstance();
            $this->_em = $registry->entitymanager;
            $this->_login = $email;
            $this->_password = $password;
        }

        /**
         * Executes an authentication try
         *
         * @throws Zend_Auth_Adapter_Exception if the authentication failed
         * @return Zend_Auth_Result
         */
        public function authenticate()
        {
            //check if login is correct
            try{
                $user = $this->_em->getRepository('App_Model_User')
                    ->findOneBy(
                        array(
                            '_email' => $this->_login,
                            '_password' => App_Model_User::encodePassword( $this->_password )
                        )
                    );
            }catch( Exception $e ){
                throw new Zend_Auth_Adapter_Exception( 'authentication failed', 0, $e );
            }
            if( $user!==null && $user instanceof App_Model_User && $user->getId() > 0 )
            {
                //login successful
                $identity = new stdClass();
                $identity->user = $user;
                return new Zend_Auth_Result( Zend_Auth_Result::SUCCESS , $identity );
            }else{
                //login failed
                return new Zend_Auth_Result( Zend_Auth_Result::FAILURE, NULL, array('Bitte geben Sie gültige Logindaten an.') );
            }
        }
    }
On top of that you can work with Zend_Acl. I recommend a Zend_Controller plugin for managing access to your controllers and actions.
Upvotes: 0
Reputation: 4014
I assume you mean logging in with another user using the same browser on the same computer while another user is already logged in? If so, I don't think you can separate it, as the session is a browser session.
Upvotes: 1
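The stale-data behaviour from the question and the browser-session point from the last answer, as an added example in plain PHP that is not part of the original posts. An array stands in for $_SESSION, and findUser, loginAsDescribed, loginFixed and the two accounts are hypothetical.

```php
<?php
// Added example; names are hypothetical and the two accounts are constructed.
function findUser(string $login, string $password): ?array
{
    $users = [
        'alice@example.test' => ['id' => 1, 'hash' => password_hash('alice-pw', PASSWORD_DEFAULT)],
        'bob@example.test'   => ['id' => 2, 'hash' => password_hash('bob-pw', PASSWORD_DEFAULT)],
    ];
    $user = $users[$login] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return null;
    }
    return ['id' => $user['id'], 'login' => $login];
}

// Flow from the question: existing session data means "already logged in".
function loginAsDescribed(array &$session, string $login, string $password): ?array
{
    if (isset($session['SESSION_DATA'])) {
        return $session['SESSION_DATA']; // submitted credentials are never checked
    }
    $user = findUser($login, $password);
    if ($user !== null) {
        $session['SESSION_DATA'] = $user;
    }
    return $user;
}

// Corrected flow: always check the submitted credentials, reset the session, rotate the id.
function loginFixed(array &$session, string $login, string $password, callable $rotateId): ?array
{
    $user = findUser($login, $password);
    $session = []; // the previous user's data must not survive a new login attempt
    if ($user !== null) {
        $rotateId(); // in a web request: session_regenerate_id(true)
        $session['SESSION_DATA'] = $user;
    }
    return $user;
}

// Demo: an array stands in for $_SESSION of one browser; Alice logs in, then Bob.
$old = $new = [];
$rotations = 0;
$rotate = function () use (&$rotations) { $rotations++; };
foreach ([['alice@example.test', 'alice-pw'], ['bob@example.test', 'bob-pw']] as [$l, $p]) {
    $seenOld = loginAsDescribed($old, $l, $p);
    $seenNew = loginFixed($new, $l, $p, $rotate);
}
echo "as described: {$seenOld['login']}; fixed: {$seenNew['login']}, id rotated $rotations times\n";
```

In Zend Framework 1 the id rotation call is Zend_Session::regenerateId().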