I managed to get sessions working with PHP, however, the sessions are merging/mixing. If one user logs in and visits a certain page, and then a new user visits that same page, they will jump on to the first user's session.
My code is as follows:
    session_start();
    // Return value of session_id() is discarded here; this call neither sets nor checks anything.
    session_id();
    // Looks up the user whose ID is taken from $client (ID concatenated directly into the SQL string)
    $rainbow = mysqli_query($db, "SELECT * FROM Users WHERE ID='" . $client->ID . "'");
    $rainbow = mysqli_fetch_object($rainbow);
    $_SESSION['Username'] = $rainbow->Username;
    $_SESSION['Password'] = $rainbow->Password;
Every time a page is loaded, session_start() is called. I'm also using session_id(), so I'm not sure why the sessions are merging.
This is becoming a large security problem.
Additionally, pages seem to be caching along with this issue, but it doesn't seem to be a session issue caused by caching. If you refresh the page, you will be placed back in your correct session and the page will be updated, otherwise, it will not.
You suppose your problem is that sessions are merged, but you misunderstand the situation. The sessions work correctly, but you save the same username and password as session variables.
You are using a variable called $client. You get a member from it, called ID. I am sure that you have a problem in initializing $client. Make sure that you initialize $client correctly, that it has the correct ID for each session, and that there is no potential for SQL injection.
Try something like this!
    // $password_from_database holds the stored password_hash() value;
    // password_verify() compares it against the submitted password in constant time.
    if (password_verify($password, $password_from_database)) {
        $_SESSION['email'] = $email;
        // Random per-login token. openssl_random_pseudo_bytes() takes only a length;
        // its optional second argument is a by-reference strength flag, not a seed.
        $_SESSION['okayToken'] = bin2hex(openssl_random_pseudo_bytes(40));
        $_SESSION['loginTime'] = time();
    }
Use the $_SESSION['okayToken'] for session tracking purposes! Never pass passwords to sessions. Not even the password hashes.
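Putting the two answers above together, here is a complete login and page-load flow as an added example; it is not code from the question or from either answer. It assumes a Users table with columns ID, Email and PasswordHash (a password_hash() value), a mysqli connection in $db with the mysqlnd driver (needed for get_result()), and an HTTPS site. Each session holds only its own user's ID and a random token, the user lookup is a prepared statement rather than string concatenation, the session ID is regenerated at login so pre-login state never carries over, and the response is marked non-cacheable so a shared cache cannot hand one user's page to another.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes: Users(ID, Email, PasswordHash) where PasswordHash = password_hash(...),
// a mysqli connection in $db (mysqlnd driver), and HTTPS.

declare(strict_types=1);

// Harden the session cookie before the session is started.
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Per-user pages must never be stored by a shared cache.
header('Cache-Control: no-store, private');

/**
 * Authenticate one user and bind the current session to that user only.
 * Stores the user's ID and a random per-login token; never the password or its hash.
 */
function login(mysqli $db, string $email, string $password): bool
{
    // Prepared statement: the email is bound as a parameter, never concatenated into SQL.
    $stmt = $db->prepare('SELECT ID, PasswordHash FROM Users WHERE Email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // password_verify() checks the submitted password against the stored hash in constant time.
    if ($row === null || !password_verify($password, $row['PasswordHash'])) {
        return false;
    }

    // Replace the pre-login session ID so a fixated or reused ID never carries the
    // authenticated state, and clear anything left over from a previous login.
    session_regenerate_id(true);
    $_SESSION = [];

    $_SESSION['user_id']   = (int) $row['ID'];
    $_SESSION['okayToken'] = bin2hex(random_bytes(32)); // CSPRNG, unlike time()
    $_SESSION['loginTime'] = time();
    return true;
}

/**
 * On every page load, derive the current user from this session's own user_id.
 * Returns null when nobody is logged in.
 */
function currentUser(mysqli $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT ID, Email FROM Users WHERE ID = ?');
    $stmt->bind_param('i', $_SESSION['user_id']);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $user ?: null;
}

/** End the session and drop its data. */
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Hypothetical request handling (connection values are placeholders):
// $db = new mysqli('localhost', 'app_user', 'app_password', 'appdb');
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     if (login($db, $_POST['email'] ?? '', $_POST['password'] ?? '')) {
//         header('Location: /home.php');
//         exit;
//     }
// }
// $user = currentUser($db);
```

The key difference from the code in the question is that nothing about the logged-in user is taken from a variable shared across requests: the user is recovered from $_SESSION['user_id'], which belongs to this session alone, and the password never enters the session at all.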
I have fixed the problem and for now, it's working. At a later time it'll need to be more unique though.
For now, I've given sessions a key which is simply the current UNIX timestamp.
This seems to be keeping the sessions unique, but as I said, it'll need to be more randomized in the future in case two users have the same timestamp, which would bring me back to the merging issue where the session is being confused.