My problem: Users are being logged into each other's accounts without doing anything. For example, if I log into my account and start browsing, and a second user visits the site, if they log in to their own account and reload a few times they end up being in my account. This, as you can see, is a huge security flaw.
Furthermore, I've been having errors being logged:
PHP Warning: session_start(): open(tmp//sess_vfufois8rpg3p7l0fjet2p4e63, O_RDWR) failed: No such file or directory (2) in
My PHP sessions are being stored in a tmp folder inside the root of the web server. I can't seem to find what's wrong. Any help would be greatly appreciated.
Here's the function for processing logins:
function process_login() {
    $username = "";
    $password = "";
    // Remember-me cookie: username plus the stored token
    if (isset($_COOKIE['username']) and isset($_COOKIE['user_token'])) {
        $username = $_COOKIE['username'];
        $password = $_COOKIE['user_token'];
    }
    // An existing session overrides the cookie values
    if (isset($_SESSION['username']) and isset($_SESSION['user_token'])) {
        $username = $_SESSION['username'];
        $password = $_SESSION['user_token'];
    }
    // Look the member up by id and stored password
    $query = db()->query("SELECT * FROM members WHERE id = ? AND password = ? ", $username, $password);
    $result = $query->fetch(\PDO::FETCH_ASSOC);
    if (!$result) return false;
    app()->authId = $result['id'];
    app()->authUser = $result;
    // Refresh the cookie/session login data
    save_login_data($result['id'], $result['password']);
    return true;
}
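As an added example (not the asker's code), a defensively written variant of the same login bootstrap: it refuses to start a session when `session.save_path` is relative or not writable, treats an established session as authoritative instead of mixing it with cookie values, compares an opaque per-user token rather than the stored password, and regenerates the session id once a login is established. It assumes a connected `\PDO` instance `$pdo`, cookies named `member_id` and `login_token`, and a `members.login_token` column, none of which are in the original.

```php
<?php
// Added example, not the asker's code. Assumes $pdo is a connected \PDO and
// that members has a `login_token` column holding a random per-user token
// (an assumption; the original puts the stored password into the cookie).

function start_session_safely(): void
{
    $path = (string) ini_get('session.save_path');
    // A relative path such as "tmp" is resolved against the current working
    // directory, which differs between scripts; an absolute, writable,
    // web-inaccessible directory avoids the open(tmp//sess_...) failure.
    if ($path === '' || $path[0] !== '/') {
        throw new RuntimeException("session.save_path must be absolute, got '$path'");
    }
    if (!is_dir($path) || !is_writable($path)) {
        throw new RuntimeException("session.save_path '$path' is not writable");
    }
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Returns the member row on success, or null when nobody is logged in.
function process_login(\PDO $pdo): ?array
{
    start_session_safely();
    $stmt = $pdo->prepare('SELECT * FROM members WHERE id = ?');

    // An established session is authoritative; it never falls back to cookies.
    if (isset($_SESSION['member_id'])) {
        $stmt->execute([(int) $_SESSION['member_id']]);
        return $stmt->fetch(\PDO::FETCH_ASSOC) ?: null;
    }

    // Remember-me path: look the member up by id, then check the opaque token.
    if (!isset($_COOKIE['member_id'], $_COOKIE['login_token'])) {
        return null;
    }
    $stmt->execute([(int) $_COOKIE['member_id']]);
    $row = $stmt->fetch(\PDO::FETCH_ASSOC);
    if (!$row || !hash_equals((string) $row['login_token'], (string) $_COOKIE['login_token'])) {
        return null;
    }

    // Fresh session id when the login is established, so the id the browser
    // arrived with is never promoted to an authenticated session.
    session_regenerate_id(true);
    $_SESSION['member_id'] = (int) $row['id'];
    return $row;
}
```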