php, session, cross-browser, spotify, fat-free-framework

(Spotify) how to stop cross-browser session sharing?


I'm using the Spotify API and for some reason their session class blocks storing my own data in $_SESSION. As a workaround I wrote a class 'SystemHelper':

    namespace App;

    class SystemHelper
    {
        /**
         * If session_id() is an empty string, the session has not been
         * initialised yet, so set the session id to the fixed value 'session1'.
         * Then start the session, store one name/value pair and always close
         * the session after writing so the lock is released.
         *
         * @param   string  $name   any given name
         * @param   mixed   $value  any given value
         */
        public static function customSessionStore($name, $value)
        {
            if (session_id() == '') {
                session_id('session1');
            }
            session_start();
            $_SESSION[$name] = $value;
            session_write_close();
        }

        // customSessionRead() and customSessionDestroy() shown below belong to this class
    }

It is possible now to store data in $_SESSION, but the problem is that as long as I'm logged in with my account (own login form, not the Spotify account), everybody else is logged in too, no matter which browser, IP, etc...

I don't know how this can be solved. Shouldn't session_id generate a random id? Can anybody help please?

Leaving out

            if (session_id() == '') {
                session_id('session1');
            }

doesn't solve it because I need to read and delete the data stored in the session as well. So, additionally I have in this workaround:

    public static function customSessionRead($name)
    {
        if (session_id() == '') {
            session_id('session1');
        }
        session_start();
        session_write_close();   // release the lock; $_SESSION stays readable in memory

        return $_SESSION[$name] ?? null;
    }

and...

    public static function customSessionDestroy()
    {
        session_start();      // resumes whatever id is current
        session_destroy();    // and deletes that session's data
    }

Solution

  • Solved, actually pretty simple. The problem first: if written like this:

        session_id('session1');

    in both customStore and customRead, it simply means resuming the same session. Of course you will always get the same data, no matter which browser, IP, ...; that's the point of resuming a session.

    What solved it:

        session_create_id($name);


    So, the full again:

        public static function customSessionStore($name, $value)
        {
            // if (session_id() == '') {
            //     session_id('session1');
            // }
            // session_create_id() returns a fresh id string; the return value
            // is not used here, so no id is forced before session_start()
            session_create_id($name);
            session_start();            // resumes the client's cookie session or generates a random id
            $_SESSION[$name] = $value;
            session_write_close();
        }

    and,

        public static function customSessionRead($name)
        {
            // if (session_id() == '') {
            //     session_id('session1');
            // }
            session_start();
            session_write_close();
            return $_SESSION[$name] ?? null;
        }