two sessions on the same browser
#1

[eluser]Ajaxian64[/eluser]
Hi All,

I am developing a website on which it is possible to log in with 2 roles (role1 and role2).
Then I use the CI session and I log in with role1 => OK.
I also try (while the role1 session is still active) to log in with role2 (in another tab...).

Then I come back to role1: unavailable.
----
I thought that it may come from the fact that I used the same name for the session (in fact in CI I do not see the session's name; I only pass a data array in which I put my session data).

For role1 and role2 I use:
Code:
$user = array('user_id'=>$id,'email'=>$email,'role'=>$role, ....);
$this->session->set_userdata($user);// plus extra item for role2
Is it something "standard" with sessions or is there a misconception in my code?
Is there a way to bypass this and get two different sessions in two different tabs on the SAME browser...
Thanks
#2

[eluser]WanWizard[/eluser]
A browser (instance) only has one cookie store, so all windows you open use the same cookies, and therefore the same session. So you can't login twice. If you want to be logged in simultaneously, you need to use two different browsers.

Although it's more logical to assign both roles to the same user. What's the point of logging in twice?
#3

[eluser]Ajaxian64[/eluser]
It was just to test the application. I logged in with a role on a browser tab and another role on another tab of the same browser.
In the application a user may have the 2 roles. Nothing says that he will not use two tabs of the same browser to use the application with 2 different roles.
---
Just a question:
with role 1 the user may pay for something with his credit card; then imagine:
he pays, then he switches to another browser tab in which he logs in to role 2. By doing this the first session of role 1 is "destroyed".
Then, the bank information which is sent (role1) to say that the payment is ok would produce a bad result because session1 is not present.
Could this scenario really happen and is there a bypass?
Thanks for your reply
#4

[eluser]WanWizard[/eluser]
If you open a second tab and load the application, you'll be logged in there as well. So to be able to login with a second role, you should logout first.
#5

[eluser]Unknown[/eluser]
And if he uses new userdata in the same cookie to validate different roles?

Like that:

logged_in_role_1 = TRUE;
logged_in_role_2 = FALSE;

I'm new at CI and I'm desperate with the same problem. I was using PHP sessions for user login and to store the active magazine that the user is reading at the moment. So I used the session name to distinguish these two different sessions. But with the CI session class there is no way to do that.
Now I'm using the CI session class for the login and the native PHP session to store the magazine data (which is only the database id of the magazine). That method works fine for my application.
#6

[eluser]pbreit[/eluser]
With cookie-based session management, a browser can only support one session at a time. This works for the vast majority of web sites. To support multiple sessions in one browser, you'd need to use URL-based session management which is tricky and error-prone.

If you need to log in as two separate users or roles, use two browsers or the "private browsing" feature of IE8, Firefox, Chrome and Safari.
#7

[eluser]WanWizard[/eluser]
From a security point of view, this is a useless exercise as well.

If a person is authorized to perform the tasks assigned to role_1 and role_2, these roles should be defined in the system, and both assigned to the user. Why force the user to logout and login, or to login twice, if the user is clearly authorized?

The only reason this sometimes happens is if you need a clear demarcation between the two roles.

I've written an application for the department of education, to administer student subsidy requests. The employees using the system can login with a parent role (in which case they see their own children and apply for a subsidy), or with an admin role, in which case they can approve or disapprove subsidy requests. The client wanted it to be very clear in which role they were operating when approving their own subsidy requests (so the employee makes a conscious decision when he does that).

You can do this easily within the same session, by asking the desired role on the login screen, and store it in the session. Then, when the user is logged in, present a dropdown with the available roles for that user, and a switch button. This allows the user to select a different role, and switch roles, without having to logout and login again. All the switch function does is update the selected role in the session, and reloads the page (as the new role could mean no more access to the current page!).
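The single-session role switch described in this post, modelled in plain PHP as an added example (not code from the thread or from the subsidy application). The session is an array, the shape CI's set_userdata()/userdata() expose; the function names and the 'roles'/'active_role' keys are this example's own choice, and the user record is assumed to have been loaded from the database.

```php
<?php
// Added example, not code from the thread: one session, one user, several roles,
// with the active role stored in the session and changed only through switch_role().

/**
 * Login: the list of assigned roles comes from the user record (assumed loaded
 * from the DB), never from the request. The role chosen on the login screen must
 * be one of them.
 */
function login_session(int $user_id, string $email, array $assigned_roles, string $chosen_role): array
{
    if (!in_array($chosen_role, $assigned_roles, true)) {
        throw new InvalidArgumentException('chosen role is not assigned to this user');
    }
    return [
        'user_id'     => $user_id,
        'email'       => $email,
        'roles'       => array_values($assigned_roles), // authoritative list, feeds the dropdown
        'active_role' => $chosen_role,                  // the one role all access checks use
    ];
}

/**
 * The "switch" button handler. It changes only active_role, only to a role already
 * in the session, and asks the caller to reload the current page, because the new
 * role may no longer be allowed to see it.
 */
function switch_role(array $session, string $new_role): array
{
    if (!in_array($new_role, $session['roles'] ?? [], true)) {
        // Tampered or stale form value: leave the session untouched (worth logging).
        return ['session' => $session, 'reload' => false, 'error' => 'role not available'];
    }
    $session['active_role'] = $new_role;
    return ['session' => $session, 'reload' => true, 'error' => null];
}

/** Page-level check: authorise on the active role only, not on "has the role somewhere". */
function can_access(array $session, array $roles_allowed_here): bool
{
    return in_array($session['active_role'] ?? '', $roles_allowed_here, true);
}

// Constructed walk-through, following the subsidy application described above.
$session = login_session(42, 'employee@example.invalid', ['parent', 'admin'], 'parent');
var_dump(can_access($session, ['parent']));   // the parent pages are open
var_dump(can_access($session, ['admin']));    // same user, but the approval page must refuse the parent role

$result  = switch_role($session, 'admin');    // the conscious switch
$session = $result['session'];
var_dump($result['reload']);                  // caller redirects so the current page is re-checked
var_dump(can_access($session, ['admin']));    // approval page now open

$result = switch_role($session, 'superuser'); // role not in the user's list
var_dump($result['error']);                   // rejected...
var_dump($result['session']['active_role']);  // ...and the active role is still 'admin'
```

In a CI controller the switch handler would read the chosen role with $this->input->post(), call switch_role() on $this->session->all_userdata(), write the result back with set_userdata() and then redirect(); the point is that the list of permitted roles is read from the session, so the form can only choose among roles the login already established.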
#8

[eluser]Ajaxian64[/eluser]
And I would also like to know (without engaging in a useless dialogue):
I read a lot of threads regarding CI sessions and I would really like to know whether there is a clear statement concerning CI session behavior with IE browsers (7, 8...)?
I heard that sessions get lost with this browser.

Many thanks, all, for your previous replies.
#9

[eluser]WanWizard[/eluser]
@ajaxian64:

as clear as possible: I've never lost a session, not with any browser.

You just need to configure it properly:
- no underscore in the cookie name
- cookie hostname and path must be correct
- hostname needs to be valid (needs one, in some cases two dots in the name, so localhost is invalid!)
- make sure the time on the server is correct ( ntp )
- when using timeouts, cater for users in different timezones
- when using timeouts, cater for users with an incorrectly set PC clock
- when using ajax, avoid a sess_update() call for ajax requests (search the forum for a solution)
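The checklist above mapped onto CodeIgniter 2.x session and cookie settings, as an added example (not from the thread). The key names are CI's own config.php keys; the values are assumptions for a site served at www.example.com, and each comment names the stock default that the corresponding item in the list is warning about.

```php
<?php
// application/config/config.php (added example): stock defaults that trip the
// checklist above, shown in the comments, beside corrected values.

$config['sess_cookie_name']     = 'cisession';     // default 'ci_session': the underscore is the problem named above
$config['cookie_domain']        = '.example.com';  // default '': set the real hostname, with at least one dot (so not localhost)
$config['cookie_path']          = '/';             // must cover every URL the application answers on
$config['sess_expiration']      = 7200;            // checked server-side against last_activity; the Set-Cookie expiry
                                                   // is an absolute date, which a wrong PC clock evaluates wrongly
$config['sess_expire_on_close'] = FALSE;
$config['sess_time_to_update']  = 300;             // how often sess_update() rotates the id; see the ajax item above
$config['sess_match_ip']        = FALSE;           // users behind rotating proxies would otherwise be logged out
$config['sess_match_useragent'] = TRUE;
$config['sess_use_database']    = TRUE;            // user data stays server-side; the cookie only needs to identify the row
$config['sess_table_name']      = 'ci_sessions';
$config['cookie_secure']        = TRUE;            // CI 2.1+: never send the session cookie over plain HTTP
```

Keep the server on NTP, as the post says: every expiry decision above compares last_activity with the server clock, so a skewed server invalidates or over-extends sessions for everyone at once, while a skewed client clock only affects that client's cookie expiry.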

When using a client-side solution that can't send cookies (e.g. swf's), have it send the session_id as a post variable. Then extend the session library, so that it checks for this variable via $this->input->post() when the cookie can not be found, and use that to load the session instead.
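One way to write the extension just described, as an added example rather than code from the thread. It assumes CodeIgniter 2.x, where CI_Session::sess_read() fetches the cookie through $this->CI->input->cookie() (which reads $_COOKIE) and then performs the integrity-hash check, the IP/user-agent match, the expiry check and the database lookup; the fallback simply places the POSTed value where the parent will find it, so every one of those checks still runs. The file name and the use of sess_cookie_name as the POST field name are this example's choices.

```php
<?php
// application/libraries/MY_Session.php (added example, CI 2.x assumed).
// Cookieless clients (swf uploaders and the like) POST the session value in a
// field named like the session cookie; the parent class validates it as usual.

class MY_Session extends CI_Session
{
    public function sess_read()
    {
        $name      = $this->sess_cookie_name;
        $from_post = $this->CI->input->post($name);

        // Fall back only when there is genuinely no cookie, only on a POST, and only
        // over HTTPS: the value is a bearer credential exactly like the cookie, so the
        // same transport rules apply. It is never read from the query string, where it
        // would end up in access logs and Referer headers.
        if ($this->CI->input->cookie($name) === FALSE
            && $from_post !== FALSE
            && strtoupper((string) $this->CI->input->server('REQUEST_METHOD')) === 'POST'
            && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'
            && strlen($from_post) <= 4096)   // sanity bound; the real validation is the parent's hash check
        {
            // The client must send the cookie value exactly as the browser would
            // (serialized data plus hash, or the encrypted blob). A forged or edited
            // value fails the hash check in parent::sess_read() and yields no session.
            $_COOKIE[$name] = $from_post;
        }

        return parent::sess_read();
    }
}
```

Because CI_Session's constructor calls $this->sess_read() and falls through to sess_create() when it returns FALSE, a rejected POST value behaves exactly like a missing cookie: the client gets a fresh, empty session rather than somebody else's.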
#10

[eluser]Ajaxian64[/eluser]
Thanks WanWizard
Just a precision: why did you say that localhost is invalid? I would say that 127.0.0.1 is invalid, not localhost?
And thanks for the list of tasks to achieve a good configuration. It is clearly missing from the threads I read.



