Is it possible to generate different session cookies?
#1

[eluser]Mr Lazy[/eluser]
Hi,

The problem:
I have an application with a log in, and during testing I noticed that when I had two (Firefox) browser windows open, each with different users logged in, the session seemed to be shared.
So even though this is not likely to happen, it could be possible for an admin user to log in, and then an ordinary user to share the PC and magically be given admin access.

I am using the CI session functionality, and I have tried resetting the session id after login (a hash of the user's encrypted password and the original session id), but this does not make any difference. Are the two browsers (users) sharing the same session cookie, and if they are, is it possible to give each logged in user their own session?

I hope someone can help,

Many Thanks,
Stephen
#2

[eluser]Phil Sturgeon[/eluser]
Firstly, good name and avatar!

Is that not standard session behaviour though? A session logs a PC into the site as that is the only way a session is recognised, a cookie on the PC.

If you are worried about an admin using a computer then someone going on after and being logged in, you should simply set the session expire time a little lower (from 0 to the number of seconds it should last). That is found in the main config.php file.
#3

[eluser]Mr Lazy[/eluser]
Yes, I guess it is standard PC session behavior, but I thought that maybe a session could log maybe a browser instance, or possibly even a browser tab instance. If it is done on a PC basis, I agree the only way forward is to reduce the session expire time.

Thanks for your input.
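
The behaviour discussed in this thread, as an added example that is not part of any post: a Python model (not CodeIgniter code) of one cookie jar per browser profile, showing why a second login in another window replaces the first and how an idle expiry limits what the next person at the PC inherits. The `Server` class, the function names, the user names and the 900-second expiry are constructed for illustration.

```python
import secrets

class Server:
    """Toy cookie-session server: session id -> user, role, last activity."""
    def __init__(self, expire_seconds):
        self.expire_seconds = expire_seconds  # 0 = no idle expiry
        self.sessions = {}

    def login(self, jar, user, role, now):
        # Discard the session the jar pointed at, then issue a fresh random id.
        self.sessions.pop(jar.get("session"), None)
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "role": role, "last_seen": now}
        jar["session"] = sid  # Set-Cookie replaces the jar's single entry

    def whoami(self, jar, now):
        sid = jar.get("session")
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.expire_seconds and now - sess["last_seen"] > self.expire_seconds:
            del self.sessions[sid]  # idle too long: a new login is required
            return None
        sess["last_seen"] = now
        return (sess["user"], sess["role"])

def shared_profile():
    """Two windows of one browser profile send the same cookie jar."""
    server, jar = Server(0), {}
    server.login(jar, "admin", "admin", now=0)    # window 1
    server.login(jar, "stephen", "user", now=10)  # window 2
    return server.whoami(jar, now=20)             # window 1's next request

def separate_profiles():
    """Separate profiles or browsers keep separate jars, so sessions differ."""
    server, jar_a, jar_b = Server(0), {}, {}
    server.login(jar_a, "admin", "admin", now=0)
    server.login(jar_b, "stephen", "user", now=10)
    return server.whoami(jar_a, now=20), server.whoami(jar_b, now=20)

def next_person_at_pc(expire_seconds, idle=3600):
    """Admin logs in and walks away; someone else uses the browser later."""
    server, jar = Server(expire_seconds), {}
    server.login(jar, "admin", "admin", now=0)
    return server.whoami(jar, now=idle)

if __name__ == "__main__":
    print(shared_profile(), separate_profiles())
    print(next_person_at_pc(0), next_person_at_pc(900))
```

Changing the session id at login does not separate the two windows because both still read and write the same cookie; only a separate cookie jar or an expired session changes what the server sees.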
