[eluser]Mr Lazy[/eluser]
Hi,
The problem:
I have an application with a login, and during testing I noticed that when I had two (Firefox) browser windows open, each with different users logged in, the session seemed to be shared.
So even though this is not likely to happen, it could be possible for an admin user to log in, and then an ordinary user to share the PC and magically be given admin access.
I am using the CI session functionality, and I have tried resetting the session id after login (a hash of the user's encrypted password and the original session id), but this does not make any difference. Are the two browsers (users) sharing the same session cookie, and if they are, is it possible to give each logged in user their own session?
I hope someone can help,
Many Thanks,
Stephen