Saturday, August 25, 2007

Managing Multiple Simultaneous Sessions With PHP

The Issue:

Managing multiple simultaneous sessions with PHP is not a fun thing.

How does one go about creating a session that is unique to the browser window or tab? The goal is to freeze the session state.

Generally, when a user signs in to a Control Panel type of environment, screen elements are displayed, and the user clicks on an element and performs the action. If the user were to open multiple new windows or tabs, all of the assigned session variables _will be_ overwritten. The result is a huge mess of previously opened and newly opened content.

One way to work around this problem is to disable the right-click: prevent the user from opening new windows, and prevent the user from clicking any mouse button other than the left one. This workaround requires the user to sign in to the Control Panel with the Internet Explorer browser. Any other browser would fly through the filters. JavaScript must be enabled, and so on. Detecting the browser type is the next issue. It is possible to spoof the HTTP User-Agent and have the client report itself as any other client or app. The disadvantages of such an approach quickly add up. A lot of the online banking portals seem to follow this approach.

The next solution involves renaming and creating new PHP sessions. I haven't found this to work too well. There were too many hoops involved.

The Solution:

The solution is to create a multi-dimensional array. Dynamically feed and call the multi-dimensional array based on the parent called.

Let's say you have five variables (parent vars) and need to register five sessions. Create a unique hash for each of the five variables, create a multi-dimensional array and call the hash in every GET and POST request. It's that simple!

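session_start();

// Select vars from db into $parent_vars (query not shown)

// Loop them, creating one hash-keyed session entry per parent var
foreach ($parent_vars as $parent) {
    $foo = generate_hash(); // helper not shown; must return a unique hash
    $_SESSION[$foo]['type'] = $foo;
}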

To call these sessions, the subsequent pages would need to receive the hash in a GET request of the form $type = hash_value.
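
An added example of the hash-keyed layout described above, showing how a page can issue the hash and check the value that comes back before using it as a session key. It is not the post's own code: window_open() and window_resolve() are hypothetical names, random_bytes() is an assumption about what generate_hash() should provide, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example; function names are hypothetical, sample data is constructed.

// Issue a new per-window slot inside the session and return its hash.
function window_open(array &$session): string
{
    // Assumption: the hash should be unguessable, so take 16 bytes from
    // the CSPRNG (32 hex characters) instead of hashing a known value.
    $token = bin2hex(random_bytes(16));
    $session[$token]['type'] = $token;   // same layout as the post
    return $token;
}

// Map the value sent by the browser to a slot this session already owns.
// Returns the hash, or null when the value must not be used as a key.
function window_resolve(array $session, $sent): ?string
{
    // ?type[]=x arrives as an array; the strict format check also stops
    // request input from addressing other session keys such as 'user_id'.
    if (!is_string($sent) || !preg_match('/\A[0-9a-f]{32}\z/', $sent)) {
        return null;
    }
    // Accept only hashes issued earlier; never create a slot on read.
    return isset($session[$sent]['type']) ? $sent : null;
}

// Constructed demo: two tabs editing different records in one login.
$session = ['user_id' => 42];            // stands in for $_SESSION
$tabA = window_open($session);
$tabB = window_open($session);
$session[$tabA]['record_id'] = 1001;
$session[$tabB]['record_id'] = 2002;

// Values as they would arrive in $_GET['type'] or $_POST['type'].
$requests = [$tabA, $tabB, 'user_id', str_repeat('0', 32), ['x']];
foreach ($requests as $sent) {
    $hash  = window_resolve($session, $sent);
    $label = is_string($sent) ? $sent : 'array';
    $state = $hash === null
        ? 'rejected'
        : 'record ' . $session[$hash]['record_id'];
    echo $label, ' => ', $state, "\n";
}

// Every link or form rendered for tab A then carries its own hash.
echo '/edit.php?type=' . urlencode($tabA), "\n";
```

In a real page, pass $_SESSION and the request's type parameter to window_resolve() and fall back to the default view when it returns null. The hash travels in URLs and will show up in logs and Referer headers, so it should only select state inside an already authenticated session, never replace the session cookie.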