Hi,

I have an online service tool where users register themselves and use it.

I have an admin control panel for this service. Sometimes, when users tell us about some weird things with data and usability, we need to check them as if we were logged in as those users...

So I decided to have a page in the admin panel, 'log in as xx user', where xx is a user of our service.

I did it by simply setting the session variables for that particular user account and bypassing the login option. When I finish testing, I log out and log in again as admin to do other activities.

But now I want to avoid having to log out and then log in as admin every time after I have logged in as a different user.

Can I set two simultaneous sessions at a time for a single page/service?

(i.e.) In one tab of the browser I act as an admin and in the other tab I'll act as a user?

Any ideas?

I remember having seen phpBB using them...

A: 

The session is kind of a globally available array; you can separate frontend and backend sessions like this:

<?php

    $_SESSION['frontend']['logged_id'] = true;
    $_SESSION['backend']['logged_id'] = false;

?>

Your script would help me to give you more detailed sample code.

Update

  1. Add prefixes to your set sessions. Like this: $_SESSION['my_CID'] = $cid;
  2. You have to dig into the backend/admin code and find where logout action happens.
  3. That action may be killing the whole session like this: session_destroy() or unset($_SESSION);.
  4. Use the code below not to kill prefixed sessions.

Here's the code:

<?php
    foreach ($_SESSION as $key => $value)
    {
        if (substr($key, 0, 3) == 'my_')
        {
            continue;
        }
        unset($_SESSION[$key]);
    }
?>
Otar
Once the user logs in, there are lots of session variables set from their user account details, and this session data is used across the service. My sample session variables would be like this: $_SESSION['CID'] = "$cid"; $_SESSION['CURRENCY'] = "$cur"; $_SESSION['HRS'] = "passed"; $_SESSION['EMA'] = "$email"; These variables are set even for the admin.
kvijayhari
See my updated answer.
Otar
A: 

What you are seeking with that line of reasoning is a kludge, basically.

What you want is a robust solution and for that I suggest a scheme like this: maintain session variables for:

  • real_user_name
  • real_login_time
  • virtual_user_name
  • virtual_login_time

So when the admin wants to log in as someone you set the last two. Your security should generally check the last two. Access to the admin pages should be based on the first two.

cletus
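
The scheme from the answer above, sketched as an added example (not code from the answer's author): the function names, the ADMINS list, the audit log format and the rule that admin accounts cannot be impersonated are assumptions. The functions take the session array by reference so the block also runs from the command line.

```php
<?php
declare(strict_types=1);

// Hypothetical admin list; a real service would look this up in its user store.
const ADMINS = ['alice'];

function login(array &$s, string $user): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);      // fresh session id whenever identity changes
    }
    $s['real_user_name']     = $user;
    $s['real_login_time']    = time();
    $s['virtual_user_name']  = $user;     // by default you act as yourself
    $s['virtual_login_time'] = $s['real_login_time'];
}

function isAdmin(array $s): bool {
    // Access to admin pages is decided by the real identity only.
    return in_array($s['real_user_name'] ?? null, ADMINS, true);
}

function effectiveUser(array $s): ?string {
    // Ordinary service pages load data for the virtual identity.
    return $s['virtual_user_name'] ?? null;
}

function impersonate(array &$s, string $target): bool {
    // Assumed extra restriction: admin accounts themselves are never impersonated.
    if (!isAdmin($s) || in_array($target, ADMINS, true)) {
        return false;
    }
    $s['virtual_user_name']  = $target;
    $s['virtual_login_time'] = time();
    error_log("impersonation start real={$s['real_user_name']} virtual=$target");
    return true;
}

function stopImpersonating(array &$s): void {
    error_log("impersonation stop real={$s['real_user_name']} virtual={$s['virtual_user_name']}");
    $s['virtual_user_name']  = $s['real_user_name'];
    $s['virtual_login_time'] = time();
}

// Constructed demo; in the application pass $_SESSION after session_start().
$session = [];
login($session, 'alice');
var_dump(impersonate($session, 'bob'), effectiveUser($session), isAdmin($session));
stopImpersonating($session);
var_dump(effectiveUser($session));
```

Because the real identity never leaves the session, the admin panel stays reachable while acting as another user, and every switch leaves a log line naming both identities.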
A: 

I don't know if this is a usable solution to your problem, but if you use Firefox, you can start the browser two times with two different profiles. You won't have the applications in the same tab, but at least you have the same browser with different sessions. If you copy the old profile, you should also be able to have the same history and plugins.

You would have to use "-P -no-remote" as additional parameters to the Firefox executable if you decide to do so.

private_meta
A: 

I think there could be two solutions:

  • First, if you have the Admin and the Service as two different applications, each one will manage its own session. If your service is not designed this way, or if the change will have a great cost, it's not such a good option.

  • Second, and preferred, you can set two objects in the session object, one for the admin and another for the service.

Fgblanch
A: 

You can't have two separate sessions, but you can just add some extra variable to the user session that tells that you are logged in as admin.

Piotr Pankowski
A: 

A few ideas:

  • use two different browsers
  • connect from two different (virtual) machines
  • use something like CookiePie to allow for different cookies per tab
  • connect one instance through a proxy
  • if you can, host the same web app through two different domains, and use one for each session
  • use the hosts file to provide an extra domain name
  • if the session is propagated through the URL instead of cookies, then this will work naturally, but it has all sorts of nasty usability and security consequences
tdammers