You should be aware that it is possible for a user to create multiple browser instances on his client device. For example, using 'Ctrl+N' within Internet Explorer will produce a new browser instance which is an exact copy or 'clone', including history, of the current instance. These clones will all share the same session cookie, the same session name, the same session id and therefore the same session data on the server. This can have confusing results if the same script is accessed in different browser instances at the same time as only one set of session data for that script will be maintained on the server, therefore only the latest activity will be recorded regardless of the browser instance in which the activity took place.
The only way to avoid this behaviour is to have a mechanism which will assign a separate session id to a particular browser instance, thereby allowing the server to maintain separate session data for each instance. This mechanism must do more than simply use the session_regenerate_id() function to create a new session id, as this will simply overwrite the existing session id in the session cookie, so all browser instances which access this cookie will switch from sharing the 'old' session id to sharing the 'new' one.
In Appendix G I stated that the session cookie contains data in the format <session_name>=<session_id>, which means that the only way to have multiple session id's in the same cookie data is to give each one a separate name, as in:

<session_name1>=<session_id1> <session_name2>=<session_id2> <session_name3>=<session_id3>
Within my menu system I am able to generate new session names, and hence separate session id's with their own session data, with the following steps:

1. Change the default session name from PHPSESSID to MENU. This can be done in either of the following ways:
   - by setting the session.name configuration option at runtime before using the session_start() function, or
   - by setting it in the server configuration with php_value session.name xxxx.
2. The user now has the option to let multiple browser instances share the same session data, or to force an instance to maintain separate session data simply by selecting the 'new session' link in the menu bar.
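The following is an added example of the technique, not the code of the menu system described here: each browser instance is given its own session name, so several <session_name>=<session_id> pairs coexist in the cookie jar and only the name carried in the URL decides which one session_start() picks up. The `sess` and `new_session` query parameters and the `MENU` prefix are assumptions made for the example.

```php
<?php
// Added example, not the article's menu system. Separate browser clones by
// session *name* rather than by regenerating the session id.
declare(strict_types=1);

const SESSION_PREFIX = 'MENU';   // assumed default name, replacing PHPSESSID

// The session name arrives in the URL (every menu link carries it). Validate it
// strictly so a request cannot point PHP at an arbitrary cookie name: only
// names of the form MENU, MENU1, MENU42 ... that we generate are accepted.
function chooseSessionName(array $query): string
{
    $name = $query['sess'] ?? SESSION_PREFIX;
    if (preg_match('/^' . SESSION_PREFIX . '[0-9]{0,6}$/', $name) !== 1) {
        return SESSION_PREFIX;   // anything else falls back to the default
    }
    return $name;
}

// A fresh name for a browser instance that asked for a 'new session'.
function newSessionName(): string
{
    return SESSION_PREFIX . random_int(1, 999999);
}

$name = isset($_GET['new_session']) ? newSessionName() : chooseSessionName($_GET);

// Setting session.name before session_start() selects which <name>=<id> cookie
// is read; it is the runtime equivalent of "php_value session.name xxxx".
ini_set('session.name', $name);
session_start();

$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

// Each link must carry the name, otherwise the next request silently reverts
// to the default session and the instances share data again.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
echo "<p>Session {$name}: {$_SESSION['hits']} hits</p>";
echo "<a href=\"{$self}?sess={$name}\">reload</a> | ";
echo "<a href=\"{$self}?new_session=1\">new session</a>";
```

Opening the 'new session' link in a cloned window gives that window its own MENU<n> cookie and its own hit counter, while windows that keep passing the original name continue to share the original session data.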
This functionality is explained in more detail in Client Clones and Server Sessions.