Same Session ID on Same IP Address but Different Ports

妖精的绣舞 submitted on 2019-12-23 10:56:47

Question


I am running my website (exactly the same source code, even the user login details) on two different computers, each with its own Apache. Users can access both websites via my port forwarding setting.

For example, 10.10.10.10:81 to access website on computer A and 10.10.10.10:82 to access website on computer B.

Users have no problem accessing either one of them, until a user wants to access both of them at the same time using the same internet browser.

Logging in to the website on computer B will log him/her out from the website on computer A.

Why does this happen? Is it because the same IP address will auto-generate the same session ID? Won't different ports have different session IDs? How can I avoid this? Will manually generating the session ID do? Is there any other solution for this issue?

Thank you.


Answer 1:


Cookies are not specific to a port.

It means that if a server running on 10.10.10.10:81 sets a cookie sessionId=123455, the same cookie will be sent to a server running on 10.10.10.10:80. This leads to the scenario you described:

  • A user goes to server 10.10.10.10:81
  • 10.10.10.10:81 server establishes a session for that user and sets the cookie.
  • The user logs in to the server and now can use the session to browse around.
  • User then goes to 10.10.10.10:80 and the browser sends the session cookie set by 10.10.10.10:81
  • Because 10.10.10.10:80 knows nothing about the session on 10.10.10.10:81 it establishes a new session and sets the new session cookie overwriting the old one
  • The new session cookie is only valid on 10.10.10.10:80 and thus the user is logged out on 10.10.10.10:81

Solutions

  • (Preferred) Configure different names for session cookies OR
  • Configure the server to pass the port parameter when setting the session cookie header. This will make the cookie specific to domain+port combination. Avoid this solution if possible because not all the browsers deal with this parameter correctly.



Answer 2:


You've not given a lot of information, but if sessions are being maintained using cookies, and the same domain name is being used to obtain access to both sites, then the cookies will apply to requests to both sites.

When the user switches from site A to site B (using the same browser instance), the session cookie will be sent, but won't match an existing session ID - so a new session ID will be generated by site B and set as "the" session cookie.

Two general approaches to solving this - either use two different domain names for the two sites, or distinguish the session cookies in some other manner. You might be able to do this by configuring a different name to use for the session cookies in site A and site B. The specifics of doing this depend on the technology being used to create sites A and B - which you haven't told us about.
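
The collision that answers 1 and 2 describe, and the fix of giving each site its own session cookie name, as an added example that is not part of the original thread. It uses Python's standard-library cookie jar as a stand-in for the browser and assumes each site issues a new session ID when it receives one it does not recognise; the `Site` class, the cookie names `siteA_session`/`siteB_session` and the user `alice` are constructed for illustration.

```python
import secrets
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie

class Site:
    """Model of one server: its own session store and session cookie name."""
    def __init__(self, cookie_name):
        self.cookie_name = cookie_name
        self.sessions = {}                      # session id -> logged-in user

    def handle(self, cookie_header, login_as=None):
        """Return (user this site sees, Set-Cookie value or None)."""
        morsel = SimpleCookie(cookie_header or "").get(self.cookie_name)
        sid, set_cookie = (morsel.value if morsel else None), None
        if sid not in self.sessions:            # unknown id: issue a new session
            sid = secrets.token_hex(16)
            self.sessions[sid] = None
            set_cookie = f"{self.cookie_name}={sid}; Path=/"
        if login_as:
            self.sessions[sid] = login_as
        return self.sessions[sid], set_cookie

class FakeResponse:
    """Just enough of a response for CookieJar.extract_cookies()."""
    def __init__(self, set_cookie):
        self.headers = Message()
        if set_cookie:
            self.headers["Set-Cookie"] = set_cookie
    def info(self):
        return self.headers

def visit(jar, site, url, login_as=None):
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)                  # cookies the client sends to url
    user, set_cookie = site.handle(req.get_header("Cookie"), login_as)
    jar.extract_cookies(FakeResponse(set_cookie), req)
    return user

def scenario(name_a, name_b):
    """Log in to A (:81), then B (:82); return (user at A, user at B) after."""
    a, b, jar = Site(name_a), Site(name_b), CookieJar()
    url_a, url_b = "http://10.10.10.10:81/", "http://10.10.10.10:82/"  # from the question
    visit(jar, a, url_a, login_as="alice")      # constructed user name
    visit(jar, b, url_b, login_as="alice")
    at_b = visit(jar, b, url_b)
    return visit(jar, a, url_a), at_b

if __name__ == "__main__":
    print(scenario("sessionId", "sessionId"))          # shared cookie name
    print(scenario("siteA_session", "siteB_session"))  # distinct cookie names
```

With the shared name, the cookie stored for port 81 is sent to port 82 and then overwritten there, so site A no longer sees a session it knows; with distinct names the jar keeps both cookies and each site reads only its own.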




Answer 3:


This is the example to solve it:

127.0.0.1:110
session_start();
$_SESSION['ss'] = 'll'; 
echo '<pre>';
var_dump( $_SESSION);

Output:
array(1) {
 ["ss"]=>
  string(2) "ll"
}

127.0.0.1:111
session_start(); 
echo '<pre>';
var_dump( $_SESSION);

Output:
array(1) {
 ["ss"]=>
  string(2) "ll"
}

After changing the session's path:

127.0.0.1:110
session_save_path('/tmp/sess'); // This line must be written before session_start()
session_start();
$_SESSION['ss'] = 'll'; 
echo '<pre>';
var_dump( $_SESSION);

Output:
array(1) {
 ["ss"]=>
  string(2) "ll"
}


127.0.0.1:111
session_start(); 
echo '<pre>';
var_dump( $_SESSION);

Output:
array(0) {
 }

127.0.0.1:111
session_save_path('/tmp/sess');

session_start();
$_SESSION['ss'] = 'll'; 
echo '<pre>';
var_dump( $_SESSION);

Output:
array(1) {
 ["ss"]=>
  string(2) "ll"
}


Source: https://stackoverflow.com/questions/13412864/same-session-id-on-same-ip-address-but-different-ports
