Sessions and browser's tabs



May you have noticed when you open your website in two or more tabs in Firefox, Opera, IE 7.0 or use 'Control+N' in IE 6.0 to open a new window, it is using the same cookie or is passing the same session id, so the another tab is just a copy of the previous tab. What you do in one will affect the another and vice-versa. Even if you open Firefox again, it will use the same cookie of the previous session. But that is not what you need mostly of time, specially when you want to copy information from one place to another in your web application. This occurs because the default session name is "PHPSESSID" and all tabs will use it. There is a workaround and it rely only on changing the session's name.



Put these lines in the top of your main script (the script that call the subscripts) or on top of each script you have:



<?php

if( version_compare ( phpversion (), '4.3.0' )>= 0 ) {

if(! ereg ( '^SESS[0-9]+$' , $_REQUEST [ 'SESSION_NAME' ])) {

$_REQUEST [ 'SESSION_NAME' ]= 'SESS' . uniqid ( '' );

}

output_add_rewrite_var ( 'SESSION_NAME' , $_REQUEST [ 'SESSION_NAME' ]);

session_name ( $_REQUEST [ 'SESSION_NAME' ]);

}

?>



How it works:



First we compare if the PHP version is at least 4.3.0 (the function output_add_rewrite_var() is not available before this release).



After we check if the SESSION_NAME element in $_REQUEST array is a valid string in the format "SESSIONxxxxx", where xxxxx is an unique id, generated by the script. If SESSION_NAME is not valid (ie. not set yet), we set a value to it.



uniqid('') will generate an unique id for a new session name. It don't need to be too strong like uniqid(rand(),TRUE), because all security rely in the session id, not in the session name. We only need here a different id for each session we open. Even getmypid() is enough to be used for this, but I don't know if this may post a treat to the web server. I don't think so.



output_add_rewrite_var() will add automatically a pair of 'SESSION_NAME=SESSxxxxx' to each link and web form in your website. But to work properly, you will need to add it manually to any header('location') and Javascript code you have, like this:



<?php

header ( 'location: script.php?' . session_name (). '=' . session_id ()

. '&SESSION_NAME=' . session_name ());

?>

<input type="image" src="button.gif" onClick="javascript:open_popup('script.php? <?php

echo session_name (); ?> = <?php echo session_id (); ?> &SESSION_NAME= <?php echo session_name (); ?> ')" />



The last function, session_name() will define the name of the actual session that the script will use.



So, every link, form, header() and Javascript code will forward the SESSION_NAME value to the next script and it will know which is the session it must use. If none is given, it will generate a new one (and so, create a new session to a new tab).



May you are asking why not use a cookie to pass the SESSION_NAME along with the session id instead. Well, the problem with cookie is that all tabs will share the same cookie to do it, and the sessions will mix anyway. Cookies will work partially if you set them in different paths and each cookie will be available in their own directories. But this will not make sessions in each tab completly separated from each other. Passing the session name through URL via GET and POST is the best way, I think.