#1

    Sessions for front and backend site


    Let's say I have two sites: index.php for the frontend and index.php/admin for the backend. index.php/admin is actually rewritten to index.php?admin=admin using Apache and will access the same index.php file as the frontend so that the admin name could be changed (long story, so please just go with this).

    My question is whether I should create two sessions with two different session cookies using session_name(), or create one session which is an array('front','back'), and include the applicable date for each within the two elements. Please explain why one approach is better than the other.

    Thanks
#2
    Sharing a session means you'll have to keep the two separate the whole time, and if you slip up you might adversely affect the wrong one.

    I'd go for a different session.
#3
    Originally Posted by requinix
    Sharing a session means you'll have to keep the two separate the whole time, and if you slip up you might adversely affect the wrong one.

    I'd go for a different session.
    So, just make sure I select the correct session at the start of the script... Well, that should be doable, thank you.
#4
    Yup. Normally you would adjust the session cookie parameters so there's only ever one session at a time, but while you can set a cookie for /index.php/admin that won't affect /, you can't set a cookie for / that excludes /index.php/admin.
    A different domain/subdomain, or even a different port, is the more fun option.
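
    An added example (not code from the thread or its posters) of selecting the session once at the top of index.php, with the cookie scoping described in post #4. The session names, the `area` key and the `/index.php/admin` path are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Assumption: Apache rewrites /index.php/<admin name> to index.php?admin=admin (post #1).
// $adminPath is the configurable admin URL path; the default here is illustrative.
function sessionConfigFor(bool $isAdmin, string $adminPath = '/index.php/admin'): array
{
    $common = [
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ];
    if ($isAdmin) {
        // Path-scoped: the browser sends this cookie only under the admin path,
        // so front-end requests never carry the admin session ID.
        return ['name' => 'ADMINSESS', 'params' => $common + ['path' => $adminPath]];
    }
    // A cookie for "/" is also sent to the admin path and cannot be excluded from it.
    // The distinct session name is what keeps the admin code from loading it.
    return ['name' => 'FRONTSESS', 'params' => $common + ['path' => '/']];
}

function startAreaSession(bool $isAdmin): void
{
    $cfg = sessionConfigFor($isAdmin);
    session_name($cfg['name']);                 // must be called before session_start()
    session_set_cookie_params($cfg['params']);
    session_start();

    // Defence in depth: session data is tagged with the area that created it,
    // and is discarded if it ever shows up in the other area.
    $area = $isAdmin ? 'admin' : 'front';
    if (($_SESSION['area'] ?? $area) !== $area) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['area'] = $area;
}

// Single decision point at the top of index.php; downstream code just uses $_SESSION.
startAreaSession(($_GET['admin'] ?? '') === 'admin');
```

    With both cookies present, a request to the admin path carries FRONTSESS and ADMINSESS, but only the one named by session_name() is loaded into $_SESSION.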
#5
    Shouldn't it depend on why you need two sessions or you think you need two sessions? If this is for access reasons then couldn't you just have a session user_type or user_role etc. which is admin or member and then give access to backend appropriately?
#6
    Would it not be better if you started your session at the top of the front-end index.php and added a case/mode/action to it like so.

    PHP Code:
        // One case of the switch in the front-end index.php that dispatches on the requested mode
        case 'admin':
            $page_title = $lang['page_title_admin'];
            include 'acp/admin/index.php';
            break;
#7
    Originally Posted by requinix
    A different domain/subdomain, or even a different port, is the more fun option.
    Different port? What does this mean?

    As far as a different subdomain, I agree this is a better option. The problem is the subdomains would need to be something like requinixsbackend.requinix.example.com or notionsadminsection.notion.example.com. As far as I know, CA certificates like *.*.example.com are not available, agree?


    Originally Posted by paulh1983
    Shouldn't it depend on why you need two sessions or you think you need two sessions? If this is for access reasons then couldn't you just have a session user_type or user_role etc. which is admin or member and then give access to backend appropriately?
    Frontend and backend users are very different in my case, and potentially, a person would wish to be logged in as both (two browser instances).


    Originally Posted by slopalong
    Would it not be better if you started your session at the top of the front-end index.php and added a case/mode/action to it like so.
    I don't understand your intent. Please elaborate.
#8
    Originally Posted by NotionCommotion
    Different port? What does this mean?
    Like requinix.example.com for the main site and requinix.example.com:8080 for the admin site. Not the most user-friendly thing, but for an admin thing you don't have to be.

    Originally Posted by NotionCommotion
    As far as a different subdomain, I agree this is a better option. The problem is the subdomains would need to be something like requinixsbackend.requinix.example.com or notionsadminsection.notion.example.com. As far as I know, CA certificates like *.*.example.com are not available, agree?
    I'd expect simply admin.requinix.example.com. But yeah, a wildcard SSL cert won't cover sub-subdomains so you're stuck there.
#9
    Originally Posted by requinix
    I'd expect simply admin.requinix.example.com. But yeah, a wildcard SSL cert won't cover sub-subdomains so you're stuck there.
    I wanted to give the owner of the site the ability to change the admin name (i.e. from admin.requinix.example.com to blablabla.requinix.example.com).

    It seems like I have several options:
    1. Not use HTTPS (I don't want to do so).
    2. Not allow the site's owner the ability to change the admin name, and make it "admin" for all sites. There will be multiple admin users and some might not use strong passwords, and I wanted to give each site's super-admin the ability to do so to make it not so obvious to find the admin page.
    3. Not use a subdomain as the admin site, but use something like requinix.example.com/blablabla. I understand that this approach creates other risks.
    4. Something else?


    Do you have any recommendations on the best approach?

    Thank you
#10
    If I were doing it then I'd just go with the /admin path. You're already using subdomains so throwing more of them on starts looking odd. I'd probably not even bother with the separate session, but it's not like it's that much extra work to do.

    Comments on this post

    • NotionCommotion agrees : Thanks!
#11
    Thanks requinix,

    Was going round and round on this issue, and making no progress. Decision made!

    In regards to separate sessions, I feel it might even be less work to use them since it is done once and downstream code doesn't need to attempt to mimic the logic.

    Thanks again!

    P.S. Go Hawks!
#12
    I don't understand your intent. Please elaborate.
    I couldn't understand the need to have a front-end and back-end at two different locations when they could both be under the same root/dir/ though in different sub folders and just switch between the two with something like the "case" script I posted in the main index.php to call the Admin index.php?

    And if the session starts in the main index - it just carries over into the admin index.

    Not qualified enough to elaborate too much on sessions - But I also believe one can add session[name] etc to the second instance to include whatever one wants to add to the original session.
