Very strange session bug!

[Macintrash]

Now i dont know if this is common, but occasionally while playing, i will click on a profile of a new account and it will log me out. It doesnt unset my session though, because i can go right back into the game by entering in a new URL. What makes it even more confusing is i can have 2 accounts right next to each other, and i open them both in new tabs. ONE can work, and the other will send me straight to the login page. I know its not a hacker because its been happening for a year and it only happens with new accounts and while using items. I looked at the "if session=0 header:login.php" code on a page that works fine compared to a page that causes a logout, and they are identical. What is causing my account to logout when i go to specific pages? I know for a fact my session is still intact, plus it even let me login to a new account while the other is still logged in. Where can i view my cookies/sessions to see whats really going on and how can i fix this?

[Macintrash]

Ok exactly 20 seconds ago i have narrowed it down! I have found out that it allows me to have one account logged in at http://www.mygame.com, and a different account at mygame.com at the same time

[Haunted Dawg]

You may pm me your game url and tell me what page's to look at, then i can find out what your problem is to be exact.

[Dayo]

i wuld advise transfering from sessions to cookies as this would stop the above errors and stop peiople opening your game in 5 browsers all on diffrent accounts and farming

[Fathom]

It is very likely that nothing is technically wrong. This is how sessions should work: they only work on the (sub)domain they are set in. This means that the browser/user does not have any session information when you go to domain.com (even if they logged in at http://www.domain.com/login because that session is set for the www subdomain). Hence the browser has two seperate sessions and you can login to two accounts using domain.com and http://www.domain.com

Quick note, I don't use php so have to excuse any mistake I make. I would imagine that if you create the session from domain.com (i.e point login form to http://domain.com/login) it may solve your problems. Alternatively you can set the domain of the session to domain.com, there must be some way to do this in php...

However this is not an ideal solution. In http(/the web) the pages http://www.domain.com/page and domain.com/page are considered to be different - even if they are infact identical. Therefore if people are using both www and the higher level domain.com they will cache two copies of each page/image. You will notice with most large websites that all requests to domain.com/page are forwarded (301) automatically to http://www.domain.com/page (even if it leads to a 404). This forwarding will usually only need to be done once for each user so is at little cost - and you make a saving if you enable caching/if modified. Of course if you have links on your site pointing to domain.com/page then forwarding willl occur frequently, which is unwanted. You will want to do this with your server not php, google will be your friend here. There are other benefits such as a gain for SEO (as you are removing duplicate content and all outside links will go (perhaps via a forward but search engines are smart) to one page).

I can't comment on Dayo's suggestion as I don't know how it works in php but my solution could be carried out as well for reasons I explained. I'm not sure how a cookie would stop multiple accounts? A flash cookie maybe for detection. Also you can not fully trust the key/values stored in cookies, which might have implications given your code.

[Swift-Fusion || Fusion]

May i suggest using a .htaccess edit, to make people go from domain.tld to http://www.domain.tld :)

This can easily be found on google.