Logged in twice at the same time?


Without going into the details of my code: is it possible to have two
different users logged in at the same time?

I had one page where I found the username correctly set, and another
where it wasn't. (Just by checking <?= $_SERVER['PHP_AUTH_USER'] ?> at
the top of each page.)

Wondering why it would be set for one page and not another (and as a
sanity check) I wrote another page which sends the basic auth headers
and so logged in again.

Now the first page shows my original username. All the other pages
(which used to show username at all) now show the second username. I can
freely switch between them too: it's very consistent. One page, user1.
All the rest: user2.

I'm really confused. I didn't think it was possible to be logged in as
two different users in the same browser against the same host at the
same time.

server: w2k, php 4.3.10, apache 1.3.24
client: both IE and FF.


Re: Logged in twice at the same time?

Are you using two IE or two FF browser windows on the same PC to test
this, or one IE and one FF?
I've never seen that work well, because the browser session can be
shared between both instances of the browser.

Does it do the same if you're in one IE and one FF window?  Or even
browsers on separate PCs?

Re: Logged in twice at the same time?

It was one IE and one FF. Here's the behavior I saw:

IE, Page 1, PHP_AUTH_USER=apple
IE, Page 2, PHP_AUTH_USER=banana

FF, Page 1, PHP_AUTH_USER=apple
FF, Page 2, PHP_AUTH_USER=banana

IE on a completely different computer, Page 1, USER=apple
IE on a completely different computer, Page 2, USER=banana

At that point I ruled out the browser. Something was amiss server-side.

And I more or less figured it out, after about a hundred different
trial-and-error attempts and re-arranging call order. I won't say I
definitively figured it out, because this is still somewhat of a

It seemed like every time "banana" showed up as the user, the http basic
auth header() calls were not being made. And if I could force the
header() call, then 'apple' would be logged in on every page. And once I
did that, I no longer had to send headers again: apple would stick.

The algorithm went like this:

if ("private" page) {
  send_headers(); // force the http auth dialog
} elseif ("public" page) {
  if (already been here) {
    send_headers(); // does not pop up dialog, but does populate
  } else {
    // do nothing
  }
}

Anyway, all seems to be working at this point, so I'm going to run with


Re: Logged in twice at the same time?

It depends on what kind of login you are talking about.

If you are dealing with a .htaccess basic login, and the authentication
realm (AuthName) is different, a browser can have lots of different
logins active (or not) on the same server.  The browser uses the
authentication realm to determine which one to send.

Are the pages in different directories?  While .htaccess can apply
different authentication to different pages, it's harder to do that
by accident in the same directory.

It's easy to have lots of different applications, each with their
own directory and different AuthName, and potentially different
password files, on the same server.

                        Gordon L. Burditt
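
Added example (not part of the original thread, and not any poster's code): a small Python model of the realm behaviour described in the reply above, where a browser keeps one Basic credential per host and realm and answers each 401 challenge with the matching one. The page paths, realm names, host and passwords are constructed for illustration.

```python
import base64
import re

# Constructed sample site: two pages on one host that challenge with
# different realms (hypothetical paths and realm names).
PAGES = {"/page1.php": "Members", "/page2.php": "Admin"}


def server(path, authorization=None):
    """Return (status, headers, body) the way a Basic-auth page would."""
    realm = PAGES[path]
    if authorization and authorization.startswith("Basic "):
        # Password check omitted: only the realm selection matters here.
        user = base64.b64decode(authorization[6:]).decode().split(":", 1)[0]
        return 200, {}, "PHP_AUTH_USER=" + user
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}, ""


class Browser:
    """Caches one credential per (host, realm), as described in the reply."""

    def __init__(self, host):
        self.host = host
        self.cache = {}  # (host, realm) -> "user:password"

    def login(self, realm, user, password):
        self.cache[(self.host, realm)] = user + ":" + password

    def get(self, path):
        status, headers, body = server(path)
        if status != 401:
            return body
        # The realm in the challenge decides which cached login is sent.
        realm = re.search(r'realm="([^"]*)"', headers["WWW-Authenticate"]).group(1)
        cred = self.cache.get((self.host, realm))
        if cred is None:
            return "login dialog for realm " + realm
        token = base64.b64encode(cred.encode()).decode()
        return server(path, "Basic " + token)[2]


def demo():
    b = Browser("example.test")
    b.login("Members", "apple", "pw1")   # constructed credentials
    b.login("Admin", "banana", "pw2")
    return b.get("/page1.php"), b.get("/page2.php")
```

With both logins cached, the same browser reports a different user on each page, so giving every protected page the same realm string keeps a single identity across the site.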
