Need to kill a session?
Really quick here... I think I have the answer, but just looking for some validation.
I have a site with two "points of entry." One is for a standard user and one is for an admin account. In the real world, an admin could have a standard user account and try to log in as an admin while already being under the standard user session.
I have two separate front ends to facilitate login. The normal user one is frilly and has ads and the like, the admin one is strictly business, so any suggestion to have the two user types log in through the same "door" is not on the table.
Would you advise on the admin login page to destroy any active sessions? Once the admin is in, they'll only be tooling around in their admin area and not on the main site.
Has anyone run into probs using this method and having an admin-type user try to log back in in a new window as a "user" to view changes from a logged-in user's perspective?
Thanks in advance. So many cans of worms :)
Cans of worms, yes. Having your admin sessions kill off user sessions, also yes.
Personally, given what you described, I'd keep both sets of sessions isolated from each other. That should allow you to include things in the sessions that help reinforce the idea that users can't reach admin pages.
That said, you should not NEED to kill off the session. It should be possible to upgrade the existing session. I'd keep them separate because it would help me keep the two areas clear in my mind (which would help me avoid security errors).
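A sketch of the isolated-sessions design suggested in the answer above, added here as an example and not code from the original thread. The cookie names, the `/admin` path prefix, the `realm` field and the in-memory store are all assumptions made for illustration.

```python
import secrets

# Assumed layout: each entry point gets its own cookie name and path scope,
# so a browser only sends the admin cookie to /admin URLs.
REALMS = {
    "user":  {"cookie": "site_sid",  "path": "/"},
    "admin": {"cookie": "admin_sid", "path": "/admin"},
}

class SessionStore:
    """In-memory store with a separate namespace of session ids per realm."""

    def __init__(self):
        self._sessions = {realm: {} for realm in REALMS}

    def login(self, realm, account):
        # Fresh unguessable id per login; nothing in the other realm is touched.
        sid = secrets.token_urlsafe(32)
        self._sessions[realm][sid] = {"realm": realm, "account": account}
        return REALMS[realm]["cookie"], sid

    def logout(self, realm, sid):
        self._sessions[realm].pop(sid, None)

    def lookup(self, realm, cookies):
        """Return the session for this realm only, or None."""
        sid = cookies.get(REALMS[realm]["cookie"])
        session = self._sessions[realm].get(sid)
        # The realm recorded in the session must match the area being entered.
        if session is None or session["realm"] != realm:
            return None
        return session

def authorize(store, path, cookies):
    """Admin paths accept only admin-realm sessions; all others only user-realm."""
    is_admin_path = path == "/admin" or path.startswith("/admin/")
    realm = "admin" if is_admin_path else "user"
    session = store.lookup(realm, cookies)
    return (realm, session["account"]) if session else None
```

Because the two realms never share a cookie or a lookup table, logging in or out as admin leaves the standard user session intact, and a user session id presented to an admin page is simply not found.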