I have CentOS LAMP with multiple sites. I use PHP session variables for the login to the websites. My problem is if you log into one site you can open another site on the same server and you will be logged in. The sites are completely separate so I want them to have to log into each separately. Each site has a different user DB.
Here are the session variables I am populating upon login.
$_SESSION["username"] = "$username";
$_SESSION["user_id"] = "$user_id";
$_SESSION["act_type"] = "$act_type";
I have created a little sample so you can recreate the problem.
There are 2 separate sites:
/var/www/html/site1
/var/www/html/site2
Each site has 2 pages: index.php, secure.php
If I log into one I can open secure.php on the other site too.
/var/www/html/site1/index.php
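<?php
session_start();
// Hard-coded demo credentials for site1
$user = 'jane';
$pass = '654321';
// Array keys must be quoted strings; isset() avoids notices before the form is posted
if ( isset($_POST['user'], $_POST['pass']) AND $user === $_POST['user'] AND $pass === $_POST['pass'] ) {
    $_SESSION['user'] = $user;
    header("location: secure.php");
    exit; // stop the script so nothing else is sent after the redirect
}
else {
    echo "Bad Login";
}
?>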
<form name="form1" method="post" action="index.php">
Username: <input name="user" type="text">
<br />
Password: <input name="pass" type="password">
<br /><br />
<input type="submit" name="Submit" value="Login">
</form>
/var/www/html/site1/secure.php
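<?php
session_start();
// Send visitors without a session login back to the login form
if ( !isset($_SESSION['user']) ) {
    header("location: index.php");
    exit; // without this the page body below is still sent to the client
}
?>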
Secure Page
/var/www/html/site2/index.php
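<?php
session_start();
// Hard-coded demo credentials for site2
$user = 'joe';
$pass = '123456';
// Array keys must be quoted strings; isset() avoids notices before the form is posted
if ( isset($_POST['user'], $_POST['pass']) AND $user === $_POST['user'] AND $pass === $_POST['pass'] ) {
    $_SESSION['user'] = $user;
    header("location: secure.php");
    exit; // stop the script so nothing else is sent after the redirect
}
else {
    echo "Bad Login";
}
?>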
<form name="form1" method="post" action="index.php">
Username: <input name="user" type="text">
<br />
Password: <input name="pass" type="password">
<br /><br />
<input type="submit" name="Submit" value="Login">
</form>
/var/www/html/site2/secure.php
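<?php
session_start();
// Send visitors without a session login back to the login form
if ( !isset($_SESSION['user']) ) {
    header("location: index.php");
    exit; // without this the page body below is still sent to the client
}
?>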
Secure Page
I guess you're having a collision between the session cookie settings. You should use either a separate php.ini file per site (if that’s possible) or a particular setup at the entry point of every site. Take a look at http://ar.php.net/manual/en/function.session-set-cookie-params.php
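
One way to do the per-site setup at the entry point, as an added example that is not part of the original question or answer. It assumes both sites are served from the same hostname under /site1/ and /site2/; the file name session_boot.php, the function start_site_session() and the session directory are hypothetical.

```php
<?php
// session_boot.php (hypothetical name): include this at the top of every page
// of a site instead of calling session_start() directly.

/**
 * Start a session that is private to one site on a shared host.
 *
 * $siteId     short unique label for the site, e.g. 'site1' (assumed)
 * $cookiePath URL path the site is served under, e.g. '/site1/' (assumed)
 */
function start_site_session($siteId, $cookiePath)
{
    $siteId = preg_replace('/[^A-Za-z0-9]/', '', $siteId);

    // 1. Distinct cookie name, so the sites stop sharing the default PHPSESSID.
    session_name('SESS' . $siteId);

    // 2. Scope the cookie to this site's URL path instead of the default "/".
    //    Positional arguments: lifetime, path, domain, secure, httponly.
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, $cookiePath, '', $secure, true);

    // 3. Separate session storage per site. The directory is an assumed path;
    //    it must already exist and be writable by the web server only.
    $dir = '/var/lib/php/session_' . $siteId;
    if (is_dir($dir) && is_writable($dir)) {
        session_save_path($dir);
    }

    session_start();

    // 4. Defence in depth: a session created by another site is discarded
    //    even if its ID is replayed under this site's cookie name.
    if (isset($_SESSION['site']) && $_SESSION['site'] !== $siteId) {
        $_SESSION = array();
        session_regenerate_id(true);
    }
    $_SESSION['site'] = $siteId;
}

// In site1; site2 would call start_site_session('site2', '/site2/').
start_site_session('site1', '/site1/');
```

With this in place, secure.php on site2 receives no cookie from a site1 login, so its isset($_SESSION['user']) check fails and the visitor is sent to site2's own login form.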