会话，多个选项卡和多租户数据库

Question

I'm working on a multi-tenanted app in CodeIgniter. Sessions are handled securely through the database. Both the user_id and company_id are stored in a server session, and most tables have company_id (which relates to the id field in the companies table) and user_id fields. When an item is saved or updated into the database, the company_id from the session is automatically appended to the query, and populated into the database.

Lets say that UserA has access to both CompanyA (company_id 1) and CompanyB (company_id 2). He opens up CompanyA in his browser, and opens up a form to save a new product for this company. Just before he hits save, he opens up a second tab in the browser, and switches to CompanyB. This means that the session for company_id will have changed on the server. Now, he goes back to the first tab, and hits save - he thinks that he is saving a product for CompanyA, but actually the server session has changed, and it saves into CompanyB.

I think that this theory-crafting is correct. If it is, what is the best way to get around it? The only method that I can think of is to use a hidden company_id field in every single form.

Answer 1

You have three choices : Set the company id on a hidden field, Set a token for the form that refers to the session or pass the company id on the url.

I believe the right approch but not the easiest is to pass a token so you can extend it to all of your form that needs it, in Zend you have a Zend_Form_Element_Hash , i don't know about CodeIgnitier but you probably have something similar.