Fix Google SSO, PHP Session Management & Multi-Company Access Control in Core PHP App need Web Development


Location: Milano, Italy

Budget: Recommended by industry experts

Time to start: As soon as possible

Project description:
"We already have a diagnostic report outlining the root causes (OAuth callback flow, PHP session handling, login fallback, and company-level access checks).
We’re looking for a developer to implement the fixes based on this diagnosis—no discovery phase needed.

Tech Stack / Environment
- Core PHP (no framework)
- Google OAuth 2.0 (SSO)
- Hostinger hosting, Google Cloud (already set up)
- MySQL

Scope (based on the diagnosis)
1) Google SSO Flow
- Enforce prompt=select_account.
- Fix callback so code → token → user info is reliable and consistent.
2) Email/Password Login
- Use password_verify() with proper error handling; fix the “always same user” fallback.
3) Session Management
- Centralize and secure session init/regeneration/destruction.
- Ensure logout clears both PHP session and Google token.
4) Company-Level Data Isolation
- Enforce company_id checks at every access point (no cross-company access via URL params).
5) Security & Logging
- Add minimal debug/error logging for login attempts and session lifecycle (production-safe).

Constraints / Notes
- No framework migration (keep core PHP).
- Backward compatible with current routes & UX where possible.
- Follow secure session practices (httponly, secure where applicable, CSRF where relevant).

Deliverables
- Updated code implementing all the above.
- Brief technical note/README (files touched, changes made, env vars/config needed).
- Test checklist showing each acceptance criterion passed.
- Optional: short rollback note (how to revert).

Acceptance Criteria
- Google SSO completes and lands the user with a valid, persisted session.
- Email/password login authenticates the correct user (no fallback).
- Logout reliably destroys session and revokes Google token.
- Users can only access data for their own company_id (attempted cross-access is blocked).
- Basic logs confirm login attempts, session init/regeneration/destruction." (client-provided description)
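As an added illustration (not the client's code and not from the diagnostic report), the following core PHP sketch shows the three pieces the scope asks for together: a centralized session bootstrap with httponly/secure/samesite cookie flags and strict mode, an email/password login that uses password_verify() and returns null instead of falling back to a default user, and a data fetch that scopes every query by the company_id stored in the session rather than one taken from the URL. The table and column names (users, documents, password_hash, company_id) are assumptions.

```php
<?php
// Added illustration, not the client's code. Assumed schema: users(id, email,
// password_hash, company_id) and documents(id, company_id, title).
declare(strict_types=1);
function session_bootstrap(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/',
        'secure'   => $https,  // Secure flag only when served over HTTPS
        'httponly' => true,    // cookie not readable from JavaScript
        'samesite' => 'Lax',   // not sent on cross-site POSTs
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse uninitialised session ids
    session_start();
}

// Returns the user row on success, null otherwise. There is deliberately no
// default-user fallback: an unknown email or bad password never signs anyone in.
function login_with_password(PDO $db, string $email, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash, company_id FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        error_log("login failed email={$email}"); // production-safe: no password logged
        return null;
    }
    session_regenerate_id(true); // fresh id after authentication (fixation defence)
    $_SESSION['user_id']    = (int) $user['id'];
    $_SESSION['company_id'] = (int) $user['company_id'];
    error_log("login ok user_id={$user['id']} company_id={$user['company_id']}");
    return $user;
}

// Tenant scoping: company_id comes from the session, never from the request,
// so a ?company_id=... URL parameter cannot widen the result.
function fetch_document(PDO $db, int $documentId): ?array
{
    if (!isset($_SESSION['company_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, company_id, title FROM documents WHERE id = ? AND company_id = ?');
    $stmt->execute([$documentId, $_SESSION['company_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Call session_bootstrap() once at the top of every entry script before reading or writing $_SESSION, so there is a single place where the cookie flags and regeneration policy live.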
