Basics of create PHP sessions after login

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

simonmlewis
DevNet Master
Posts: 4435
Joined: Wed Oct 08, 2008 3:39 pm
Location: United Kingdom

Basics of create PHP sessions after login

Post by simonmlewis »

Hello

I have a CMS with user logins, but have yet to find out how to add Sessions.

So when someone passes through the pages, it knows who they are, without constantly creating SELECT * queries in SQL.

It may be with Cookies, but again, I've no idea about Cookies.

Hope someone can offer some guidance.

Simon
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
papa
Forum Regular
Posts: 958
Joined: Wed Aug 27, 2008 3:36 am
Location: Sweden/Sthlm

Re: Basics of create PHP sessions after login

Post by papa »

Maybe reading about cookies and sessions might help? :)

session_start() is one function that you need to use.
eggnogg
Forum Newbie
Posts: 11
Joined: Wed Feb 15, 2006 7:31 pm

Re: Basics of create PHP sessions after login

Post by eggnogg »

Check SESSION + the PHP manual on Google -> all the info is there 8)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Basics of create PHP sessions after login

Post by kaisellgren »

After a successful login, you create a cookie, which can either be created by PHP's built-in cookie() function or you add it with header(), which is a much more challenging task.

Once the user requests a protected page, the cookie data is checked against the database. If the information matches the db records, let him see the page; if not, output the login form (or redirect to it).
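An added example of the "cookie checked against the database" approach described above; it is not kaisellgren's code or anything posted in this thread. It assumes a PDO connection in $pdo, a table named login_tokens(selector, token_hash, user_id, expires_at), and PHP 7.3 or later for the setcookie() options array; the function names are likewise assumptions. The secret half of the cookie is stored only as a hash, so a copy of the table alone does not let anyone log in, and the comparison is constant-time.

```php
<?php
// Added example (not from the thread): a login cookie whose value is checked
// against the database. Assumes a PDO connection $pdo and a table
// login_tokens(selector, token_hash, user_id, expires_at); both are
// assumptions, as is the token lifetime below.

declare(strict_types=1);

const TOKEN_LIFETIME = 86400 * 14; // seconds; assumed policy

// Called after the username/password have been verified.
function issueLoginCookie(PDO $pdo, int $userId): void
{
    // The selector finds the row; the verifier is the secret and is stored
    // only as a hash, so a leaked table does not yield usable cookies.
    $selector = bin2hex(random_bytes(9));
    $verifier = bin2hex(random_bytes(32));
    $expires  = time() + TOKEN_LIFETIME;

    $stmt = $pdo->prepare(
        'INSERT INTO login_tokens (selector, token_hash, user_id, expires_at)
         VALUES (:selector, :hash, :uid, :expires)'
    );
    $stmt->execute([
        ':selector' => $selector,
        ':hash'     => hash('sha256', $verifier),
        ':uid'      => $userId,
        ':expires'  => $expires,
    ]);

    // HttpOnly keeps scripts from reading it; Secure keeps it off plain HTTP.
    setcookie('login', $selector . ':' . $verifier, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Called at the top of a protected page; returns the user id or null.
function userFromLoginCookie(PDO $pdo): ?int
{
    if (!isset($_COOKIE['login']) || !is_string($_COOKIE['login'])) {
        return null;
    }
    $parts = explode(':', $_COOKIE['login'], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $verifier] = $parts;

    $stmt = $pdo->prepare(
        'SELECT token_hash, user_id, expires_at
           FROM login_tokens WHERE selector = :selector'
    );
    $stmt->execute([':selector' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison: does not leak how many bytes matched.
    if (!hash_equals($row['token_hash'], hash('sha256', $verifier))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Usage on a protected page:
// $userId = userFromLoginCookie($pdo);
// if ($userId === null) { header('Location: login.php'); exit; }
```

The exit after the redirect matters: header() only queues the Location header, and without exit PHP keeps rendering the rest of the protected page into the response.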
MichaelR
Forum Contributor
Posts: 148
Joined: Sat Jan 03, 2009 3:27 pm

Re: Basics of create PHP sessions after login

Post by MichaelR »

I find session_start() works well. Define $_SESSION["id"] as the user's ID (after selecting it from the database), and have session_start() at the top of every restricted page. If $_SESSION["id"] is not set, redirect them to whatever page you wish, else if it is set, allow them to stay on the restricted page. Like this:

Code:

<?php
session_start();

if (!isset($_SESSION["id"])) {
    header("Location: index.php");
    exit; // stop here, otherwise the restricted content below is still sent
} else {
    // ... restricted page content
}
kipp
Forum Commoner
Posts: 27
Joined: Fri Jan 09, 2009 1:25 pm

Re: Basics of create PHP sessions after login

Post by kipp »

Is Michael's redirect option a safe bet? Honestly that is what I normally use, but it seems so simple I am concerned that it is basically leaving a back door wide open.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Basics of create PHP sessions after login

Post by kaisellgren »

kipp wrote: Is Michael's redirect option a safe bet?

You still need protection against session attacks and CSRF.
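An added example, not code from MichaelR, kaisellgren or anyone else in this thread, that keeps MichaelR's $_SESSION["id"] check from earlier in the thread and adds the protections against session attacks and CSRF that the reply above says are still needed. The function names and page names (index.php, login.php) are assumptions, and the cookie options arrays need PHP 7.3 or later.

```php
<?php
// Added example (not from the thread): MichaelR's session check plus
// session-fixation and CSRF defences. Function and page names are assumed.

declare(strict_types=1);

function startSecureSession(): void
{
    // HttpOnly keeps JavaScript from reading the session id, Secure keeps it
    // off plain HTTP, SameSite=Lax stops most cross-site form submissions.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Strict mode: only accept session ids this server issued, so an id
    // planted in the victim's browser beforehand (fixation) is rejected.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Call once the username/password have been verified (login.php).
function loginUser(int $userId): void
{
    // Replace the pre-login session id so it is never promoted to an
    // authenticated one; true deletes the old session file.
    session_regenerate_id(true);
    $_SESSION['id']   = $userId;
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// Top of every restricted page: redirect and STOP when not logged in.
// Without exit, PHP keeps rendering the protected content after the
// Location header, which is the gap in the plain header() check.
function requireLogin(): int
{
    if (!isset($_SESSION['id'])) {
        header('Location: index.php');
        exit;
    }
    return (int) $_SESSION['id'];
}

// Embed in each state-changing form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') . '">';
}

// Validate on POST before doing anything; constant-time compare.
function checkCsrf(): void
{
    $sent = $_POST['csrf'] ?? '';
    if (!is_string($sent) || !isset($_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Restricted page:
// startSecureSession();
// $userId = requireLogin();
// if ($_SERVER['REQUEST_METHOD'] === 'POST') { checkCsrf(); /* handle form */ }
```

The two pieces that the bare isset() check lacks are session_regenerate_id() at login (so a session id an attacker already knows never becomes an authenticated one) and a per-session CSRF token checked with hash_equals() on every state-changing POST.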
kipp
Forum Commoner
Posts: 27
Joined: Fri Jan 09, 2009 1:25 pm

Re: Basics of create PHP sessions after login

Post by kipp »

Any good readings on how to protect against those?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Basics of create PHP sessions after login

Post by kaisellgren »

kipp wrote: Any good readings on how to protect against those?

http://forums.devnetwork.net/search.php?keywords=session&terms=all&author=&fid[]=34&sc=1&sf=titleonly&sr=topics&sk=t&sd=d&st=0&ch=300&t=0&submit=Search