
Currently what I do is store the user's username after a successful login into a session variable.

$_SESSION['session_loggedin'] = $post_username;

$post_username is the POST value from the submit form.

Then I use this session variable to check if it is set, to see if a user is logged in. I use the value of this variable to show user-specific content.

    <?php
    if (isset($_SESSION['session_loggedin'])) {
        ?>
        <a href="logout.php">LOGOUT</a>
        <?php
    }
    ?>

Is this how sessions are meant to be used? Is this a right way to securely show content? How do I prevent hijacking?

Thanks

  • The best way is to store a hashcode linked to the user in your DB, and store this hash in your session – Timmetje Aug 17 '14 at 06:59
  • This may be useful for information about many issues to be considered: **[244882/what-is-the-best-way-to-implement-remember-me-for-a-website](http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website).** – Ryan Vincent Aug 22 '14 at 16:33

2 Answers


You're almost there! But you are supposed to store the user's id in the session. You query the database where username is equal to the POSTed username and password is equal to the POSTed password, then count the number of rows returned! From there you store the user's id in the session.

Richie

To see how PHP sessions are used please go to: http://www.w3schools.com/php/php_sessions.asp . No, since I could go onto your other pages (assuming you have some) and insert a username, i.e. if John Smith logged in with a password: password, that's fine, but I could go onto your website and put John Smith as $_SESSION['session_loggedin'] and be away with his account. You may ask, but how will he know about $_SESSION['session_loggedin']? If he is smart, he would create a user and capture the sessions and see what he needs to input to gain control of another account. Instead of a username I would recommend a hashcode!

See this for hijacking: What is the best way to prevent session hijacking?

Asim Poptani
  • Hey @Richie, that's a worse idea (sorry, I do not have enough rep to comment on your post) since you could change $_SESSION['session_loggedin'] into whatever person you would like; it would be MADNESS! – Asim Poptani Aug 17 '14 at 07:06
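An added example of the pattern the comments and answers recommend (keep the user's id in the session after a verified login, not the username), not code from the question or either answer. It assumes a PDO connection `$pdo` and a hypothetical `users` table with `id`, `username` and `password_hash` columns, and uses `password_verify()` plus `session_regenerate_id()` so that a session id fixed before login cannot be reused; `$_SESSION` itself lives server-side, so what a visitor can actually steal is the session cookie, which the cookie settings below harden.

```php
<?php
// Added example (not from the question or answers). Assumes $pdo (PDO) and a
// hypothetical `users` table: id, username, password_hash (from password_hash()).
ini_set('session.cookie_httponly', '1'); // cookie not readable by page scripts
ini_set('session.cookie_secure', '1');   // cookie only sent over HTTPS
ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
session_start();

// login.php: verify credentials, then store only the user's id in the session.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against the stored hash; plaintext passwords are never stored.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // New session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Any protected page: the server-side session is the only source of truth,
// so user-specific content is looked up by id, never taken from the client.
function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

// logout.php: clear server-side state and expire the session cookie.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```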