
I googled to solve my question, but every site explains my problem in a different way, so I feel very confused!

I built a PHP site in this way.

index.php:

In this page I get the username and password from the login form and, after checking that the user really exists, I save them first in a variable and then in the session.

```php
$_SESSION['user'] = $user;
$_SESSION['psw']  = $psw;
```

Now I would like to show this page ONLY if the user is logged in, so I would do something like this:

first_page.php:

```php
<?php

// closing parenthesis of the condition was missing in the original snippet
if (isset($_SESSION['user']) && isset($_SESSION['user']) != "" && isset($_SESSION['psw']) && isset($_SESSION['psw']) != "") {
    // show page site
} else {
    // go to index.php
}

?>
```

and insert this if-else block in every page of the site.

Is this procedure correct?
Do I need to call session_start(); in every page or just in index.php?
How long until $_SESSION['user'] and $_SESSION['psw'] expire?

Since the site needs $_SESSION['user'] for many features, I need to be sure that when a user navigates the site those session variables are set.

Thanks for your support; I feel very confused about it.

  • `$_Session` is an outright syntax error. It's a superglobal. Read up on it http://php.net/manual/en/language.variables.superglobals.php and compare their syntax with what you have. – Funk Forty Niner Feb 25 '16 at 15:13
  • never store sensitive information in `$_SESSION` – Rossco Feb 25 '16 at 15:14
  • oh so now you went and edited that. did you start the session? – Funk Forty Niner Feb 25 '16 at 15:14
  • *"I need to introduce session_start(); in any page or just in index.php?"* - why not start with the manual http://php.net/manual/en/function.session-start.php - it speaks for itself. – Funk Forty Niner Feb 25 '16 at 15:15
  • I'm asking this because I noticed that if I comment out the line `session_start();` in other pages I don't receive any error and I can navigate the site just the same... – Francesco L. Feb 25 '16 at 15:18
  • *"I didn't receive any error"* - you didn't get an error because your system's either not setup to catch those, or you didn't use error reporting. http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner Feb 25 '16 at 15:18
  • @Rossco what is a good practice to keep the user's login (to navigate the site) without using $_SESSION variables? – Francesco L. Feb 25 '16 at 15:23
  • thanks @Fred -ii-, I discovered this function right now. – Francesco L. Feb 25 '16 at 15:25
  • @andre3wap why are you trying to set OP's code back to `$_Session` in an edit http://stackoverflow.com/review/suggested-edits/11406182 are you mad? Edit rejected. Please don't do that. – Funk Forty Niner Feb 25 '16 at 15:29
  • and @Alexei you're no better, approving the edit http://stackoverflow.com/review/suggested-edits/11406182 don't you know what a superglobal is? or php for that matter. – Funk Forty Niner Feb 25 '16 at 15:30
  • ok, I give up. let the edit go, I'm done here. *ciao tutti!!* – Funk Forty Niner Feb 25 '16 at 15:45
  • @andre3wap Let's call it a *"Communication Breakdown"* then. Great Zeppelin song though ;-) – Funk Forty Niner Feb 25 '16 at 16:29

3 Answers


You must add session_start() in every single page where you use $_SESSION. It expires when you leave the site.

Answered by xpytlosz (edited by Phiter)
  • I'm asking this because I noticed that if I comment out the line `session_start();` in other pages I don't receive any error and I can navigate the site just the same... without errors. About the second answer, when you say "It expires when you leave the site", do you mean log off? thanks! – Francesco L. Feb 25 '16 at 15:20
  • *"It expires when you leave the site."* - You mean "when you close the browser" or when the session time/session life runs out or has been destroyed. – Funk Forty Niner Feb 25 '16 at 15:26
  • @FrancescoL. I've answered that in 2 ways ^ – Funk Forty Niner Feb 25 '16 at 15:28
  • Perfect, I would like to know this properly: "when the session time/session life runs out". How can I determine this time? If I log in to the site and (without clicking the logout button) re-enter the site 2 hours later, have those session variables been destroyed? – Francesco L. Feb 25 '16 at 15:31
  • @FrancescoL. that's up to the answerer to take it from here. seeing they already got an upvote for their answer, I'd only be a 3rd wheel here ;-) – Funk Forty Niner Feb 25 '16 at 15:32
  • seems we're not getting much *"after-sales service"* here, huh? – Funk Forty Niner Feb 25 '16 at 15:35
  • Sorry @Fred-ii-... I don't know what is happening... you wrote: andre3wap, Alexei, downvote... I don't understand anything. I was just asking something to improve my site :( – Francesco L. Feb 25 '16 at 15:37
  • @FrancescoL. andre3wap is wanting to edit your question's code in a suggested edit http://stackoverflow.com/review/suggested-edits/11406182 where it should be refused. One person approved it, and I have no idea why. I and someone else refused it. It clearly would change your code/question in a bad way. Not too "molto bene" ;-) – Funk Forty Niner Feb 25 '16 at 15:40
  • Ok, now I understand. So thanks. Anyway I noticed that some PHP code has been removed from my post by someone! Maybe that is the reason I got -3 votes. – Francesco L. Feb 25 '16 at 15:44
  • @FrancescoL. just goes to show how some think they're doing good, but do more harm than anything. *c'è troppo confusione per io*. - *sigh*. Gotta go, *ciao* – Funk Forty Niner Feb 25 '16 at 15:50
  • thanks @Fred-ii- for your reply and support. According to you, is it good practice to do this in every page of my PHP site? `if(isset($_SESSION['user']) && isset($_SESSION['user'])!="" && isset($_SESSION['psw']) && isset($_SESSION['psw'])!=""){ // show page site } else // go to index.php ?>` – Francesco L. Feb 25 '16 at 15:52


Don't store a password in a session: without changing the session handler, session data is stored as plain text outside the web root. This means anyone who has access to the system can read the session data.

The way to know whether a valid login occurred is a query like: `$sql = "SELECT id FROM users WHERE username = 'username' AND password = 'hashedpassword'"` (the `FROM` clause was missing in the original; `users` stands in for your table name)

If an id is returned it means the user successfully logged in; store that ID in the session. Then validate whether the session continues by checking if the ID is set. Keep in mind that after raising privileges it is recommended to change the session id as well; that can be done with session_regenerate_id(), which adds protection against session fixation attacks.

At the beginning of each script that needs to read data from a session, use session_start(); use session_destroy() to remove all data stored in that session (usually on logout).

Answered by Xorifelse
  • Thanks for your support @Xorifelse! What do you think about this in every page of my site? `if(isset($_SESSION['user']) && isset($_SESSION['user'])!="" && isset($_SESSION['psw']) && isset($_SESSION['psw'])!=""){ // show page site } else // go to index.php ?>` Is it correct to do this? – Francesco L. Feb 25 '16 at 16:06
  • It is not: `isset($varname)` returns true if the variable is `not null`; you cannot compare it with a string, `isset($_SESSION['user'])!=""`, as this will always fail. – Xorifelse Feb 25 '16 at 16:09
  • Well, so you mean to check only this: `if( isset($_SESSION['id']))`; if true show the page, else return to index. Without saving username and password. Right? – Francesco L. Feb 25 '16 at 16:12
  • Yes, you understand it correctly. Just `if(isset($_SESSION['id'])){/* code here */}` would suffice. However you can also store a username in a session if you so prefer. However the ID is useful for database table joins. – Xorifelse Feb 25 '16 at 16:13
  • Thanks! Another thing that I asked is: when does this $_SESSION['iduser'] expire? If I log in to my site and I don't click on the logout button, how many hours later will this variable be destroyed? – Francesco L. Feb 25 '16 at 16:16
  • That can be set in the [php.ini](http://stackoverflow.com/questions/3476538/php-sessions-timing-out-too-quickly) – Xorifelse Feb 25 '16 at 16:18
  • Could this solution be better? `if ((isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) && $_SESSION['iduser']!=NULL) { // last request was more than 30 minutes ago session_unset(); session_destroy(); // destroy session data in storage } $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp` And put this code at the top of every page of the site? (taken from here: http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes) – Francesco L. Feb 26 '16 at 08:28
  • Essentially it's the same method I personally use; it allows for more flexible code. You could also add cookie code so that the user can set his own inactivity time at login. But it's all about what suits your needs. – Xorifelse Feb 26 '16 at 23:28
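The following is an added example (not code from the question or from Xorifelse's answer) showing the answer's advice in one place: only the user's id goes into the session, the password is checked against a stored hash, the session id is regenerated after login, and protected pages check `isset($_SESSION['id'])` alone. It assumes a PDO connection in `$pdo` and a `users` table with columns `id`, `username` and `password_hash` (bcrypt from `password_hash()`); none of those names come from the page.

```php
<?php
// Added example, not from the question or the answers.
// Assumed (not on the page): $pdo is a PDO connection; table `users` has
// columns id, username, password_hash where password_hash was produced by password_hash().
declare(strict_types=1);

// Harden the session cookie before the session starts (PHP >= 7.3 array form).
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Verify credentials; on success bind the user id to a freshly generated session id. */
function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against the stored hash in constant time;
    // the plaintext password is never stored anywhere, the session included.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Privilege level changed, so issue a new session id (the session fixation
    // point from the answer) and delete the old session file.
    session_regenerate_id(true);
    $_SESSION['id'] = (int) $row['id'];
    return true;
}

/** Guard to include at the top of every protected page, after session_start(). */
function requireLogin(): void
{
    // isset() alone is the check. Comparing isset()'s boolean result with "",
    // as the question's snippet does, adds nothing and hides the intent.
    if (!isset($_SESSION['id'])) {
        header('Location: index.php');
        exit; // stop here, otherwise the protected content below would still be rendered
    }
}

/** Logout: clear the data, expire the cookie, destroy the server-side record. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Every page that calls `requireLogin()` still needs its own `session_start()` first (the first answer's point): without it `$_SESSION` is simply an empty array and the guard redirects every visitor, which is why a missing `session_start()` produces no error message, only a site that never recognises the login.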
If I put the following script at the top of every page, could that be a good solution? Or is there something wrong?

```php
<?php
session_start(); // the session must be open before $_SESSION can be read

// empty() also covers the case where 'iduser' was never set (no notice is raised)
if ((isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) || empty($_SESSION['iduser'])) {
    // last request was more than 30 minutes ago, or the user is not logged in
    session_unset();
    session_destroy(); // destroy session data in storage
    header('Location: index.php'); // redirect the user to the index page
    exit; // without this the rest of the page would still be sent
}

$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
/* Code for the rest of my page HTML */
```

(taken from here: How do I expire a PHP session after 30 minutes?)
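The block below is an added example, not the original post's code, that takes the inactivity check from this answer and combines it with the points raised in the comments on the previous answer: the guard must terminate the request when it fires, the "not logged in" test must not raise a notice when the key is absent, and a session that is kept alive by steady clicking should still have an upper bound. The variable name `iduser` is the one used in this answer; `CREATED` and the 8-hour absolute limit are assumptions added here.

```php
<?php
// Added example, not the post's own code. Assumes the login code stored the user's
// id in $_SESSION['iduser']; the names CREATED and the limits below are assumed.
declare(strict_types=1);

const IDLE_LIMIT     = 1800;     // 30 minutes without a request (from the answer)
const ABSOLUTE_LIMIT = 8 * 3600; // hard cap even for an active user (assumed value)

session_start();

/** Wipe the session and stop the request; nothing after this line is rendered. */
function endSession(string $redirectTo = 'index.php'): void
{
    session_unset();
    session_destroy();
    header('Location: ' . $redirectTo);
    exit;
}

/**
 * Returns true when the session is still valid, false when it must be ended.
 * Pure function of the session array and the current time so it can be reasoned
 * about without a running server.
 */
function sessionIsValid(array $session, int $now): bool
{
    // Not logged in: empty() is false for a missing key, null, 0 and "" alike,
    // and unlike $session['iduser'] == NULL it raises no "undefined index" notice.
    if (empty($session['iduser'])) {
        return false;
    }
    // Idle timeout: last request too long ago.
    if (isset($session['LAST_ACTIVITY']) && ($now - $session['LAST_ACTIVITY']) > IDLE_LIMIT) {
        return false;
    }
    // Absolute timeout: session older than the cap, however active.
    if (isset($session['CREATED']) && ($now - $session['CREATED']) > ABSOLUTE_LIMIT) {
        return false;
    }
    return true;
}

$now = time();

if (!sessionIsValid($_SESSION, $now)) {
    endSession();
}

// First request after login: record when the session was created.
if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = $now;
}
$_SESSION['LAST_ACTIVITY'] = $now; // update last activity time stamp

/* protected page content follows */
```

Two things the comparison in the original snippet does not cover: `session.gc_maxlifetime` (1440 seconds by default) lets PHP's garbage collector delete the server-side session data on its own schedule, so a user can be logged out earlier than the 30 minutes this code enforces unless that setting is raised to match; and the check runs before any output, which is what lets `header('Location: ...')` work.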
