
I am struggling with PHP login and user validation after they log on to the system. I know the basics but I'm not sure if I'm doing it right. I will try to explain it step by step.

  1. I have a form for user name and password.
  2. After users enter their login and password I'm using LDAP authentication to authorize them. And if authentication passes then I need to start a new session.
  3. New session (and this is where I'm struggling).

    if ($validation->ldap_authentication())
    {
        $session = new session();
        $session->login($validation->getUsername(), $validation->logedAs(), $validation->getSID());
        if ($session->validate_login())
        {
            // Send the redirect header, then stop the script so nothing
            // after the redirect is executed or sent to the browser.
            header('Location: index2.php');
            exit;
        }
        else
        {
            echo 'error';
        }
    }
    

And my session class:

class session
{
    public function __construct()
    {
        // SESSIONNAME is a constant defined elsewhere in the application.
        if (!isset($_SESSION)) {
            session_name(SESSIONNAME);
            ob_start();
            session_start();
        } else {
            session_regenerate_id(true);
        }
    }

    // Store the values returned by the LDAP validation in the session.
    public function login($sessionUserName, $logedAs, $sid)
    {
        $_SESSION['logedUserName'] = isset($sessionUserName) ? $sessionUserName : null;
        $_SESSION['logedAs'] = isset($logedAs) ? $logedAs : null;
        $_SESSION['sid'] = isset($sid) ? $sid : null;
    }

    // A login counts as valid when all three values are present and non-empty.
    public function validate_login()
    {
        if (!isset($_SESSION['logedUserName']) || trim($_SESSION['logedUserName']) == '' ||
            !isset($_SESSION['logedAs'])       || trim($_SESSION['logedAs']) == ''       ||
            !isset($_SESSION['sid'])           || trim($_SESSION['sid']) == '') {
            return false;
        }
        return true;
    }
}

  1. So on the other pages I need to instantiate the session class (again) and call validate_login()?
  2. To me it looks like really poor authentication.

What do I need to add and improve?

I already searched online but couldn't find an answer and don't know what exactly I need to improve.

mfaani
  • First: I don't get why you are doing `ob_start()` only when no session is set. Second, `session_regenerate_id()` should only be called once per request; your code does it on every new instance of `session`. http://stackoverflow.com/questions/22965067/when-and-why-i-should-use-session-regenerate-id#22965580 – JustOnUnderMillions Feb 20 '17 at 15:29
  • I would suggest you go through the concept of sessions once. All you need to do is check whether the session exists or not; if not, redirect to the login screen, and if yes, redirect to index or wherever you want. You can add a check that if `$_SESSION['logedUserName']` is empty then show the login screen, else go ahead. – Aatman Feb 20 '17 at 15:35
  • @JustOnUnderMillions so if I understand, I need to call `session_regenerate_id(true)` if validate_login is true? – user3686909 Feb 20 '17 at 15:43
  • Not really, you can use `session_regenerate_id(true)` to secure your session more, but it is not really needed. Read the Q&A in the link above. – JustOnUnderMillions Feb 20 '17 at 15:57
  • @user3686909 Or better: if you use `session_regenerate_id(true);` the next page request gets a new session cookie with a new id. So the session cannot be hacked. So you can do a `session_regenerate_id(true);` once per request, regardless of whether a user has logged in or not. Hope that makes it clear. – JustOnUnderMillions Feb 20 '17 at 16:00
  • @JustOnUnderMillions OK thanks, I will try to get more info about that. How about validation? Is it enough to check if the session values are set, or do I need to add more? I'm talking about validate_login() – user3686909 Feb 20 '17 at 16:29
  • `validate_login()`: for that, read the only answer. Basically you need only one field in SESSION to check if the user is logged in. A bigger problem is something like the idle time of a user. Let's say a user logs in and does nothing for 2 hours and then clicks a link on the page; is he still logged in? Depends on your logic! And for the rest, please open a new question then. Bye. Read more here: http://stackoverflow.com/questions/16889995/simple-login-session-php and google – JustOnUnderMillions Feb 20 '17 at 16:39

1 Answer


I'm a beginner in PHP, so my answer might be worthless.

I think you can trust the variables stored in $_SESSION as only the server can access them. So you could have a boolean $_SESSION['loggedIn'] that lets you know that the user has gone through the login process successfully, and this variable would be accessible from any page.

Sylvain
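Pulling the thread together (the asker's three steps, the answer's single `loggedIn` flag, and the comments about `session_regenerate_id()` and idle time), here is an added example of a session helper that does all of that. It is not code from the question or the answer. It assumes PHP 7.3 or newer (for the array form of `session_set_cookie_params()`), a cookie name `APPSESSID`, a 30 minute idle limit, and an authenticator object like the asker's `$validation` with `ldap_authentication()` and `getUsername()`; the page names `login.php` and `index2.php` are taken from the question.

```php
<?php
// Added example, not from the question or the answer above.
// Assumptions: PHP >= 7.3; cookie name, idle limit and rotation interval are
// policy choices picked for the example; $validation is the asker's object.
declare(strict_types=1);

final class UserSession
{
    private const NAME        = 'APPSESSID';  // assumed cookie name
    private const IDLE_LIMIT  = 30 * 60;      // assumed: log out after 30 min idle
    private const REGEN_EVERY = 15 * 60;      // assumed: rotate the id every 15 min

    public function __construct()
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return;                           // start the session at most once per request
        }
        session_name(self::NAME);
        session_set_cookie_params([
            'lifetime' => 0,                  // browser-session cookie
            'path'     => '/',
            'secure'   => true,               // only sent over HTTPS
            'httponly' => true,               // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
        session_start();
    }

    /** Call once, right after LDAP authentication succeeded. */
    public function login(string $username): void
    {
        // Fresh id on the privilege change: an id handed to the victim before
        // login (session fixation) never becomes an authenticated session.
        session_regenerate_id(true);
        $now = time();
        $_SESSION = [
            'loggedIn'     => true,           // the single flag the answer suggests
            'username'     => $username,
            'loginTime'    => $now,
            'lastActivity' => $now,
            'lastRegen'    => $now,
        ];
    }

    /** True if the user is logged in and has not been idle too long. */
    public function isLoggedIn(): bool
    {
        if (empty($_SESSION['loggedIn'])) {
            return false;
        }
        $now = time();
        if ($now - ($_SESSION['lastActivity'] ?? 0) > self::IDLE_LIMIT) {
            $this->logout();                  // idle too long: drop the session
            return false;
        }
        $_SESSION['lastActivity'] = $now;
        if ($now - ($_SESSION['lastRegen'] ?? 0) > self::REGEN_EVERY) {
            session_regenerate_id(true);      // bounds the usefulness of a stolen id
            $_SESSION['lastRegen'] = $now;
        }
        return true;
    }

    public function username(): ?string
    {
        return $_SESSION['username'] ?? null;
    }

    /** Destroy the server-side state and expire the cookie. */
    public function logout(): void
    {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            setcookie(session_name(), '', time() - 42000, '/', '', true, true);
        }
        session_destroy();
    }

    /** Put this at the top of every protected page. */
    public function requireLogin(string $loginPage = 'login.php'): void
    {
        if (!$this->isLoggedIn()) {
            header('Location: ' . $loginPage);
            exit;
        }
    }
}

// --- login.php, after the form was submitted (assumed $validation object) ---
// $session = new UserSession();
// if ($validation->ldap_authentication()) {
//     $session->login($validation->getUsername());
//     header('Location: index2.php');
//     exit;
// }
// echo 'error';

// --- index2.php, or any other protected page ---
// $session = new UserSession();
// $session->requireLogin();
// echo 'Hello, ' . htmlspecialchars($session->username(), ENT_QUOTES, 'UTF-8');
```

Two design points follow from the comments above. `session_regenerate_id(true)` is called on the login event and then only on a timer, not on every `new` of the class, and `isLoggedIn()` is the single check every protected page runs, so the idle-time question ("does nothing for 2 hours, then clicks a link") has one answer in one place. The `ob_start()` from the original class is not needed: as long as `header()` is called before the page prints anything, the redirect works without output buffering.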