
I made a dummy website where I store some data in sessionStorage and change features of the interface based on that. I know this is not secure at all, so I am curious how that is done in real life?

Here is a snippet of my code so you can get an idea of what it's about. I am using PHP on the server side. Would it be the way to go with PHP $_SESSION in this scenario?

function sessionUser() {

    // for ADMIN view
    if ( sessionStorage.getItem( 'role' ) == "admin" ) {
        showWelcomeMessage();
        showAdminInterface();
        getProductData();
        getUserData();
        getSubscriberData();
    }

    // for USER view
    if ( sessionStorage.getItem( 'role' ) == "user" ) {
        showWelcomeMessage();
        showUserInterface();
        getProductData();
    }
}
codeDragon
  • Uhm..... nnnno. You cannot access the browser html5 storage like that in php. – IncredibleHat Feb 01 '18 at 16:05
  • 1
    @IncredibleHat I think they are saying would they use `$_SESSION` instead of session storage – Pete Feb 01 '18 at 16:06
  • @Pete ... ah. Yeah, that would make more sense lol ;) – IncredibleHat Feb 01 '18 at 16:07
  • Do I need to access that, in order to do what I want to do ? I just need an alternative. – codeDragon Feb 01 '18 at 16:07
  • 1
    I would go with the php session but make sure it's secured: https://stackoverflow.com/questions/5081025/php-session-fixation-hijacking – Pete Feb 01 '18 at 16:07
  • The article @Pete linked is a good one to clamp down the php sessions. It's a real solid start. If your site will be SSL'd (https), then forcing the session cookie to `secure` and `httponly` is something you should do too. – IncredibleHat Feb 01 '18 at 16:14

1 Answer


If you would like to use PHP in this scenario, you could use $_SESSION['role'] analogously to sessionStorage.getItem('role'), but in a PHP script on the server side. Depending on the session value in PHP you can process the template you want to show to the user, either with plain PHP or by using one of the existing template engines like Twig or Blade. Or if you would like to send just API data to the user instead of the whole templates, you can do that as well by conditioning the data on values stored in the $_SESSION variable. There is really not too much difference; the most important difference is that no one can easily see the values of a session stored on the server side (unless someone stole your cookies, which are used to identify sessions with browsers, and pretended to be you), so in a server-side session you can store more confidential data, including tokens. Other differences are in lifetime and expiration triggers.

Jacek Dziurdzikowski
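As an added example (not code from the question or the answer), this is how the role check from the question moves to the server with $_SESSION, combined with the cookie hardening and session-fixation advice from the comments. It assumes a prior login step has already verified the user; loginAs, currentRole, buildDashboardData and the data loaders are hypothetical names, and the loaders return constructed placeholder data.

```php
<?php
// Added example, not from the question or answer. Assumes the user was already
// authenticated before loginAs() is called; helper names are hypothetical.

// Harden the session cookie before the session starts (array form needs PHP >= 7.3).
session_set_cookie_params([
    'lifetime' => 0,          // session cookie, expires when the browser closes
    'path'     => '/',
    'secure'   => true,       // only sent over HTTPS
    'httponly' => true,       // not readable from JavaScript (unlike sessionStorage)
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
session_start();

// Called once, after the login check succeeds. Regenerating the ID prevents
// session fixation: a pre-login ID chosen by an attacker is never promoted.
function loginAs(int $userId, string $role): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['role']    = $role; // 'admin' or 'user', decided by the server only
}

function currentRole(): string
{
    return $_SESSION['role'] ?? 'guest';
}

// Build the JSON payload the page is allowed to receive. The role check lives
// here, on the server, so the client cannot unlock admin data by editing storage.
function buildDashboardData(): array
{
    $data = ['welcome' => true, 'products' => getProductData()];
    if (currentRole() === 'admin') {
        $data['users']       = getUserData();
        $data['subscribers'] = getSubscriberData();
    }
    return $data;
}

// Placeholder data loaders (constructed sample data; replace with real queries).
function getProductData(): array    { return ['product-1', 'product-2']; }
function getUserData(): array       { return ['alice', 'bob']; }
function getSubscriberData(): array { return ['alice@example.com']; }

header('Content-Type: application/json');
echo json_encode(buildDashboardData());
```

The browser-side code then only renders what this endpoint returns; a user who edits sessionStorage to "admin" still receives the user-level payload because the role is read from the server session.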