
I am a beginner in web development and I am creating my first project. I am using XAMPP for my PHP files. I have basically created app.php and signin.php. So in order to prevent users from directly accessing my app.php I am using session variables in PHP. Hence I added the following PHP code just before my app.php.

```php
<?php
    session_start();

    if(!isset($_SESSION['loginstatus'])) {
        header('location:./login.php');
        die();
    }
?>
```

And I am setting my session variables in my signin.php like the following:

```php
// Assumes session_start() has already been called earlier in signin.php;
// without it nothing written to $_SESSION is persisted.
if($user['username'] == $username && $user['password'] == $password) {
    $_SESSION['username'] = $username;
    $_SESSION['loginstatus'] = 'success';

    // header() must be called before any output is sent to the browser,
    // so the "success!" echo that preceded it has been dropped.
    header('location:../app.php');
    exit; // stop the script so nothing after the redirect is executed
}
```

Now I tried accessing my app.php without logging in, and I was still able to access app.php. To check where the issue is I cleared my browser history and cookies, then tried accessing app.php, and surprisingly it worked: I was actually redirected to the login page. But as soon as I do my first successful login, log out and again try to access app.php without logging in, I am once more able to access app.php without login.

Now for some reason I feel that my browser is saving the session variables too, so to check that I wrote a small piece of code and pasted it into my app.php:

```php
<?php
    var_dump($_SESSION['loginstatus']);
?>
```

After the first successful login my `$_SESSION['loginstatus']` is always set to success. Now, as I said, I am a beginner; what I learnt is that sessions are stored on the server side. So I am totally confused about this.

Ayush Mishra
  • **WARNING**: Writing an access control layer is not easy and there are many opportunities to get it severely wrong. Any modern [development framework](https://www.cloudways.com/blog/best-php-frameworks/) like [Laravel](http://laravel.com/) comes with an [authentication system](https://laravel.com/docs/master/authentication) built-in, and there are [authentication libraries](http://phprbac.net/) you can use. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text** or a weak hash like **SHA1 or MD5**. – tadman May 14 '20 at 18:45
  • Once set, unless you explicitly clear your session or otherwise change that value it will stay set. `$_SESSION` should be bound to a cookie, so if you cleared them it *should* be gone, but perhaps you didn't clear out the right ones. – tadman May 14 '20 at 18:46
  • @tadman Where should I clear the session? I am doing session_destroy() in my logout.php file. – Ayush Mishra May 14 '20 at 18:49
  • If this is just academic code for learning then you've got a lot of learning to do, so I hope you're ready for that. If instead your goal is to make a production site then this is the wrong way to go about doing it; you're making huge mistakes here that must be avoided. If you want to learn about how to implement an authentication system, start by studying how others work, and of course [learn about the threats you need to protect against](https://owasp.org/www-project-cheat-sheets/). – tadman May 14 '20 at 18:49
  • I am just doing it for learning purposes, not for production or any serious development. – Ayush Mishra May 14 '20 at 18:50

2 Answers


There is a cookie in your web browser, "PHPSESSID", which stores the id of the session on the server. In normal cases you destroy the session at logout:

  • `session_unset();` unsets all session variables
  • `session_destroy();` destroys the session

The Session will timeout after time X. You can change it, described here -> Link

So if you have a cookie in your browser with a valid id of a session that has not timed out, you will always be able to log in.

tboom
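A logout.php that does what this answer describes, as an added example (not the answerer's or the asker's code): it clears the server-side data, expires the PHPSESSID cookie so the browser stops presenting the old id, and then redirects. It assumes login.php sits in the same directory and PHP 7.3 or later for the setcookie() options array.

```php
<?php
// logout.php -- added example. Fully ends the current session.
// Assumption: login.php is in the same directory as this file.

session_start();   // required first: session_destroy() without an active session does nothing

// 1. Drop all session variables (equivalent to session_unset()).
$_SESSION = [];

// 2. Expire the session cookie in the browser. Without this step the
//    browser keeps sending the old PHPSESSID; the server will have no
//    data for it any more, but reusing the same id is still undesirable.
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,          // a time in the past deletes the cookie
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],     // PHP 7.3+
    ]);
}

// 3. Remove the session data on the server.
session_destroy();

// 4. Send the user back to the login page and stop executing.
header('Location: ./login.php');
exit;
```

After this, the guard in app.php (`!isset($_SESSION['loginstatus'])`) will redirect again, because a fresh request carries either no session cookie or an id the server no longer knows.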

So basically, go to browser settings > Privacy and security > More > "Preload pages for faster browsing and searching".

I just disabled this default setting in Chrome, and it started working as expected.

Ayush Mishra