Andrew

Reputation: 7768

track sessions in PHP - am I doing it right?

I am a first-time PHP developer.

I track sessions this way:

<?php
session_start();
// Deny access unless the session holds a user object with an iduser property.
if (!isset($_SESSION['user']->iduser)) {
    die('Access denied. <br><a href=login.php>Please login</a>');
}

Is that the correct approach?

Upvotes: 0

Views: 87

Answers (2)

newfurniturey

Reputation: 38416

Your code makes it seem as though you're storing an entire object into a session-variable which would not be a great idea (could take up a lot of space, stores way too much data, is it even possible without serialize/unserialize?).

Also, if your user hasn't been authenticated yet your code would throw a warning because $_SESSION['user'] isn't set yet - so by checking for $_SESSION['user']->iduser, you'd be checking for a property/value on a null object. Your code should check if (isset($_SESSION['user'])) {, and then possibly validate on that.

I would recommend just storing the "essentials" in the session such as the user's ID/username and encrypted password. Then, during each page load you re-validate the information against the database. It's an extra query on each page-load, but it's worth it (in my opinion).

Upvotes: 2

Jesse Bunch

Reputation: 6679

I think you're really asking this question:

Is it OK to identify a user by their unique ID in the session?

My Answer: Yes. This is frequently how it's done and will work fine in the session. I wouldn't do it this way using cookies, but in the server-side session storage it should be fine.

Upvotes: 1
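The two answers above describe the same pattern: keep only the user's unique ID in the server-side session (Jesse Bunch) and re-validate it against the database on each page load (newfurniturey). The following is an added example written for this page, not code from the question or either answer. It assumes a PDO connection in $pdo and a hypothetical `users` table with columns iduser, username, password_hash (produced by password_hash()) and active; it stores only the ID in the session rather than any password material, and it regenerates the session ID at login so a session fixed by an attacker before authentication is not carried over.

```php
<?php
// Added example: session handling that stores only the user ID and
// re-checks it against the database on every protected request.
// Assumptions (not from the original page): a PDO connection in $pdo and a
// table `users` (iduser, username, password_hash, active).
declare(strict_types=1);

// Cookie hardening must happen before session_start(). 'secure' assumes the
// site is served over HTTPS. The array form needs PHP 7.3 or later.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Verify the password and, on success, store only the user's ID.
 * Regenerating the session ID defeats session fixation.
 */
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT iduser, password_hash FROM users WHERE username = ? AND active = 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);
    $_SESSION['iduser'] = (int) $row['iduser'];
    return true;
}

/**
 * Call at the top of every protected page. Returns the current user row,
 * or stops the script with a link to the login page.
 */
function requireLogin(PDO $pdo): array
{
    // isset() on a missing key is safe; no property of an unset object is touched.
    if (!isset($_SESSION['iduser']) || !is_int($_SESSION['iduser'])) {
        denyAccess();
    }

    // Re-validate: the account may have been disabled or deleted since login.
    $stmt = $pdo->prepare(
        'SELECT iduser, username FROM users WHERE iduser = ? AND active = 1'
    );
    $stmt->execute([$_SESSION['iduser']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        // Stale session: discard it entirely rather than leaving the ID behind.
        logout();
        denyAccess();
    }
    return $user;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

function denyAccess(): void
{
    http_response_code(403);
    exit('Access denied. <br><a href="login.php">Please login</a>');
}

// Usage on a protected page (assumes $pdo was created elsewhere):
// $user = requireLogin($pdo);
// echo 'Hello, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
```

The extra query per request is the price of being able to revoke access immediately (disable the account, and every existing session stops working on the next page load); a session that only trusts what it stored at login cannot do that.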
