Reputation: 766
I'm attempting to implement basic session handling as follows:
PHP File 1 - login: after various checks for the user and password etc. in the database, I would like to give this user a session
<?php
...
session_start();
PHP File 2 - before executing any logic in file 2, I would like to see if a valid session exists for the session that I believe would exist in the request's PHPSESSID header?
<?php
// session_id() is read without any session_start() in this file
$sessionID = session_id();
if ($sessionID === '') {
    echo 'no session found';
} else {
    echo 'session found.';
}
I have attempted to start a new session in PHP file 2, which will return a value, but the problem I have then is that if someone remotely attempts to execute a PHP file on my server, for example https://example.com/folder1/php/loaddata.php, they will simply be given a new session ID and be allowed to execute the file.
Upvotes: 0
Views: 1637
Reputation: 766
So based on responses from @deceze, @Difster and @blackcat I have implemented the following:
login.php
<?php
// $userName is the name that was already verified against the database
//start a session
session_start();
//add some session data
$_SESSION["logged_in"] = true;
$_SESSION["user"] = $userName;
// write the session data and release the lock on the session file
session_commit();
stuff.php
<?php
// resumes the session identified by the PHPSESSID cookie (or starts an empty one)
session_start();
if ((isset($_SESSION["user"])) && (isset($_SESSION["logged_in"]))) {
    echo ('You shall pass:' . $_SESSION["user"]);
    //stuff.php logic can start
} else {
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
Upvotes: 0
Reputation: 2200
This is a simplified explanation of the default PHP session mechanism:
When you start a session with session_start(); a unique session ID is generated and sent to the client via a session cookie, so the next time that user comes to your website he can retrieve his session data (which is stored in a file on the server) with the session ID that was sent to him in a cookie.
That is done by comparing the session ID in the cookie with the name of the file that stores the session data, which has that ID in its name.
To ensure that only a certain user can access some area of your website, you need to store a unique value in the $_SESSION global variable, for example:
<?php
session_start();
// allow only the user whose session carries the expected value
if (!isset($_SESSION["user"]) || $_SESSION["user"] !== 'someValue') {
    echo 'not allowed';
} else {
    echo 'allowed';
}
This is really a basic example; to make it more secure you need to do a lot more. You need to protect against CSRF and session hijacking/session fixation, and you need to call session_set_cookie_params() to allow only HTTP-only cookies so that they cannot be altered with JavaScript. And in the end all of this can be exploited if you are not using HTTPS; if you are, be sure to call session_set_cookie_params() to allow only secure connections (only over HTTPS).
Upvotes: 1
Reputation: 3270
You need to add session_start() under the <?php tag in file 2 also, otherwise it doesn't know about the session variables, etc.
It can be confusing though because you're not actually starting a new session, you're just continuing the existing one.
Let's clarify this more. Sessions themselves are not for authentication; they are more like a vehicle that makes it easier to track authentication across multiple web pages on the same site. Always check authentication against a user database. That being said, once a user is logged on successfully, you can do something like $_SESSION['logged_in'] = true
And that session variable is only going to apply to the user that is logged in. Then on the pages that require being logged in, you test to see if that session variable is set before loading the page; otherwise, redirect to a login screen or whatever you wish. Does that clear things up?
Upvotes: 1
Reputation: 522015
The mere presence of a session doesn't mean much. You have to start a session before you can get the session ID. PHP's default session handling doesn't really allow you fine-grained control between starting a session and resuming an existing session; so any time you call session_start, which is necessary to get "the current" session ID, a session will be started. This is not an effective way to determine whether somebody is logged in.
But, in a login system you usually need to know who is logged in anyway, so you need to store a value in the session that indicates who the user is. Simply check for the existence/correctness of that value to determine logged-inness:
<?php
session_start();
// no user recorded in this session: the request is not authenticated
if (empty($_SESSION['user'])) {
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
Upvotes: 1
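The following is an added example that is not code from any answer on this page. It puts together the two things the answers above describe: the "is there a user stored in the session" check from this answer, and the hardening the earlier answer lists (HttpOnly and Secure cookie flags, a fresh session ID on login against fixation, a CSRF token). The function names, the $_SESSION keys and the SameSite choice are my own assumptions; session_set_cookie_params() with an options array requires PHP 7.3 or later.

```php
<?php
// Added example: a small session bootstrap plus login/auth-check helpers.
// Function names and $_SESSION keys are assumptions, not from the answers.

declare(strict_types=1);

// Start (or resume) the session with hardened cookie parameters.
// Call this at the top of every page, before any output is sent.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Only send the cookie over HTTPS, hide it from JavaScript, and do not
    // attach it to cross-site requests (removes most CSRF surface).
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Accept the session ID only from the cookie, never from the URL,
    // and reject IDs the server never issued itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Call after the username/password were verified against the database.
function login_user(string $userName): void
{
    // A fresh ID defeats session fixation: whatever ID the browser carried
    // before authentication is no longer tied to the logged-in state.
    session_regenerate_id(true);
    $_SESSION['user']       = $userName;
    $_SESSION['logged_in']  = true;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Gate for pages like stuff.php: 401 unless the session carries a user.
function require_login(): string
{
    if (empty($_SESSION['logged_in']) || empty($_SESSION['user'])) {
        header('HTTP/1.0 401 Unauthorized');
        exit;
    }
    return $_SESSION['user'];
}

// Verify a CSRF token submitted with a state-changing (POST) form.
// hash_equals() compares in constant time.
function csrf_check(string $submitted): bool
{
    return isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage in login.php, after the database check succeeded:
//   secure_session_start();
//   login_user($userName);
//
// Usage in stuff.php:
//   secure_session_start();
//   $user = require_login();
//   if ($_SERVER['REQUEST_METHOD'] === 'POST'
//       && !csrf_check($_POST['csrf_token'] ?? '')) {
//       header('HTTP/1.0 403 Forbidden');
//       exit;
//   }
```

The check in require_login() is the same idea as the answer above: the session existing proves nothing, because session_start() will happily create an empty one for a stranger; only the user value written by login_user() after a successful database check means anything. The CSRF token is stored in the session and echoed into forms as a hidden field; csrf_check() then ties each POST to the session that rendered the form.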