Reputation: 1830
For background, here's my scenario:
I'm building a self-hosted platform for a particular niche, and part of that platform is the login process, which, if validated, sets a session for the user. On every administration page load, the session is started and the variable $_SESSION['key'] is checked to see if it's true.
If it's false, the user is re-directed to the login page with an error telling them to login again.
The problem is that this is dependent on a session cookie being set or not set, in the sense that when the session cookie expires, the session is started with session_start() to check $_SESSION['key'], therefore creating a new session cookie with default values (I use session_set_cookie_params() to alter the path, timeout etc.), making it impossible to re-login, as session cookies do not overwrite from what I can see.
In order to fix this I've thought about using something like session_set_cookie_params(5, ..) before session_start() when checking $_SESSION['key'], which will create a 5 second session cookie, therefore allowing a new one to be created when re-logging in, but I'm not sure whether this would work, and I'm also sure there must be a more efficient way to set/unset a session variable?
Here's my code:

Start session if validated login

```php
<?php
// Start session if validated login ($validated is the result of the credential check)
if ($validated) {
    // Cookie parameters must be set before session_start(); $server_name['home'] is the cookie domain
    session_set_cookie_params(1800, "/inst", $server_name['home']);
    session_name("_inst");
    session_start();
    $_SESSION['key'] = true;
}
```
Check if $_SESSION['key'] is still true

```php
<?php
// Check if $_SESSION['key'] is still true
session_name("_inst");
session_start();
if (empty($_SESSION['key'])) { // empty() avoids an undefined-index notice when the key was never set
    // same $server_name array as in the login code above
    header('Location: ' . $server_name['home'] . '/login/?error=1');
    exit; // stop rendering the protected page after sending the redirect header
}
```
Any answers or advice would be great, and please do ask if you need clarification on anything!
Upvotes: 0
Views: 2525
Reputation: 360562
Just issue a session_start() on all pages. This'll unconditionally create a session for you, then you can check for the presence/absence of the key:

```php
<?php
session_start();
if (!isset($_SESSION['key'])) { // never logged in, or were logged in and got logged out
    header('Location: /login/?error=1'); // redirect to login
    exit();
}
if ($_SESSION['key'] !== 'expected value') { // logged in, but no longer a valid login.
    header('Location: /login/?error=1'); // redirect to login
    exit();
}
```
You shouldn't have to mess with the session cookie settings at all. Leave them at default and simply check for the relevant key(s). If they're not there, then the user is not logged in and should be redirected.
If their session had expired and PHP cleaned up the session file, then they've been effectively logged out, even though they have an it-was-valid-at-one-point-in-time session key, and should get redirected to login again.
Upvotes: 2
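The pattern the answer describes, carried through as an added example that is neither the asker's nor the answerer's code: one helper file shared by the login handler and every admin page, checking the key server-side rather than juggling cookie lifetimes. It assumes PHP 7.3+ (array form of session_set_cookie_params), the `_inst` session name and `/inst` path from the question, and that the caller has already verified credentials before calling login_user().

```php
<?php
// Added example, not code from the original question or answer.
// Assumes PHP 7.3+ and that credentials were verified before login_user() is called.

const SESSION_NAME = '_inst';
const IDLE_TIMEOUT = 1800; // seconds of inactivity before the login is treated as expired

function start_app_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_name(SESSION_NAME);
    // Cookie hardening: HttpOnly keeps scripts away from the id, Secure limits it to TLS,
    // SameSite=Lax blunts CSRF. Lifetime stays 0 (browser session); expiry is tracked
    // server-side in require_login() instead of by shortening the cookie.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/inst',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called by the login handler once the credentials have been verified.
function login_user(string $username): void
{
    start_app_session();
    session_regenerate_id(true); // fresh id on privilege change: defeats session fixation
    $_SESSION['key'] = true;
    $_SESSION['user'] = $username;
    $_SESSION['last_seen'] = time();
}

// Called at the top of every admin page; redirects and stops the script when not logged in.
function require_login(string $login_url = '/login/?error=1'): void
{
    start_app_session();
    $expired = isset($_SESSION['last_seen']) && (time() - $_SESSION['last_seen']) > IDLE_TIMEOUT;
    if (empty($_SESSION['key']) || $expired) {
        $_SESSION = [];      // drop stale state so the next login starts clean
        session_destroy();
        header('Location: ' . $login_url);
        exit;                // without exit the protected page body would still be sent
    }
    $_SESSION['last_seen'] = time();
}
```

An expired or never-set session simply fails the isset/empty check and is redirected, so a new login writes its key into whatever session PHP started, with no need to expire the cookie first.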