I am trying to create a login system in PHP. I have 3 files: index.php, login.class.php (defines the Login class), and securePage.php.
The Login class has different functions such as getUserName(), addUser(), etc.
index.php creates a new $login object and has a login form and a create-a-new-account form.
When you create an account on the index.php page, the
$login->addUser($username, $password, $first_name, $last_name, $email); function executes, which creates a new account.
After you log in and hit submit, the script checks your username/password/etc. and redirects you to securePage.php.
After I redirect to securePage.php from login.class.php, I am not sure what's the best way to check if the user has logged in correctly and to have all the user's information handy.
Right now my securePage.php creates a new Login object
($login = new Login;) and checks if the user has access to the page by calling checkAccess() within the Login class.
    // Check if the user has access to this page, otherwise redirect to login page
    if($login->checkAccess()) {
        //blah blah blah
    } else {
        header('Location: index.php');
        exit;
    }
This is how the checkAccess function looks inside the Login class:
    public function checkAccess() {
        // check the session access (session_start() must already have been called on this page)
        if(isset($_SESSION['username']) ) {
            //
            return true;
        }
        return false;
    }
I feel this is a bad implementation because
a) I create a brand new Login object and lose my data, and
b) I only check if the session is secure by checking if the session's username is set, which can probably be faked.
What's the best way to implement securePage.php in terms of still having all the user data and checking if the user is logged in?
Session data is server-side data — it can only be faked through manually guessing PHPSESSIONID (You can read up on that here).
The way that this is normally handled is one of two ways. If HTTP Authentication is being used (which has some major benefits, BTW), then basically every time a secure transaction needs to occur, the UN/PW have to be tested. On the other hand, if the server is storing the value (say in $_SESSION or some other framework equivalent), then the server already has the data and there is no point in re-querying. If you have implemented the methods __sleep and __wakeup properly, you can simply store the entire login object in $_SESSION, which would generally be my preference.
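An added example (not the asker's or the answerer's code) of the approach the answer describes: the Login object itself is stored in $_SESSION, __sleep() keeps the password hash out of the serialized data, the session id is regenerated at login, and securePage.php gets the user data back without a second lookup. The Login class shape, the function names and the constructed single-user list are assumptions standing in for the asker's real class and database.

```php
<?php
// Added example, not code from the question or the answer. The Login class and the
// constructed user list are assumptions; the list stands in for a database table.
class Login
{
    public $username, $first_name, $last_name, $email;
    private $password_hash;   // server-side only, never written to the session
    public function authenticate(string $username, string $password): bool
    {
        // Constructed sample user store; a real application queries the database.
        $users = ['alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT),
            'first_name' => 'Alice', 'last_name' => 'Liddell', 'email' => 'alice@example.com']];
        if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
            return false;   // same outcome for unknown user and wrong password
        }
        $this->username = $username;
        foreach (['first_name', 'last_name', 'email'] as $f) {
            $this->$f = $users[$username][$f];
        }
        return true;
    }
    // Only these properties are serialized into $_SESSION; the hash is left out.
    public function __sleep(): array
    {
        return ['username', 'first_name', 'last_name', 'email'];
    }
    public function __wakeup(): void { $this->password_hash = null; }   // never restored from the session
}
// session_start() unserializes $_SESSION, so the class must be declared first or the stored
// object comes back as __PHP_Incomplete_Class and the instanceof check below fails.
session_start();
// index.php, after the login form is submitted
function loginUser(string $username, string $password): bool
{
    $login = new Login;
    if (!$login->authenticate($username, $password)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id once privileges change (defeats session fixation)
    $_SESSION['login'] = $login;   // serialized on write; __sleep() picks the fields
    return true;
}
// securePage.php: unserialize runs __wakeup() and the user data is back without a new lookup
function requireLogin(): Login
{
    if (!isset($_SESSION['login']) || !($_SESSION['login'] instanceof Login)) {
        header('Location: index.php');
        exit;   // stop here, otherwise the rest of the page still renders
    }
    return $_SESSION['login'];
}
```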