I have a session that I give to users whose password matches the stored password, like a simple login system:

```php
// Checks password and username
if ($pSys->checkPassword($AccountData['password'], $StoredData['password'])) {
    $_SESSION['login'] = true;
}
```
The question is: is this secure enough?
```php
// Put this on every header page that needs to be logged in.
function loginCheck() {
    if (empty($_SESSION['login'])) {
        // Not logged in: redirect to the front page and stop the script.
        header('Location: index.php');
        die();
    }
}
```
Is there a difference between die() and exit()? Second, some say that I should add session_regenerate_id(). (Is that overkill?) Anyway, the real question is stated above.

Add-on:

I have read PHP Session Security, but it seems it doesn't match my problem here (that link is just too general).

Here is the checkPassword() method:
```php
// Compares the submitted password with the stored one as plain strings,
// using PHP's loose == comparison. Returns false on mismatch.
function checkPassword($password, $storedpassword) {
    if ($password == $storedpassword) {
        return true;
    }
    return false;
}
```
Answering the first part:

`empty` and `die` are not comparable: `empty` is to check if a variable does not exist or has a value equal to false (see also this type comparison table). `die` is an alias of `exit` and is used to immediately abort the execution of the current script with an optional message.

Now to your authentication example: Yes, you should use `session_regenerate_id` to generate a new session ID and revoke the old session ID by setting the optional parameter for `session_regenerate_id` to true:

The purpose of `session_regenerate_id` is to avoid session fixation attacks. This will not be necessary if the server only allows session IDs to be sent via cookies, but since PHP by default allows them in the URL, you're strongly recommended to regenerate the ID.
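The following is an added example, not code from the question or the answer above. It puts the answer's advice together in one login flow: the session is configured to accept IDs only from cookies (and to reject IDs the server never issued), `session_regenerate_id(true)` is called right after a successful login so an attacker-planted ID is never promoted to an authenticated session, and the plaintext `==` comparison from the question is replaced with `password_hash()`/`password_verify()`. Regenerating the ID on login is cheap and still worth doing with cookie-only sessions, since a cookie can be planted by other means than a URL (for example from a sibling subdomain). The names `login`, `logout` and `loadStoredAccount` are assumptions introduced for this example; the account table is constructed inline so the file runs stand-alone.

```php
<?php
declare(strict_types=1);

// --- 1. Session hardening; these settings must be applied before session_start().
ini_set('session.use_only_cookies', '1');   // never accept ?PHPSESSID=... from the URL
ini_set('session.use_trans_sid', '0');      // do not append the ID to links and forms
ini_set('session.use_strict_mode', '1');    // reject IDs the server did not generate itself
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // assumption: the site is served over HTTPS
    'httponly' => true,      // keep the cookie out of reach of JavaScript
    'samesite' => 'Lax',
]);
session_start();

// --- 2. Password check against a password_hash() value.
// password_verify() is constant-time and avoids PHP's loose == comparison,
// under which two numeric-looking strings such as "0e12" and "0e34" are equal.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// --- 3. Login: authenticate, then swap the session ID and delete the old one.
function login(string $username, string $password): bool
{
    $stored = loadStoredAccount($username);   // assumed lookup helper, defined below
    if ($stored === null || !checkPassword($password, $stored['password'])) {
        return false;
    }

    // true = delete the old session data instead of keeping it reachable under the old ID,
    // so an ID fixed by an attacker before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['login']    = true;
    $_SESSION['username'] = $username;
    return true;
}

// --- 4. Guard for every page that requires a login (same role as loginCheck() in the question).
function loginCheck(): void
{
    if (empty($_SESSION['login'])) {
        header('Location: index.php');
        exit;   // die() is an alias and would behave identically
    }
}

// --- 5. Logout must invalidate the server-side session, not just clear the flag.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Constructed stand-in for the database lookup (assumption for this example).
// In a real system the hash is produced once with password_hash() when the
// account is created and stored instead of the plaintext password.
function loadStoredAccount(string $username): ?array
{
    static $accounts = null;
    if ($accounts === null) {
        $accounts = [
            'alice' => ['password' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
        ];
    }
    return $accounts[$username] ?? null;
}

// Usage (e.g. in the login form handler):
// if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) { header('Location: home.php'); exit; }
```

One detail worth checking in your own deployment: `session.use_strict_mode` only has effect with the default file-based handler or a custom handler that implements `SessionUpdateTimestampHandlerInterface::validateId()`; with other handlers PHP will still accept any well-formed ID it is given, which is exactly what `session_regenerate_id(true)` after login protects against.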