Home/ Questions/Q 6882247
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T05:13:48+00:00

I used $_SESSION[‘name’] to handle data from page to page. I mainly used it

  • 0

I used $_SESSION[‘name’] to handle data from page to page. I mainly used it to keep the user logged in between pages. Within every page, i check if $_SESSION[logged_in’] is true or not. If true, keep user logged in. Otherwise, do something else.

This is how i handle my sessions – basic sample:

<?php

session_start();

if($_SESSION['logged_in'])
{
   //show control panel list
}
else
{
     //show login box. Once user logs in. Once user logs in,
     //fetch userID, username, etc from database. Also set 
     //$_SESSION['logged_in'] = true.
}

?>

Somewhere in between codes i do the following:

SELECT * FROM User WHERE userID = $_SESSION['userID'];

I’m not sure if $_SESSION[‘userID’] would be accessible by users or not. If its accessible, then the page would be in threat because a user could change the userID manually and get access to others account he/she desires.

I’m not much into security. Please advice! What can i do?

Note: i’m trying to make code as simple as possible. For now, no oop is involved.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    That’s pretty good, here are a few other tips for session management:

    1. Do not accept session identifiers from GET/POST variables:
      Session identifiers in URL (query string, GET variables) or POST variables are not recommended as it simplifies this attack. It is easy to make links on forms which set GET/POST variables.

    2. Regenerate the SID on each request:
      In PHP use session_regenerate_id(). Every time a user’s access level changes, it is necessary to regenerate the session identifier. This means that although an attacker may trick a user into accepting a known SID, the SID will be invalid when the attacker attempts to re-use the SID.

    • 0