
I am still new to sessions.
Is it good to wipe $_SESSION before using it?

example:

$_SESSION         = array();
$_SESSION['id']   = 1;
$_SESSION['name'] = 'Someone';

I am asking for your opinion, guys,
because I don't have much experience with sessions.

In my awkward logic,
maybe I will forget to log out from the admin session
and log in to the member session.

So maybe some $_SESSION values from the admin will still be in the $_SESSION array.


Additional:
1. I was an admin user and have not logged out yet from the admin page.
2. Now I go from the admin page to the member login page.

What should I do here?
Kick the admin back to the admin page because he is not a member?

Scramble

1 Answer

Nope. In fact, it's really bad, and your example code will render your sessions useless.

When you call session_start() you are either given an empty $_SESSION or you get back the data you saved to $_SESSION on a previous page load. For more information on sessions check out the PHP docs:

http://php.net/manual/en/book.session.php

http://php.net/manual/en/function.session-start.php


About logging in and out: Your logout process has to destroy whatever session data identifies the user (probably their ID). Typically this is done by using unset, i.e. unset($_SESSION['user_id']).

I can't imagine any other way to log out a user, maybe if you provided more information I could give you a better answer about this.


Regarding your addition, it looks like your authentication system could use some work. You shouldn't be able to get to a login page when you are already logged in (even as admin, since it's just another user with higher privileges, right?). If you manually type in the login URL after you're logged in, then it should redirect you to the homepage.

Here's a fantastic write-up on this topic; I should have done some research! Thanks @HamZa

The definitive guide to form-based website authentication

And here's my super basic pseudo code auth process:

Does current page require authentication
    Yes:
        Is the user logged in?
            Yes:
                Does the user have the correct privileges to view the page?
                    Yes:
                        AUTHENTICATED! Show page
                    No:
                        Print a message that says something like, "You're in the wrong place amigo"
            No:
                Redirect to login
    No:
        Show the page
The Maniac
  • btw, what's wrong with my example code? Why does it make my session useless? Okay, I will try to edit my question. – Scramble Jul 25 '14 at 02:44
  • By wiping session "before you use it" you lose all of the information that you saved. The purpose of a session variable is to save data across page loads – The Maniac Jul 25 '14 at 02:47
  • Already updated my question. I delete it so that when another user logs in, the previous data in the session array will be wiped by the system. – Scramble Jul 25 '14 at 02:51
  • @Scramble you got it all wrong. "another user" == "another browser" == "another session cookie" == "another session". Do you follow? – HamZa Jul 25 '14 at 02:58
  • 1
    @TheManiac I guess that these 2 threads are some gems. I suggest reading them both. [The definitive guide to form based website authentication](http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication) and [“Keep Me Logged In” - the best approach](http://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach). In the second thread there are some really nice answers with some code and math! – HamZa Jul 25 '14 at 03:02