For my custom framework I let users log in and set a session as follows:
<?php
session_start();
// bunch of code
if (isset($_SESSION['id'])) {
    // check time and regenerate session id every 10 minutes
    // session_regenerate_id(true);
}
// some more code
if (isset($_POST['login'])) {
    // check if login is valid, when it is:
    $_SESSION['user_id']       = getUserData('id');
    $_SESSION['user_name']     = getUserData('name');
    $_SESSION['user_is_admin'] = getUserData('admin'); // filled with 0 or 1
}
Everything is stored in a database, with the passwords hashed with bcrypt. On top of this I force SSL, so users can't reach the website over plain HTTP.
Is this method safe? If not, what are the security flaws, and what can I do to make this more secure?
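For comparison, here is an added example of how the same login/session flow looks once the usual session-handling controls are in place. It is not the asker's code and not from any framework: it assumes PHP 7.3 or later, a hypothetical `find_user_by_name()` that returns an array with `id`, `name`, `password_hash` (a bcrypt hash) and `is_admin` (0 or 1), or `null` for an unknown user, and that the site really is HTTPS-only, since the cookie carries the `Secure` flag. The points it demonstrates are: strict mode so the server only honours ids it issued, cookie flags (`Secure`, `HttpOnly`, `SameSite`), a fresh session id at the moment of login (the privilege change, which is where fixation is defeated), the periodic regeneration the question leaves commented out, and idle/absolute timeouts.

```php
<?php
// Added example of hardened session handling; not the original post's code.
// Assumes PHP >= 7.3 and a hypothetical find_user_by_name() backed by the database.
declare(strict_types=1);

const SESSION_REGENERATE_INTERVAL = 600;       // new id every 10 minutes
const SESSION_IDLE_TIMEOUT        = 30 * 60;   // log out after 30 min of inactivity
const SESSION_ABSOLUTE_LIFETIME   = 8 * 3600;  // ...and unconditionally after 8 hours

function start_secure_session(): void
{
    // Strict mode: an id that the server never issued is rejected and replaced,
    // so an attacker cannot plant a known id in the victim's browser (fixation).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // never accept the id from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only sent over HTTPS (the site is HTTPS-only)
        'httponly' => true,     // not readable by JavaScript, limits XSS theft
        'samesite' => 'Lax',    // not attached to cross-site POSTs (basic CSRF help)
    ]);
    session_name('app_sid');    // avoid the default PHPSESSID fingerprint
    session_start();

    $now = time();
    $created   = $_SESSION['created_at'] ?? $now;
    $last_seen = $_SESSION['last_seen']  ?? $now;
    if ($now - $created > SESSION_ABSOLUTE_LIFETIME || $now - $last_seen > SESSION_IDLE_TIMEOUT) {
        // Expired: throw the data away and switch to a brand-new, empty session.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['created_at'] = $now;
    }
    $_SESSION['created_at'] = $_SESSION['created_at'] ?? $now;
    $_SESSION['last_seen']  = $now;

    // Periodic rotation: shortens the window in which a stolen id stays useful.
    $last_regen = $_SESSION['last_regen'] ?? $now;
    if ($now - $last_regen > SESSION_REGENERATE_INTERVAL) {
        session_regenerate_id(true);     // true = delete the old session file
        $_SESSION['last_regen'] = $now;
    }
    $_SESSION['last_regen'] = $_SESSION['last_regen'] ?? $now;
}

function login(string $username, string $password): bool
{
    $user = find_user_by_name($username);    // hypothetical DB lookup, returns array|null
    // Verify against a freshly built dummy hash when the user does not exist, so
    // "no such user" takes about as long as "wrong password" (no username oracle).
    $hash = $user['password_hash'] ?? password_hash('dummy-password', PASSWORD_BCRYPT);
    if (!password_verify($password, $hash) || $user === null) {
        return false;
    }
    // Privilege level is about to change: issue a new id so any id that existed
    // before authentication (possibly attacker-chosen) is not carried into the
    // authenticated session. This is the session_regenerate_id() call that matters most.
    session_regenerate_id(true);
    $now = time();
    $_SESSION['user_id']       = (int) $user['id'];
    $_SESSION['user_name']     = (string) $user['name'];
    $_SESSION['user_is_admin'] = ((int) $user['is_admin'] === 1);  // stored as bool, not "0"/"1"
    $_SESSION['created_at']    = $now;
    $_SESSION['last_seen']     = $now;
    $_SESSION['last_regen']    = $now;
    return true;
}

function current_user_is_admin(): bool
{
    // Strict comparison: a loosely-typed check like `if ($_SESSION['user_is_admin'])`
    // would treat the string "0" as false but other junk as true.
    return isset($_SESSION['user_id']) && ($_SESSION['user_is_admin'] ?? false) === true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying the server-side data.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Request flow (same shape as the original: one entry point that handles login).
start_secure_session();
if (isset($_POST['login'], $_POST['username'], $_POST['password'])) {
    if (!login((string) $_POST['username'], (string) $_POST['password'])) {
        http_response_code(401);
    }
}
```

Two practical caveats: `session_regenerate_id(true)` deletes the old session immediately, so a second request that was in flight with the old id (an AJAX call, an image load) will land on an empty session; if that bites, regenerate without `true` and record a short expiry on the old session instead of deleting it. And `SameSite=Lax` is a help, not a CSRF defence on its own; state-changing forms still want a per-session token.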