PHP Tutorial: Learn about PHP SESSION and why it is not safe to use only SESSION on the login page.

I have seen many developers using only sessions in their login system. This should never be done in big and important applications. Let's first get familiar with the PHP session.

PHP SESSION:

When you open a piece of software on a computer, the computer knows when the software was opened, when it was closed, and so on; that is a session. PHP does not keep such information in the server's RAM between requests, and the PHP session exists to fill that gap: it lets information be kept and reused across requests. The information is stored in a file on the server, and the file is deleted later.

How PHP SESSION works:

When a PHP session is started, a file is created on the server to hold the information, together with a unique session id that is stored in a cookie in the browser. The file is usually created in the server's temporary directory, so the server deletes it automatically after some time. On later requests the server uses the session id to look up the information stored in that file.

What is a PHP SESSION useful for?

Suppose you want to carry data from one page to another in PHP; that is where a session is needed. Basically it is used to save information without using the database. Writing to a database takes time, so for small amounts of data, or data needed only for a short time, the session is a simple and hassle-free way to store it.

How to use:

First, tell the server to start a session with session_start(); this creates the session file with a new, unique session id. Then save the data:

<?php
session_start();
$_SESSION["username"] = "greenweb";
?>

Here username is the key and greenweb is the value we want to save. The next time username is requested, greenweb will be shown.

How to show data?

Now, on the page where we want to show the saved data, we have to start the session again:

<?php
session_start();
echo $_SESSION["username"];
?>


 

When the above code is executed, greenweb will appear.

How to End Session:

If you want to remove a single session variable, use the unset() function:

<?php
session_start();
unset($_SESSION["username"]);
?>


If you want to remove all session variables:

<?php
session_start();
session_unset();
?>

This only erases the data; the session file itself remains. If you want to delete the file too:

<?php
session_start();
// terminate the session
session_destroy();
?>

Why not create a secure login system using SESSION only?

Although the PHP session itself is reasonably safe, relying on the session alone for the login system of a big application is not safe, for these reasons:

1. The directory in which the session data is stored may not be secure.
2. Opening and closing of sessions must be handled correctly: if a request that opened a session is still pending after the session has been closed, a third session may be created. This has been seen in systems that handle a lot of information, and the problem it causes is that one user is automatically logged into another user's account.
3. There is a possibility of session hijacking.
4. The session may not be locked properly, so a login can happen automatically.

To solve problems 1 to 3, you must store data in a database table alongside the session. For example, whenever a user logs in, generate a random value and store it in the database together with the id of the user it was generated for, and store the same value in the session; then, on each request, check that the user using the session is the one the database record belongs to. Problem 2 is unlikely in small applications, but it can happen in big applications that many users work on every day.

 

To resolve problems 3 and 4, you need a time-out system that automatically deletes the session data if the user is inactive for a specific time. It can be done using code like:

<?php
session_start();
$inactive = 600; // seconds of inactivity allowed (10 minutes)

if (isset($_SESSION["timeout"])) {
    $sessionTTL = time() - $_SESSION["timeout"];
    if ($sessionTTL > $inactive) {
        // idle too long: clear the session data and the file, then send the user to logout
        session_unset();
        session_destroy();
        header("Location: /logout.php");
        exit; // stop here so nothing below runs for the expired session
    }
}

// record the time of this request for the next check
$_SESSION["timeout"] = time();
?>

Also, the folder in which the session data is stored must be secure.

You can create a secure login system by combining SESSION and the database. Where security is important, there should be no room left for these weaknesses.
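
The database check from the numbered points above and the time-out from the previous code, combined in one added example (this is not code from the original post): a random token issued at login is stored in the database with the user's id and in the session, and every request verifies that the two agree and that the session has not been idle too long. The in-memory SQLite database and the names login_tokens, user_id and token are assumptions made for the demo.

```php
<?php
// Added example (not code from the original post). Assumptions: in-memory SQLite stands
// in for the real database; the names login_tokens, user_id and token are made up here.
const INACTIVE_SECONDS = 600;                   // log out after 10 minutes without a request
function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE login_tokens (user_id INTEGER NOT NULL, token TEXT NOT NULL UNIQUE)');
    }
    return $pdo;
}
// Call once after the password has been verified: issue a fresh random token,
// record it for this user in the database, and store both in the session.
function loginUser(int $userId): void {
    session_regenerate_id(true);                // new session id; the old one is discarded
    $token = bin2hex(random_bytes(32));         // 256-bit random login token
    db()->prepare('INSERT INTO login_tokens (user_id, token) VALUES (?, ?)')->execute([$userId, $token]);
    $_SESSION = ['user_id' => $userId, 'token' => $token, 'last_seen' => time()];
}
// Call on every protected request: returns the user id, or null when the session
// is missing, has been idle too long, or does not match the database record.
function currentUserId(): ?int {
    if (!isset($_SESSION['user_id'], $_SESSION['token'])
        || time() - ($_SESSION['last_seen'] ?? 0) > INACTIVE_SECONDS) {
        logoutUser();                           // missing or idle session (problems 3 and 4)
        return null;
    }
    $stmt = db()->prepare('SELECT user_id FROM login_tokens WHERE token = ?');
    $stmt->execute([$_SESSION['token']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['user_id'] !== (int) $_SESSION['user_id']) {
        logoutUser();                           // token unknown or owned by another user (problems 1 to 3)
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $row['user_id'];
}
function logoutUser(): void {
    db()->prepare('DELETE FROM login_tokens WHERE token = ?')->execute([$_SESSION['token'] ?? '']);
    $_SESSION = [];
    session_destroy();
}

session_start();                                // for the CLI demo; in a web app this runs on every page
loginUser(42);
var_dump(currentUserId());                      // session agrees with the database record
$_SESSION['token'] = 'forged';                  // a tampered session no longer matches
var_dump(currentUserId());
```

In a real application the two var_dump lines are replaced by the page logic, and the token row should also be deleted when the user logs out explicitly, which logoutUser() already does.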

 

Updated: April 25, 2019 — 10:37 pm
