Working with $_SESSION in an amfphp environment


Jonob

I have a flex application that uses mysql and php on the backend, which is run through an amfphp installation. Data is transferred between the database and the front end via amfphp. I have this all working 100%.

 

In this scenario, there are a number of php files, each of which contains one class (and each class has the same name as the file name). Within each class there are a number of functions.

 

I am now considering the security side of the app, and would like to implement $_SESSION variables. I have read up on how to work with sessions in PHP, but it's been pretty difficult to try to decipher how to implement it in an amfphp environment.

 

Am I even on the right track here?

 

1. Once a user has been logged in, you store 1 or more pieces of data in the $_SESSION variable, such as the user_id or user_name. So, something like this:

 

<?php
class login
{
  function do_login()
  {
     session_start();
     session_unset();
     //Code to check if the login is correct (this is where $userID gets set)
     //If login is valid then create the session
     if (!isset($_SESSION['userID']))
     {
          $_SESSION['userID'] = $userID;
     }
  }
}
?>

 

2. On all subsequent service calls, I need to check

if(!isset($_SESSION['userID']))
{ 
   return "Error: Session not set";
}

 

Where does this check take place? After the opening <?php tag, inside the class, or at the start of each function?

 

Any other glaring errors or omissions?

 

Thanks for any tips that you can give.


The only problem that I see with the code with a quick glance is that you are using session_start() and then session_unset() right after that. The session start obviously starts the session, but when you run the session_unset you are pretty much destroying the session. You don't want to run that until you want to get rid of the session. If you are trying to get rid of sessions before they log in, I suggest you put it above the session_start() or just remove it as it is not needed.
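
Added example, not part of the original thread or either poster's code: one way to arrange the login and the per-call check the question asks about, with session data cleared only at logout. `verify_credentials()`, `current_user_id()`, the `invoices` service and the demo account are hypothetical; the session id is regenerated at login so an id issued before authentication is not carried over.

```php
<?php
// Hypothetical credential check with one constructed demo account; a real
// service would look the user up in MySQL. Returns the user id or null.
function verify_credentials(string $user, string $pass): ?int
{
    static $hash = null;
    $hash ??= password_hash('correct horse', PASSWORD_DEFAULT);
    return ($user === 'demo' && password_verify($pass, $hash)) ? 42 : null;
}

// Resume the session if needed; return the logged-in user id, or null.
function current_user_id(): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['userID']) ? (int) $_SESSION['userID'] : null;
}

class login
{
    function do_login(string $user, string $pass): bool
    {
        current_user_id();              // opens the session
        $userID = verify_credentials($user, $pass);
        if ($userID === null) {
            return false;               // failed login: session left untouched
        }
        session_regenerate_id(true);    // fresh id at login, against fixation
        $_SESSION['userID'] = $userID;
        return true;
    }
    function do_logout(): void
    {
        current_user_id();
        session_unset();                // clear session data only at logout
        session_destroy();
    }
}

class invoices                          // hypothetical protected service
{
    function list_invoices(): array
    {
        $userID = current_user_id();    // check at the start of each method
        if ($userID === null) {
            throw new Exception('Error: Session not set');
        }
        return ['owner' => $userID, 'rows' => []]; // placeholder result
    }
}
```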
