verror Posted December 3, 2012

So, Sessions are a pretty weak point for me and I just wanted to verify if there is any better method for using them than how I currently am.

At the moment this is how I am creating the Session after details have been input (this is only part of the class):

    public function Login() {
        $success = false;
        try {
            // Connect and make PDO throw exceptions on errors
            $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
            $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
            $sql = "SELECT * FROM admin WHERE username = :username AND password = :password LIMIT 1";
            // Username to store in the session once the login succeeds
            $user = $this->username;
            $stmt = $con->prepare( $sql );
            $stmt->bindValue( "username", $this->username, PDO::PARAM_STR );
            $stmt->bindValue( "password", hash("sha256", $this->password . $this->salt), PDO::PARAM_STR );
            $stmt->execute();
            // First column of the matching row, or false when no row matches
            $valid = $stmt->fetchColumn();
            if( $valid ) {
                $success = true;
                session_start();
                session_regenerate_id();
                $_SESSION['user'] = $user;
                session_write_close();
                header("Location: /admin.php");
                exit();

This is how I check the sessions on the secured page:

    <?php
    session_start();
    // Redirect to the login page when no user is stored in the session
    if(!isset($_SESSION['user']) || (trim($_SESSION['user']) == '')) {
        header("location: login.php");
        exit();
    }
    ?>

And this is how I logout:

    <?php
    session_start();
    session_destroy();
    header("location:/index.php");
    exit();
    ?>

Is that a decent method, if not, how else should I go about doing it?

Christian F. Posted December 3, 2012

Other than the unnecessary call to session_write_close(), and the need to manually unset $_SESSION on logout, I think that looks good. You've remembered to regenerate the ID upon a successful login, which is the most important part. (Bar actually getting it to work, of course.)

verror Posted December 3, 2012 Author

Thanks Christian. What would be a better option for ending the session on log out?
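
The logout step Christian F. mentions (emptying $_SESSION in addition to calling session_destroy()), together with the ID regeneration on login, as an added example that is not code from the thread. The function names are hypothetical and the type hints assume PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Call once the credentials have been verified (where Login() succeeds).
function start_authenticated_session(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Passing true deletes the old session data, so an ID that was
    // known before login stops being valid.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// Ends the session completely. Call from the logout script before redirecting.
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Empty the superglobal. session_destroy() removes the stored data
    //    but leaves $_SESSION populated for the rest of this request.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser, using the same
    //    parameters it was set with so the browser matches and drops it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']
        );
    }

    // 3. Remove the session data on the server.
    session_destroy();
}

// Usage in a logout script:
//   end_session();
//   header('Location: /index.php');
//   exit();
```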
Archived
This topic is now archived and is closed to further replies.