spetsacdc Posted December 1, 2007

Hello,

I'm trying to make a simple site where users can log in securely using sessions. I want to have a menu bar at the top of the page that displays a login box when you are not logged in and your username when you are logged in. I am trying to plan the best/most efficient way to do this. Could someone explain how this is usually done?

I am confused about where I need to include the sessions.php file. I am also not confident how to change the top of the webpage depending on if they are logged in.

For security I want to change the session id for the person on each page change and also compare the user-agent. Do I store these in mysql? I haven't found a really good tutorial for this, but I'm looking at http://xqus.com/archives/2004/10/19/secure-php-sessions/

Any tips at where to get started would be great.

Thanks

revraz Posted December 1, 2007

No reason to change a user's session id.

In regards to changing your menu, you can do a simple $_SESSION['uname'] when they log in, and check that value and adjust your menu accordingly.

This is one of my side bars:

```php
<ul>
  <li class="currentlink">Home >></li>
  <li><a class="navlinks" href="reservations.php">Reservations</a></li>
  <li><a class="navlinks" href="news.php">News</a></li>
  <li><a class="navlinks" href="faq.php">FAQ</a></li>
  <li><a class="navlinks" href="links.php">Links</a></li>
  <li><a class="navlinks" href="register.php">Register</a></li>
  <?php // Logged-in users get Logout, everyone else gets Login.
  if (isset($_SESSION['auth']) && $_SESSION['auth'] == 1) { ?>
  <li><a class="navlinks" href="logout.php">Logout</a></li>
  <?php } else { ?>
  <li><a class="navlinks" href="login.php">Login</a></li>
  <?php } ?>
  <?php // The Admin link is shown to the admin role only.
  if (isset($_SESSION['role']) && $_SESSION['role'] == "admin") { ?>
  <li><a class="navlinks" href="admin.php">Admin</a></li>
  <?php } ?>
</ul>
```

spetsacdc Posted December 1, 2007 (Author)

Thanks. That is actually what I did, but I didn't know if that was secure/the general way of doing it.

Now, do you have a sessions.php file that is included on every page? Is that where you place session start?

So is this website wrong about changing the session key: http://xqus.com/archives/2004/10/19/secure-php-sessions/

"Changing the session key

This is important, in my opinion you should change the session key for each new request the user makes. If someone should get the hold of a session key, most likely it will be expired."

I am trying to protect against session stealing, but I don't understand it too well.

Thanks again

mlin Posted December 1, 2007

```php
// Assumes session_start() has already been called on this request.
// Runs once per session: issue a fresh id and delete the old session data.
if (!isset($_SESSION['valid'])) {
    session_regenerate_id(true);
    $_SESSION['valid'] = true;
}
```

spetsacdc Posted December 1, 2007 (Author)

What does that do?

revraz Posted December 1, 2007

I don't have a separate sessions.php file, I just have session_start(); at the top of every page I have. And honestly, if sessions get deleted off the server in a timely manner, I wouldn't even worry about it.

> Now, do you have a sessions.php file that is included on every page? Is that where you place session start?

rameshfaj Posted December 2, 2007

Use the session to store data like the user login, or set some variables, and when a user wants to access other pages without logging in, compare the session values. This will allow you to prevent users from accessing pages without logging in.

monkeybidz Posted December 2, 2007

I would try including the session in the header, where the header is always available to most pages and will not drop the session unless dictated by the script.

spetsacdc Posted December 10, 2007 (Author)

I think I have this set up pretty well. Is there anything I should do to prevent session stealing?

Thanks
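
One way to write the sessions.php include discussed in this thread, added here as an example and not code from any poster: it starts the session with hardened cookie settings, ties it to a hash of the user-agent with an idle timeout, and issues a new session id at login. The function names, the 30-minute limit and the HTTPS requirement are assumptions; the `auth`, `uname` and `role` keys follow revraz's sidebar.

```php
<?php
// sessions.php (hypothetical include, not from the thread): load it with
// require_once at the top of every page, before any output is sent.

const IDLE_LIMIT = 1800; // assumed idle timeout, in seconds

function secure_session_start(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse ids the server did not issue
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    session_set_cookie_params([               // array form needs PHP 7.3+
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // assumes the site is served over HTTPS
        'httponly' => true,    // hidden from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // The user-agent is only a weak signal (the header can be copied), so it
    // backs up the cookie settings above; it does not replace them.
    $ua       = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $expired  = isset($_SESSION['last_seen'])
        && time() - $_SESSION['last_seen'] > IDLE_LIMIT;
    $mismatch = isset($_SESSION['ua']) && !hash_equals($_SESSION['ua'], $ua);
    if ($expired || $mismatch) {
        $_SESSION = [];               // drop the login state
        session_regenerate_id(true);  // and retire the old id
    }
    $_SESSION['ua']        = $ua;
    $_SESSION['last_seen'] = time();
}

// Call after the password check succeeds (hypothetical helper).
function log_user_in(string $uname, string $role): void
{
    session_regenerate_id(true); // new id at login; the old session data is deleted
    $_SESSION['auth']  = 1;      // keys match the sidebar check earlier in the thread
    $_SESSION['uname'] = $uname;
    $_SESSION['role']  = $role;
}

function is_logged_in(): bool
{
    return !empty($_SESSION['auth']);
}

secure_session_start();
```

Everything here lives in PHP's server-side session store, so no MySQL table is needed for the session id or the user-agent.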