
I'm working on a login system for a site and just want to make sure that my actual login and logout core functions are correct.

To login I have:

session_start();                 // resume (or create) the session before touching $_SESSION
session_regenerate_id(true);     // issue a fresh session id; true also deletes the old session's data
$_SESSION["user"] = $username;   // $username is the account name that has just been verified
$_SESSION["startTime"] = time(); // record when the login happened

Then later to logout I have

unset($_SESSION["user"]);        // drop the values that mark the user as logged in
unset($_SESSION["startTime"]);
session_destroy();               // remove the session's data on the server

Is this correct or can this be improved in any way? And can someone clarify what session_regenerate_id(true) is really doing? I inherited it from some preexisting code.

Nick Chapman
  • `session_regenerate_id() will replace the current session id with a new one, and keep the current session information.`: You don't really need it there – Hanky Panky May 31 '14 at 18:12
  • You didn't tell us what functions you want from this login/logout system. Do you want an administration panel that allows someone to force logout a user? Do you want something like [Facebook](https://www.facebook.com/settings?tab=security&section=sessions&view), where a user can manage their currently logged in devices? Your method works for most cases, but it can be improved & should be if you require more features. – Dave Chen May 31 '14 at 18:14
  • @Hanky웃Panky, do I need to then `unset($_SESSION["id"]);` on the logout script? (keeping in mind that I have no idea if that code is correct.) – Nick Chapman May 31 '14 at 18:15
  • Nope, you only need to unset the values which you set in the first place when they logged in, and those values are the ones which are used for checking a valid login. All the other elements you don't need to unset. – Hanky Panky May 31 '14 at 18:16
  • @DaveChen right now this is a super simple web app and I'm going for barebones functionality. Eventually I plan on improving the system with server side login tracking rather than session cookies. – Nick Chapman May 31 '14 at 18:16
  • do you have a 'remember me' login function that allows your users to be 'logged' in for days? if so, sessions are not the way to go. – Ryan Vincent May 31 '14 at 18:17
  • @NickChapman Consider reading [this](http://forums.phpfreaks.com/topic/179816-when-and-why-should-i-use-session-regenerate-id/?p=948637) for using session_regenerate_id. It doesn't make sense to change the id, once you already have set it. – Dave Chen May 31 '14 at 18:19
  • @RyanVincent I don't presently, but I've considered it. What would I want to do? Update the logged_in column in a database to true and then save the person's IP address? When the person connects again, if they're logged in and at that IP address, sign them in. Or is there an easier clear-cut solution to this? – Nick Chapman May 31 '14 at 18:23
  • No, you use a cookie to remember them , as well as stuff in the database, and use that to log them in... it is all explained here: [the-definitive-guide-to-form-based-website-authentication](http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication) – Ryan Vincent May 31 '14 at 18:46

2 Answers


1/You may not need this code in the login part:

session_regenerate_id(true);

For more info about it, please visit the PHP manual here: http://www.php.net/manual/en/function.session-regenerate-id.php

2/To log the user out, reset the session values and destroy the session data on the server:

$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.

If you decide to change the session name later, this code will still be accurate.

Eric_ph
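Added example for this thread (editor's code, not from the question or either answer). It shows the two things the question asks about in runnable form: a login that regenerates the session id, and a logout that actually finishes the job. Two facts from the PHP manual drive the design: session_regenerate_id(true) replaces the id and deletes the old session's data from the save handler, and session_destroy() removes only the server-side data, leaving $_SESSION populated for the rest of the request and the cookie in the browser. The function names login_user(), logout_user() and demonstrate_regeneration(), the planted id and the sample username are assumptions for this example; it also assumes the default files session handler (pointed at the system temp dir for the demo) and PHP 7.3 or newer for the array form of setcookie().

```php
<?php
// Added example, not code from the question or either answer. A login/logout
// pair that regenerates the session id on login and fully tears the session
// down on logout, followed by a CLI demonstration of what
// session_regenerate_id(true) actually does. login_user(), logout_user(),
// demonstrate_regeneration() and the planted id are names chosen for this
// example only.
declare(strict_types=1);

function login_user(string $username): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // The browser may already carry a session id that was chosen before login
    // (for example one an attacker planted via a crafted link or cookie).
    // Minting a new id when privileges change means that pre-login id never
    // becomes an authenticated one; with true, the old session's data is
    // removed from the save handler instead of being left behind.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['startTime'] = time();
    return session_id();
}

function logout_user(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // session_destroy() removes the server-side data only: $_SESSION stays
    // populated for the rest of this request and the cookie stays in the
    // browser, so clear both explicitly before destroying.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        $opts = [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ];
        if (!empty($p['samesite'])) {
            $opts['samesite'] = $p['samesite'];
        }
        setcookie(session_name(), '', $opts);
    }
    session_destroy();
}

// Constructed session-fixation scenario run from the command line: an
// attacker-chosen id is planted, the victim logs in, and we inspect what
// happened to the old id and its data. Strict mode is switched off so the
// planted id is honoured at all; in production keep session.use_strict_mode=1,
// which makes PHP refuse ids it did not issue in the first place. No output
// is produced until all session calls are done, because the CLI also refuses
// to send session cookies after output has started.
function demonstrate_regeneration(): array
{
    $saveDir = sys_get_temp_dir();
    ini_set('session.save_path', $saveDir);
    ini_set('session.use_strict_mode', '0');   // demo only
    $planted = 'attackerchosenid';             // ids may only contain [a-zA-Z0-9,-]

    // 1. A session is created under the planted id before login.
    session_id($planted);
    session_start();
    $_SESSION['cart'] = 'pre-login data';
    session_write_close();                     // flush so sess_<id> is on disk

    // 2. The victim logs in while the browser still sends the planted id.
    session_id($planted);
    $newId = login_user('alice');
    session_write_close();
    clearstatcache();

    // 3. Reopen the new session to see what carried over, then log out.
    session_id($newId);
    session_start();
    $user = $_SESSION['user'] ?? null;
    $cart = $_SESSION['cart'] ?? null;
    logout_user();
    clearstatcache();

    return [
        'planted_id'            => $planted,
        'id_after_login'        => $newId,
        'id_changed'            => $newId !== $planted,
        'old_file_after_login'  => file_exists("$saveDir/sess_$planted"),
        'user'                  => $user,
        'data_carried_over'     => $cart === 'pre-login data',
        'new_file_after_logout' => file_exists("$saveDir/sess_$newId"),
    ];
}

if (PHP_SAPI === 'cli') {
    foreach (demonstrate_regeneration() as $k => $v) {
        printf("%-22s %s\n", $k, var_export($v, true));
    }
}
```

Run it with `php file.php`. In a real application call login_user() only after the credentials have been verified, and leave session.use_strict_mode enabled; regenerating the id on login is the defence against a fixated id that the server has already accepted, strict mode is the defence against accepting one at all.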

I don't really think you need to do unset($_SESSION["user"]); actually session_destroy() is enough. Once you call session_destroy(), that's enough, and after calling it there will not be any $_SESSION["user"].

RbG