I wrote this session helper class to use inside my projects for managing the $_SESSION variables set up after a user login or logout. It's very simple and after some tests it seems to work smoothly and fine.
The class doesn't have a constructor, because the needed parameters, the username and the user id, are passed directly to the setSession method.
The sessionCode method is instead only a code that is used to check if the user is logged in or not, to limit the access to certain pages if needed.
<?php
namespace library;

class SessionHelper
{
    private $username;
    private $id;
    private $ip;

    // Called after a successful login; session_start() must already have run.
    public function setSession(string $email, int $id)
    {
        // New session id on login so an id issued before authentication is not kept.
        session_regenerate_id();
        $_SESSION['session_code'] = $this->sessionCode();
        $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
        $_SESSION['user_id'] = $id;
        $_SESSION['username'] = $email;
        return true;
    }

    // True only when a session code exists and matches the current session id.
    public function sessionStatus()
    {
        if (isset($_SESSION['session_code'])) {
            return hash_equals($_SESSION['session_code'], $this->sessionCode());
        }
        // Original version fell through here and returned null instead of false.
        return false;
    }

    public function unsetSession()
    {
        session_unset();
        session_destroy();
        return true;
    }

    private function sessionCode()
    {
        return hash('sha256', session_id());
    }
}
USAGE EXAMPLE AFTER A LOGIN SCRIPT:
<?php
session_start(); // required before session_regenerate_id() and $_SESSION writes
require_once 'SessionHelper.php';
use library\SessionHelper as SessionHelper;

$session = new SessionHelper;
$session->setSession('user1', 4); // $id is declared int, so pass an integer
USAGE ON RESTRICTED ACCESS PAGES
<?php
session_start();
require_once 'library/Autoloader.php';
use library\SessionHelper as SessionHelper;

$session = new SessionHelper;
if (!$session->sessionStatus()) {
    header('Location: index');
    die();
}
1 Answer
This is not a SessionHelper but a UserSessionHelper in the first place. A session is a container that could contain anything, not only user credentials. Shopping cart items, for example. Therefore you have to either extend its functionality or at least rename the class.
In 2018 you are supposed to utilize a PSR-4 autoloader so as not to include your class definitions manually.
What is most important, I don't see any getSession() method. Are you checking the $_SESSION array directly? If so, that makes your class essentially incomplete. When writing OOP, you must encapsulate the full functionality; leaving something outside just makes no sense.
Given there is no constructor, consider using static methods; it will save you the very absent constructor call.
- ok, so how will you implement the getSession() method? (user9741470, Jul 3, 2018 at 13:11)
- You have working code, so you will already have implemented something similar to the proposed getSession() method. All you have to do is to bring it within the confines of your helper class. (KIKO Software, Jul 3, 2018 at 14:23)
- ... session_regenerate_id() here? I also can't see how you're using the session code in a safe manner. You must be accessing $_SESSION outside this helper class, which defeats the point of having this class. The idea behind classes is that they abstract things for you. So it shouldn't matter whether you use $_SESSION to implement this class, or something else, you can always use it in the same way.
- ... session_regenerate_id() does, and when you use it, but why do you need to regenerate the session id after a successful login? I don't see the point of that. No, I don't have a suggestion about the session code, but I would like to see how it's being used by you.
- ... if(!isset($_SESSION['session_code'])) ..so it will be only a check. I'm thinking to implement this control inside a class method
- ... user_logged_in .
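The answer's three suggestions carried through as an added example (not the question's or the answer's own code): the class is renamed to a user session class, uses static methods since it holds no constructor state, and keeps every $_SESSION read and write behind its own methods, including the missing getSession() as get(). The namespace, class name and session key names are assumptions.

```php
<?php
declare(strict_types=1);
namespace library; // assumed PSR-4 namespace, as in the question

// Added example, not the question's or answer's own code.
final class UserSession {
    private const KEY_ID = 'user_id';        // assumed key names
    private const KEY_NAME = 'username';
    private const KEY_CODE = 'session_code';
    // Every public method starts the session itself; callers never call session_start().
    private static function start(): void {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }
    public static function login(string $username, int $id): void {
        self::start();
        // Fresh id after authentication so an id issued before login is not kept (fixation).
        session_regenerate_id(true);
        $_SESSION[self::KEY_ID] = $id;
        $_SESSION[self::KEY_NAME] = $username;
        $_SESSION[self::KEY_CODE] = self::code();
    }
    public static function isLoggedIn(): bool {
        self::start();
        // The code only proves login() ran for this session id; it is a marker, not a second secret.
        return isset($_SESSION[self::KEY_CODE], $_SESSION[self::KEY_ID])
            && hash_equals($_SESSION[self::KEY_CODE], self::code());
    }
    // The getSession() the answer asks for: the only read path into $_SESSION.
    public static function get(string $key, $default = null) {
        self::start();
        return $_SESSION[$key] ?? $default;
    }
    public static function logout(): void {
        self::start();
        $_SESSION = [];
        session_destroy();
    }
    private static function code(): string {
        return hash('sha256', session_id());
    }
}

// Restricted page: the login check without touching $_SESSION directly.
if (!UserSession::isLoggedIn()) {
    header('Location: index');
    exit;
}
```

Page code then reads values through the class, for example UserSession::get('username'), so the storage behind the class can change without touching the pages.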