1
\$\begingroup\$

I write this session helper class to use it inside my projects for managing the $_SESSION variables setup after an user login or logout. It's very simple and after some tests it seems to work smoothly and fine.

The class doesn't have a constructor, this because the needed parameters that are the username and the user id are passed directly to the setSession method.

The sessionCode method is instead only a code who is used to check if the user is logged in or not, this to limit the access to certain pages if needed. 

<?php
namespace library;

class SessionHelper{

private $username;
private $id;
private $ip;

public function setSession(string $email,int $id){
    session_regenerate_id();
    $_SESSION['session_code'] = $this->sessionCode();
    $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['user_id'] = $id;
    $_SESSION['username'] = $email;

    return true;
}

public function sessionStatus(){
    if(isset($_SESSION['session_code'])){
        if(hash_equals($_SESSION['session_code'], $this->sessionCode())){
          return true;
        } else {
          return false;
        }
    }    
}

public function unsetSession(){
    session_unset();
    session_destroy();
    return true;
}

private function sessionCode(){
    return hash('sha256', session_id());
}

}

?>

USAGE EXAMPLE AFTER A LOGIN SCRIPT:

<?php
require_once 'SessionHelper.php';

use library\SessionHelper as SessionHelper;

$session = new SessionHelper;

$session->setSession('user1', '4');

?>

USAGE ON RESTRICTED ACCESS PAGES

<?php
session_start();

require_once 'library/Autoloader.php';

use library\SessionHelper as SessionHelper;

$session = new SessionHelper;

if($session->sessionStatus() != true){
  header('Location: index');
  die();
}
?>
\$\endgroup\$
5
  • 1
    \$\begingroup\$ What's the point of session_regenerate_id() here? I also can't see how you're using the session code in a safe manner. You must be accessing $_SESSION outside this helper class, which defeats the point of having this class. The idea behind classes is that they abstract things for you. So it shouldn't matter whether you use $_SESSION to implement this class, or something else, you can always use it in the same way. \$\endgroup\$ Commented Jul 3, 2018 at 12:28
  • \$\begingroup\$ the regenerate id is used to regenerate the session id after a successful login. Do you have suggestion about session code? \$\endgroup\$ Commented Jul 3, 2018 at 13:01
  • \$\begingroup\$ I know what session_regenerate_id() does, and when you use it, but why do you need to regenerate the session id after a successful login? I don't see the point of that. No, I don't have a suggestion about the session code, but I would like to see how it's being used by you. \$\endgroup\$ Commented Jul 3, 2018 at 14:21
  • \$\begingroup\$ I've used it because some developers here in past have suggested me to regenerate te session id after an user login. The use of the session code will be if(!isset($_SESSION['session_code'])) ..so it will be only a check. I'm thinking to implement this control inside a class method \$\endgroup\$ Commented Jul 3, 2018 at 18:11
  • 1
    \$\begingroup\$ Yes, I also think it should be a method inside the helper class. Given the way you use the session code it could be a simple boolean, or even a single value like 1, instead of a 8 character pseudo-random string. You're only checking its presence, not the fact that it's a complex code. A better key would then be: user_logged_in. \$\endgroup\$ Commented Jul 3, 2018 at 19:57

1 Answer 1

Reset to default
1
\$\begingroup\$

This is not a SessionHelper but a UserSessionHelper in the first place. A session is a container that could contain anything, not only user credentials. A shopping cart items for example. Therefore you have to either extend its functionality or at least rename a class.

In 2018 you are obligatory supposed to utilize a PSR-4: Autoloader so not to include your class definitions manually.

What is most important, I don't see any getSession() method. Are you checking $_SESSION array directly? If so, that makes you class essentially incomplete. When writing OOP, you must encapsulate the full functionality, leaving something outside just makes no sense.

Given there is no constructor, consider using static methods, it will save you the very absent constructor call.

\$\endgroup\$
2
  • \$\begingroup\$ ok, so how do you will implement the getSession() method? \$\endgroup\$ Commented Jul 3, 2018 at 13:11
  • 3
    \$\begingroup\$ You have working code, so you will already have implemented something similar to the proposed getSession() method. All you have to do is to bring it within the confines of your helper class. \$\endgroup\$ Commented Jul 3, 2018 at 14:23

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.