Objective:

The objective of this lesson is to teach learners about managing sessions in PHP. By the end of this lesson, participants should be able to:

Description:

1.1 Understanding Sessions and Session Variables

1.1.1 Introduction

HTTP is stateless: every request arrives on its own, with nothing linking it to the previous one. Sessions give a web application that missing link. PHP stores the user's data on the server and identifies the browser by a session ID, carried by default in a cookie named PHPSESSID, so that stateful information (who is logged in, what is in a cart) can be kept across multiple pages for a single user. Because the server treats whoever presents a given ID as that user, protecting the ID is the core of session security, and most of the measures later in this lesson exist for that reason.

1.1.2 Starting a Session

Start a session in PHP with the session_start() function. It looks for a session ID in the request (by default in the PHPSESSID cookie); if the ID is known it loads the stored data into $_SESSION, otherwise it creates a new session and sends a Set-Cookie header with a fresh ID. Because of that header, session_start() must be called before the script produces any output, including stray whitespace before the opening <?php tag.

<?php
// Starting a session
session_start();
?>
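The defaults of session_start() are permissive (the cookie is sent over plain HTTP and the server accepts any well-formed ID the browser presents). The following added example, which is not part of the original lesson, wraps session_start() so every page gets the same hardened settings. The option keys are PHP's own session.* ini names without the "session." prefix, as session_start() accepts them since PHP 7.0 (cookie_samesite needs 7.3+); the function name start_secure_session and the visit counter are this example's assumptions.

```php
<?php
// secure_session_start.php (added example; not from the original lesson)

function start_secure_session(): bool
{
    // Already started by an included file: nothing to do.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    // The session ID travels in a Set-Cookie header, so nothing may have been
    // sent to the client yet. Fail loudly instead of silently running without
    // a session.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Cannot start session: output already sent at $file:$line");
    }
    // Keys are the session.* ini settings without the "session." prefix.
    return session_start([
        'use_strict_mode'  => 1,     // reject IDs the server never issued (anti-fixation)
        'use_only_cookies' => 1,     // ignore a session ID passed in the URL
        'cookie_httponly'  => true,  // cookie not readable from JavaScript
        'cookie_secure'    => true,  // cookie only sent over HTTPS
        'cookie_samesite'  => 'Lax', // not attached to cross-site POST requests
        'cookie_lifetime'  => 0,     // browser-session cookie; expiry is enforced server-side
    ]);
}

// Usage: call this instead of a bare session_start() on every page.
start_secure_session();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo "Requests in this session: " . $_SESSION['visits'];
```

With cookie_secure set, the browser will not send the cookie over plain HTTP, so on a local HTTP development server the session will appear not to persist; that is the flag working as intended, not a bug. use_strict_mode is the setting that makes PHP discard an unknown ID and issue a new one instead of adopting it, which is the cheapest defence against session fixation.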

1.1.3 Session Variables

Session variables live in the $_SESSION superglobal, an associative array that is available on every page that has called session_start(). The data is kept on the server (by default in files under session.save_path) and only the session ID travels to the browser, so, unlike cookies, session variables cannot be read or altered by the client. They persist until the session is destroyed, expires, or is garbage-collected.

<?php
// Setting a session variable
$_SESSION['user_id'] = 1;

// Retrieving a session variable
$user_id = $_SESSION['user_id'];
?>

1.2 Implementing User Authentication

1.2.1 Introduction

User authentication is a fundamental security measure that ensures only authorized users can access certain parts of a website. Sessions play a vital role in implementing secure authentication.

1.2.2 Login Form

Create a simple login form in HTML and process it using PHP. Validate the submitted credentials against the users table: look the user up by username, then compare the submitted password with the stored hash using password_verify() (passwords are stored as password_hash() output, never in plaintext). Set session variables only after that comparison succeeds, and give the same error message whether the username or the password was wrong so the form does not reveal which accounts exist.

<!-- Login Form (login.html) -->
<form action="login.php" method="post">
    <label for="username">Username:</label>
    <input type="text" id="username" name="username" autocomplete="username" required>

    <label for="password">Password:</label>
    <input type="password" id="password" name="password" autocomplete="current-password" required>

    <button type="submit">Login</button>
</form>
<?php
// Login Processing (login.php)
session_start();

// Missing fields count as a failed login instead of raising an undefined-index notice
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Stand-in for the users table row: in a real application fetch it with a
// prepared statement. Only the password_hash() output is stored, never the
// password; the hash is computed inline here only so this snippet runs alone.
$user = [
    'id'            => 1,
    'username'      => 'valid_username',
    'password_hash' => password_hash('valid_password', PASSWORD_DEFAULT),
];

// password_verify() compares the submitted password with the stored hash
if ($username === $user['username'] && password_verify($password, $user['password_hash'])) {
    // Issue a fresh session ID so an ID planted before login is never authenticated
    session_regenerate_id(true);

    // Set session variables upon successful authentication
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['username'] = $user['username'];

    header('Location: dashboard.php');
    exit();
} else {
    // One generic message for both failure cases
    echo "Invalid username or password";
}
?>

1.2.3 Access Control

Implement access control to restrict certain pages to authenticated users only. Check session variables to determine if a user is logged in. The check must run on every protected page (or in a single file that every protected page includes) before any output is sent; hiding a link from the menu is not access control, since the URL can be typed directly.

<?php
// Dashboard Page (dashboard.php)
session_start();

// Check if the user is logged in
if (!isset($_SESSION['user_id'])) {
    header('Location: login.html');
    exit();
}

// Display dashboard content for authenticated users; escape session data
// before echoing it into HTML so a crafted username cannot inject markup
echo "Welcome, " . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . "!";
?>

1.3 Best Practices and Security Measures

1.3.1 Session Timeout

A session should end after a period of inactivity (an idle timeout) and, ideally, after a fixed time since login (an absolute timeout), so that a forgotten browser tab or a stolen session ID does not stay usable indefinitely. PHP's session.gc_maxlifetime is often presented as the timeout, but it only sets the age after which the garbage collector is allowed to delete idle session data, and the collector runs probabilistically (session.gc_probability / session.gc_divisor), so a session past that age can remain valid for a long time. Treat it as a cleanup hint and enforce the timeout in your own code by recording a last-activity timestamp in $_SESSION and rejecting requests that arrive too late. Note also that ini_set() for this setting must run before session_start(), and that when several applications share one session save path, the application with the shortest value deletes the others' data.

<?php
// Raise the garbage-collection lifetime (e.g., 30 minutes); must be set before session_start()
ini_set('session.gc_maxlifetime', 1800);
session_start();
?>

1.3.2 Session Regeneration

In a session fixation attack the attacker first obtains a session ID of their own, or plants one in the victim's browser (for example through a link that carries the ID, or a cookie injected via a subdomain), and then waits for the victim to log in with it. If the application keeps the same ID across login, the attacker's ID is now tied to an authenticated session. The defence is to issue a fresh ID with session_regenerate_id() immediately after a successful login and after any other privilege change; passing true deletes the old session data so the old ID cannot be reused. Enabling session.use_strict_mode additionally makes PHP refuse IDs it did not generate, which defeats the simplest fixation attempts.

<?php
// Regenerate the session ID; the session must already be started
session_start();
session_regenerate_id(true);
?>
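Sections 1.3.1 and 1.3.2 describe policies that PHP does not enforce on its own. The following added example, which is not part of the original lesson, implements both: an idle and an absolute timeout checked on every request, regeneration of the session ID at login, and periodic rotation afterwards. The function names (mark_logged_in, check_session, require_login), the three limits and the timestamp keys stored in $_SESSION are this example's assumptions.

```php
<?php
// session_policy.php (added example; not from the original lesson)
//
// session.gc_maxlifetime only tells the garbage collector when it *may* delete
// idle data, so the timeout is enforced here, in the application, by keeping
// timestamps in $_SESSION and checking them on every request.
// The three limits below are assumptions for this example.

const IDLE_TIMEOUT     = 1800;     // 30 min without a request ends the session
const ABSOLUTE_TIMEOUT = 8 * 3600; // 8 h after login it ends even if still active
const REGEN_INTERVAL   = 900;      // rotate the session ID every 15 min

// Call after the password has been verified. Regenerating the ID here is the
// anti-fixation step: whatever ID the browser presented before login is discarded.
function mark_logged_in(int $userId, string $username, int $now): void
{
    session_regenerate_id(true);           // true = also delete the old session data
    $_SESSION['user_id']        = $userId;
    $_SESSION['username']       = $username;
    $_SESSION['login_at']       = $now;
    $_SESSION['last_activity']  = $now;
    $_SESSION['regenerated_at'] = $now;
}

// Returns null when the session is valid, or the reason it was rejected.
// On success it refreshes last_activity and rotates the ID when due.
function check_session(int $now): ?string
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_at'], $_SESSION['last_activity'])) {
        return 'not logged in';
    }
    if ($now - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        return 'idle timeout';
    }
    if ($now - $_SESSION['login_at'] > ABSOLUTE_TIMEOUT) {
        return 'absolute timeout';
    }
    $_SESSION['last_activity'] = $now;

    // Periodic rotation limits how long a leaked or sniffed ID stays usable
    if ($now - ($_SESSION['regenerated_at'] ?? $_SESSION['login_at']) > REGEN_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['regenerated_at'] = $now;
    }
    return null;
}

// Put this at the top of every protected page, before any output.
// A rejected session is destroyed immediately rather than left for GC.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (check_session(time()) !== null) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.html');
        exit();
    }
}

// Usage on a protected page (the login script calls
// mark_logged_in($id, $name, time()) after password_verify() succeeds):
require_login();
echo "Welcome back, " . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . "!";
```

Keeping login_at separate from last_activity is what makes the absolute limit work: a user who keeps clicking every few minutes never trips the idle timeout, but still has to re-authenticate once the absolute limit passes, which bounds the lifetime of a session ID that was copied without the user noticing.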

1.3.3 Logout

Implement a logout mechanism that ends the session completely and redirects the user to the login page. session_destroy() removes the server-side session data, but on its own it neither clears $_SESSION for the remainder of the current request nor removes the session cookie from the browser, so a complete logout clears the array, expires the cookie, and then destroys the session.

<?php
// Logout (logout.php)
session_start();
$_SESSION = [];                                 // clear the data for this request
if (ini_get('session.use_cookies')) {           // expire the cookie in the browser
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();                              // remove the server-side data
header('Location: login.html');
exit();
?>

1.4 Practice Exercise

Task:

  1. Create a Session:
    • Build a simple PHP page that starts a session and sets a session variable.
  2. Implement Login:
    • Design an HTML login form and create a PHP script to process login credentials.
    • Validate the credentials against predefined values and set session variables upon successful authentication.
  3. Create a Dashboard:
    • Develop a dashboard page that checks for the presence of session variables.
    • If the user is not logged in, redirect them to the login page.
  4. Logout Functionality:
    • Implement a logout mechanism that destroys the session and redirects the user to the login page.

Solution:

  1. Create a Session:
    • Create a PHP page named start_session.php.
    • Use the session_start() function to initiate a session.
    • Set a session variable with a user’s name.
<?php
// start_session.php

// Starting a session
session_start();

// Setting a session variable
$_SESSION['user_name'] = 'John Doe';

echo "Session started. User: " . $_SESSION['user_name'];
?>

Implement Login:

<!-- login.html -->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Login Form</title>
</head>
<body>
    <form action="process_login.php" method="post">
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" autocomplete="username" required>

        <label for="password">Password:</label>
        <input type="password" id="password" name="password" autocomplete="current-password" required>

        <button type="submit">Login</button>
    </form>
</body>
</html>
<?php
// process_login.php

// Starting a session
session_start();

// Only accept credentials from a POST body
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: login.html');
    exit();
}

// Predefined credentials (Replace with a database lookup). Only the
// password_hash() output is kept; it is computed inline here just so the
// exercise runs without a database.
$valid_username      = 'john_doe';
$valid_password_hash = password_hash('password123', PASSWORD_DEFAULT);

// Missing fields count as a failed login instead of raising a notice
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if ($username === $valid_username && password_verify($password, $valid_password_hash)) {
    // New session ID on login so a pre-login ID is never promoted to authenticated
    session_regenerate_id(true);

    // Set session variables upon successful authentication
    $_SESSION['user_name'] = $valid_username;

    header('Location: dashboard.php');
    exit();
} else {
    // Generic message; do not reveal which of the two values was wrong
    echo "Invalid username or password";
}
?>

Create a Dashboard:

<?php
// dashboard.php

// Starting a session
session_start();

// Check if the user is logged in
if (!isset($_SESSION['user_name'])) {
    header('Location: login.html');
    exit();
}

// Display dashboard content for authenticated users; escape before echoing into HTML
echo "Welcome, " . htmlspecialchars($_SESSION['user_name'], ENT_QUOTES, 'UTF-8') . "!";
?>

Logout Functionality:

<?php
// logout.php

// Starting a session (needed before the session can be destroyed)
session_start();

// Clear the session data held in memory for this request
$_SESSION = [];

// Expire the session cookie in the browser, using the same parameters it was set with
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $params['path'], $params['domain'], $params['secure'], $params['httponly']);
}

// Destroying the server-side session data
session_destroy();

// Redirect to the login page
header('Location: login.html');
exit();
?>