Web Hosting Talk

PHP: Sessions


mylinear
09-04-2005, 10:16 AM
In looking at some sample login type scripts, they mostly use the logic as below for pages that should not be directly accessed without first logging in.

session_start();

// check for some login flag ('logged_in' is a placeholder name)
if (!empty($_SESSION['logged_in'])) {
    // do some process
} else {
    // error message or redirect to login page
    echo "Please log in first.";
    exit;
}
// etc... etc...

In the above logic, in the else section where the user was not logged in, there doesn't seem to be a session_destroy.

Isn't it necessary to destroy the session started at the top of the page even though access to the actual content of the page has been denied?

bitfuzzy
09-04-2005, 10:33 AM
no, because if the session variable it's looking for doesn't exist, there's a 99% chance there isn't a valid session started.

Alternately, if you're not planning to redirect to a login page etc., I'd add "} else { echo "error message"; exit(); }"

bitfuzzy
09-04-2005, 10:36 AM
I'm also going to suggest reversing the session validation,

//


session_start();
// session_is_registered() only worked with register_globals and was removed in PHP 5.4;
// checking $_SESSION directly is the equivalent.
if (!isset($_SESSION["SESSION_NAME"]))
{
    echo "ACCESS DENIED";
    exit();
}

// display content

//

mylinear
09-04-2005, 12:07 PM
I understand that if the session variable does not exist, the session has not been started elsewhere, eg through a login page.

But, before checking the variable in another page, we issue a session_start first. If there was already a session started through the login page, then that session will be used. But if there is none, doesn't a new session start now?

It is this new session started during this check that I am referring to. Shouldn't that be destroyed?

Marble
09-04-2005, 02:40 PM
I don't think it's necessary, but you could always use:

session_destroy ();

http://ca3.php.net/manual/en/function.session-destroy.php

or just set a default value for the $_SESSION var, like null or 0 or false...

mylinear
09-05-2005, 12:11 AM
On a server with shared hosting accounts, are there any advantages or disadvantages in using session_save_path() to change the default directory where session data is stored?

For example, use a directory in your own account space such as /home/myaccount/tmp instead of the default root /tmp directory?

Does this provide any extra security for the session data?

bitfuzzy
09-05-2005, 12:28 AM
not really

Session files will usually be placed in the /tmp directory unless your host has configured a different path to be used

innova
09-05-2005, 09:11 AM
Originally posted by mylinear
are there any advantages or disadvantages in using session_save_path() to change the default directory where session data is stored?

Yes!

Originally posted by bitfuzzy
not really

Not a very good answer to his question. The answer is yes, on a shared hosting account you should be saving your sessions in a nonpublic, non-web-accessible area. If you are already using a database, I would recommend saving your session data there.

There are plenty of articles about session fixation/hijacking techniques that are possible if you had read access to /tmp on a shared webserver.

There are also a few good articles about how to set up database-backed session management, and it's really not too hard to implement if you are already familiar with sessions in general.

bitfuzzy
09-05-2005, 09:51 AM
Originally posted by innova
There are plenty of articles about session fixation/hijacking techniques that are possible if you had read access to /tmp on a shared webserver.

That's not completely true.

The issue with using /tmp has nothing to do with fixation/hijacking (this can occur regardless of the storage directory; the best prevention is to force new session creation upon each authentication (login)).

The issue with /tmp storage is if there are users with shell access that can directly access the directory to view file contents, OR if it is within a directory path accessible from the web.

This also is dependent on the directory having permission settings allowing reading of the file by users other than the owner.

Also, by utilizing a generic directory for all hosted domains you're actually making identifying the site the files belong to harder.

[if a host has 100 domains all of which use the same folder to store session files, how are you going to know which host a particular file belongs to..... if a domain uses /www/domname/tmp/ as a storage folder for "its" session files, what are the odds that the files are for that domain?]

Bottom line, while I will agree there are security issues in this, all in all, it will rely on both the host and domain owner to maintain security.

mylinear
09-05-2005, 11:10 AM
When using the database method of managing sessions, does the client have to have cookies turned on for it to work?

mylinear
09-05-2005, 11:18 AM
Does using session_regenerate_id() function in each page when checking for an existing valid session help in making the session more secure?

Marble
09-05-2005, 12:34 PM
Originally posted by mylinear
When using the database method of managing sessions, does the client have to have cookies turned on for it to work?

Depends on if you use the php session_set_save_handler function, which is just using normal php session, but defining a different method of handling them, like using a database.

You can also create your own session handler. Like what phpBB did. But it's a bit more complicated.
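
A database-backed session store of the kind innova recommends, registered the way Marble describes with session_set_save_handler(). This is an added example, not code from the thread or from phpBB. It assumes PHP 5.4 or later (for SessionHandlerInterface), the PDO SQLite driver, and a hypothetical private path /home/myaccount/private/sessions.sqlite outside the document root; swap the DSN for MySQL if that is the database you already use.

```php
<?php
// Database-backed PHP session storage via session_set_save_handler().
// Added example, not from the thread. Assumes PHP >= 5.4 (SessionHandlerInterface),
// the PDO SQLite driver, and a writable, non-web-accessible directory for the DB file.

class PdoSessionHandler implements SessionHandlerInterface
{
    private $db;
    private $ttl;

    public function __construct(PDO $db, $ttl = 1440)
    {
        $this->db  = $db;
        $this->ttl = (int) $ttl;
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id       TEXT PRIMARY KEY,
                data     BLOB NOT NULL,
                modified INTEGER NOT NULL
            )'
        );
    }

    // The #[\ReturnTypeWillChange] lines are plain comments on PHP < 8 and silence the
    // PHP 8.1+ deprecation for untyped returns, so one file runs on both.
    #[\ReturnTypeWillChange]
    public function open($savePath, $sessionName) { return true; }

    #[\ReturnTypeWillChange]
    public function close() { return true; }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND modified > :expiry'
        );
        $stmt->execute(array(':id' => $id, ':expiry' => time() - $this->ttl));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // An unknown or expired ID yields '' so PHP starts with an empty $_SESSION.
        return $row ? (string) $row['data'] : '';
    }

    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, modified) VALUES (:id, :data, :modified)'
        );
        return $stmt->execute(array(':id' => $id, ':data' => $data, ':modified' => time()));
    }

    #[\ReturnTypeWillChange]
    public function destroy($id)
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute(array(':id' => $id));
    }

    #[\ReturnTypeWillChange]
    public function gc($maxlifetime)
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE modified <= :expiry');
        return $stmt->execute(array(':expiry' => time() - (int) $maxlifetime));
    }
}

// Hypothetical path: a directory outside the document root that only this account can read.
$db = new PDO('sqlite:/home/myaccount/private/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$handler = new PdoSessionHandler($db, (int) ini_get('session.gc_maxlifetime'));
session_set_save_handler($handler, true);   // true registers session_write_close() at shutdown

// The handler changes only where the data lives; the ID still travels in the cookie.
ini_set('session.use_only_cookies', 1);
session_start();

$_SESSION['visits'] = isset($_SESSION['visits']) ? $_SESSION['visits'] + 1 : 1;
```

Registering an object handler leaves the transport untouched: PHP still sends the ID in the session cookie (or in the URL if session.use_trans_sid is on), so cookies are no more or less required than with file storage. The modified column together with gc() keeps the table from growing without bound, and read() treats an expired row as absent rather than handing back stale data. Whatever the database, keep the session id out of string-built SQL as done here with bound parameters, since the id comes straight from the client.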

mylinear
09-09-2005, 05:01 AM
If the client browser has cookies disabled, does PHP automatically send the session id through the URL method?

Or do I have to issue some other commands before session_start() to cater for this possibility? If so, what are those functions?

Or can I only use one method (cookies) or the other (URL) and not both in any given session?

M2ESoftworks
09-09-2005, 03:35 PM
Originally posted by mylinear
But, before checking the variable in another page, we issue a session_start first. If there was already a session started through the login page, then that session will be used. But if there is none, doesn't a new session start now?

It is this new session started during this check that I am referring to. Shouldn't that be destroyed?

No, you can let them keep the same session. It won't matter if a non-logged-in user keeps using the same session, because you don't put the login credentials into that session until he successfully logs in.

ixat
10-08-2005, 01:21 AM
Originally posted by bitfuzzy
no, because if the session variable it's looking for doesn't exist, there's a 99% chance there isn't a valid session started.

Alternately, if you're not planning to redirect to a login page etc., I'd add "} else { echo "error message"; exit(); }"

Hi, I'm facing similar problems. I got the error that Index not found for my $_SESSION['Login']

So I did this for my login_chk.php

<?php // Check if User Is Log On
session_start();

if (!empty($_SESSION['Login']))
{
    if ($_SESSION['Login'] != "1")
    {
        header('Location: index.php?status=relog');
        exit; // stop here, otherwise the page that included this file keeps running
    }
}
else
{
    header('Location: index.php?status=relog');
    exit;
}
?>

Is this acceptable? How can I improve it?

Thanks!
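
Pulling the thread's advice together: a login check that does what ixat's login_chk.php intends but stops executing after the redirect, plus the settings behind mylinear's session_save_path() question and bitfuzzy's "force new session creation upon each authentication". This is an added example, not code from any poster. It assumes PHP 5.5.2 or later (for session.use_strict_mode), a hypothetical private directory /home/myaccount/private/sessions, and a hypothetical check_credentials() function that you write yourself.

```php
<?php
// Hardened login/session handling for a shared host. Added example, not code from the
// thread. Assumes PHP >= 5.5.2, a hypothetical private directory outside the web root,
// and a hypothetical check_credentials() that you supply.

// 1. Keep session files out of the shared /tmp. Owner-only permissions stop other
//    shell users on the host from reading the serialized session data.
$savePath = '/home/myaccount/private/sessions';   // hypothetical path
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
session_save_path($savePath);

// 2. Cookie-only IDs: PHP will neither accept nor emit ?PHPSESSID=... in URLs, which is
//    the classic fixation vector, and strict mode rejects IDs the server never issued.
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
ini_set('session.use_strict_mode', 1);
ini_set('session.cookie_httponly', 1);
if (!empty($_SERVER['HTTPS'])) {
    ini_set('session.cookie_secure', 1);
}

session_start();

// Call once the password check has succeeded. Regenerating the ID here is the "new
// session creation upon each authentication" from the thread: an attacker who planted
// the pre-login ID is left holding an ID the server has already discarded.
function login_user($username)
{
    session_regenerate_id(true);       // true removes the old session file as well
    $_SESSION = array();               // drop anything set while still anonymous
    $_SESSION['Login']      = 1;
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
}

// Replacement for login_chk.php: redirect AND stop, so the protected page body
// never runs for an anonymous visitor.
function require_login()
{
    if (empty($_SESSION['Login']) || $_SESSION['Login'] != 1) {
        header('Location: index.php?status=relog');
        exit;
    }
}

// Full logout: clear the data, expire the cookie, then remove the server-side record.
function logout_user()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on the login page (check_credentials() is hypothetical):
// if (check_credentials($_POST['user'], $_POST['pass'])) { login_user($_POST['user']); }
// Usage at the top of every protected page:
// require_login();
```

On regenerating the ID on every page, as mylinear asked: the regeneration that matters is the one at login, because that is the moment the session acquires anything worth stealing; doing it on every request gains little and can drop a legitimate session when two requests race (an AJAX call and a page load carrying the ID that the other just invalidated). The private save path only helps when PHP runs as your account user (suPHP, FastCGI/FPM pools); under a single shared mod_php user every site's scripts can still read it, which is exactly the host-and-owner dependency bitfuzzy points out.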