Friday, 15 June 2012

security - PHP User Authentication with Sessions -

So, the question is basic.

When checking whether the user is still logged in on a page, I use

```php
<?php
session_start(); // the session must be started before $_SESSION is populated

if (isset($_SESSION['user']) && $_SESSION['user'] == true) {
    // code for logged-in users
}
```

But shouldn't I use a hashed value instead of a boolean value for $_SESSION['user']? The guides I find use boolean values; from a security point of view that is a leak, isn't it? People talk about session hijacking and session fixation all the time, and those would be easy if boolean values were used for the user session, wouldn't they? Or am I mixing things up here?

Thanks.

I read two questions here. The first question is "What is the best practice to determine if a user is logged in?" and the second question is "Is there a concern of session hijacking and session fixation?"

First question: the web apps/CMSs I have worked with have a user object. There is nothing particularly special about the object from a code perspective; it is simply an object representing the user. The logged-in user has a user object stored in the session: $_SESSION['user'].

In Drupal (and other platforms) a function is used to return the logged-in user, or false if the user is not logged in.

Example:

```php
<?php
// MyUserClass must be defined (or autoloadable) before session_start(),
// otherwise the stored object is unserialized as __PHP_Incomplete_Class.
session_start();

function user() {
    if (isset($_SESSION['user'])
        && is_object($_SESSION['user'])
        && get_class($_SESSION['user']) == 'MyUserClass') {
        return $_SESSION['user'];
    } else {
        return false;
    }
}
```

So in the example you see that `if ( user() ) { code }` works, because an object evaluates to true in an if clause.

Second question: session hijacking and session fixation are not concerns here. The client (a web browser) does not have access to the server's $_SESSION array. In short, yes, you are mixing things up here.
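As an added example, not part of the original question or answer, here is the pattern the answer describes carried through to a small working login flow: a user object is stored in $_SESSION at login and user() returns it or false. The class MyUserClass, the login()/logout() helpers, the in-memory user record and the sample password are assumptions for illustration; a real application would look the user up in a database. Because the value stored server-side is never visible to the browser, what a fixation or hijacking attacker needs is the session ID in the cookie, so the example regenerates that ID at login rather than changing what is stored under $_SESSION['user'].

```php
<?php
// Added example (not from the original post): session-based login that
// stores a user object, with a user() check in the style of the answer.

// Define the class before session_start() so the stored object can be
// unserialized into MyUserClass instead of __PHP_Incomplete_Class.
class MyUserClass
{
    public int $id;
    public string $name;

    public function __construct(int $id, string $name)
    {
        $this->id = $id;
        $this->name = $name;
    }
}

session_start();

// Constructed sample user store: username => [id, password hash].
// Assumed for illustration; a real application reads this from a database.
$users = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])
        || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    // The session ID (the cookie value) is what a hijacker or a fixation
    // attacker works with, not the data stored under $_SESSION. Issue a
    // fresh ID at login so an ID planted before authentication is not
    // promoted to an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = new MyUserClass($users[$username]['id'], $username);
    return true;
}

// Returns the logged-in user object, or false when nobody is logged in.
function user()
{
    if (isset($_SESSION['user']) && $_SESSION['user'] instanceof MyUserClass) {
        return $_SESSION['user'];
    }
    return false;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage: log in with the sample credentials, then run the user() check.
if (login($users, 'alice', 'correct horse') && ($u = user())) {
    echo "Logged in as {$u->name} (id {$u->id})\n";
}
if (!login($users, 'alice', 'wrong password')) {
    echo "Bad credentials rejected\n";
}
```

The `instanceof` test does the same job as the answer's is_object()/get_class() pair; either way the check depends only on what the server stored, which is why hashing or not hashing the stored value makes no difference to fixation or hijacking.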

php security authentication user
