I am coding a sample object-oriented chat system using AJAX, SQL, PHP to train myself. I am saving "sensitive" user data into a database to check for a variety of inputs and processes such as login, online status, messages sent etc.
However, when a user logs into the system I check if $_SESSION['status'] is true or false to grant access to different locations of the website. I check the data in a separated file with a class Login.class and from there I could now decide whether I keep the object of Login.class to receive information of the user and use it, or I "kill" the object after I saved everything in $_SESSION variables (i.e. $_SESSION['username'] and so on…).
Basically I am interested in what is more secure or good programming and what is not. I know that php-login project is using both ways. It's kind of telling me that both of them are ok because a lot of professionals have been implementing this code. I thought that you should stick to one method, or am I misunderstanding something?
Aside from the initialization of the actual session stuff (You already know that, with session_start() which should probably go in your bootstrap somewhere), you should ideally attempt to NOT use $_SESSION directly, why you ask?
Because of maintainability! Say you wanted to implement another form of session, maybe you want to use memcache instead of flat file sessions, use cookies only (I say only because PHP defaults to store your session ID in a cookie, so you are in fact already using cookies!)
Also ease of reading, and minimal chance of a typo going unnoticed and causing a bug (Maybe you have to check for admin state alot, and you mistype it $_SESSION['is_amdin], now had you used OOP here (Eg. Auth::isAdmin()) you would have recieved a fatal error about a missing function)
If you try to keep your stuff OO and use a proper IDE, you will also recieve the added benefit of autocompletion and code hints, you can PHPDOC a function, which will be used by many IDE's to provide documentation popups as you write. An assoc array like $_SESSION does not have any way to define hints for editors or humans!
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments