To improve login code in PHP by Sessions

Question

Which one is the better way to handle login in PHP?

#1 PHP.net

    $email = $_POST['email'];
    $password = $_POST['password'];
    if($user->connection($email,$password)){ // user logging validation
        session_start();     //start the session
        $_SESSION['user_logged'] = true;  // user logged in
        header('location : control_panel.php');  // go to control panel
    }
    else {  // go back to logging page
        header('location : logging.php?' . $user->error_string);
    }

#2 Me after Paul Dixon's improvements and Sebasgo's improvements

 if (isset($_REQUEST['email'])) {
     $result = pg_prepare($dbconn, "query22", "SELECT passhash_md5 FROM users
         WHERE email=$1;");                                             
     $passhash_md5 = pg_execute($dbconn, "query22", array($_REQUEST['email']));                 

     session_start(); 
     $_SESSION['logged_in'] = false;                                                                                                           
     if ($passhash_md5 == $_REQUEST['passhash_md5']) {                                            
         $_SESSION['logged_in'] = true;                                                                   

 }
 header('Location: index.php');

The code #2 has $_REQUEST commands because I am still trying to get it work.

Answer 1

You force all new sessions to have the same ID, which means everyone will be sharing the same session! Probably not what you intended?

You can omit the call to session_id() and just let PHP take care of creating a unique id for the session.

Also, you should really call session_start before using the $_SESSION array to ensure it is populated with any current session variables.

Answer 2

You shouldn't try to manage the session ids yourself. A simple scheme like the one you propose (incrementing the session id by one for every new session) contains a serious security issue: A user with freshly generated session id can trivially guess other valid session ids by trying ids slightly smaller than its own. Thus it is very easy two acquire someone else's session.

If you let PHP manage the generation of new session ids for you, PHP uses a pseudo random generator to create the new ids, which will be hard to guess for a potential attacker. This prevents the above outlined attack scenario effectively.

Additionally, you will virtually never want to access $_SESSION before calling session_start() because before the session array will be always empty. Therefore your test of empty($_SESSION['SID']) will always raise false.

Bottom line: I strongly recommend you to stick to the simple way of managing login like PHP.net does it.