After I authenticate the user's login info, I create this session for them:

$_SESSION['username'] = $userName;

Then, I redirect them like this:

header('Location: www.domain.com/profile/' . $_SESSION['username']);
exit; // stop executing after the redirect

I want my website to have a beauty URL, something like: www.domain.com/profile/userName

Thus, in all my redirect links (HTML <a> tag or PHP header() function), I will use:

"www.domain.com/album/" . $_SESSION['username'];

Are there any security loopholes?

Edit:

Do I need to create session id first using session_id()?

So, to check:

if (!isset($_SESSION['id'])) {
    // redirect to login page
}
A: 

What are you protecting? What are you doing to verify that they have authorization? Are you protecting their profile and verifying that they have authorization because they have the session key? You don't ever mention checking that they have a session variable.

You won't even need to know the session ID. That is immaterial to storing whether the user has gotten authentication, that's just the mechanism which indicates what session information they should be using.

When the user logs in, you want to store something like

$_SESSION['authed_user'] = true;

And then, on subsequent attempts to edit information you do:

if ($_SESSION['authed_user']) {
  // do something authed users can do
}

And naturally, you'll really probably want some sort of levels of authorization. I recommend you consider using something like SimpleAuth...

altCognito
Yes, protecting their profile. For example, protecting it from a third user editing their profile, etc.
A: 

You need authorization on the page that allows a user to edit their profile. If they'll be editing on the http://www.domain.com/profile/[username] page, then you need to check that their $_SESSION['username'] is equal to the profile page they are on.

Otherwise anyone would be able to type in the URL (basically guess a profile number or name) and edit it.

But yes, you should first check if they've logged in AT ALL:

if (isset($_SESSION['username'])) {
    // Logged in
} else {
    // Not logged in
}
T Pops
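The checks described in both answers combined into one place, as an added example that is not code from the question or either answer; the domain, the `$_GET['user']` parameter populated by a URL rewrite, and the login/profile page layout are assumptions:

```php
<?php
// Added example (not from the question or answers). Assumes a URL rewrite that
// maps /profile/alice to profile.php?user=alice and a separate login page.
declare(strict_types=1);

session_start();

// --- login handler: called only after the password check has succeeded ---
function establishLogin(string $userName): void
{
    // Issue a fresh session id on privilege change (defends against session fixation).
    session_regenerate_id(true);
    $_SESSION['username']    = $userName;   // who the user is
    $_SESSION['authed_user'] = true;        // that the user really logged in
}

function redirectToProfile(string $userName): void
{
    // Absolute URL, a space after "Location:", an encoded path segment,
    // and exit so that nothing after the redirect keeps running.
    header('Location: https://www.domain.com/profile/' . rawurlencode($userName));
    exit;
}

// --- guards used by the profile edit page ---
function isLoggedIn(): bool
{
    return !empty($_SESSION['authed_user']) && isset($_SESSION['username']);
}

// Authorization: a logged-in user may edit the profile named in the URL only
// if it is their own. Strict comparison avoids PHP type-juggling surprises.
function canEditProfile(string $requestedUser): bool
{
    return isLoggedIn() && $_SESSION['username'] === $requestedUser;
}

// profile.php: $requestedUser comes from the rewritten URL (assumed parameter name)
$requestedUser = (string) ($_GET['user'] ?? '');
if (!isLoggedIn()) {
    header('Location: https://www.domain.com/login');
    exit;
}
if (!canEditProfile($requestedUser)) {
    http_response_code(403);
    exit('You may only edit your own profile.');
}
// ... render the edit form for $requestedUser ...
```

Without the canEditProfile() check, any logged-in user who types another username into the URL reaches the edit page, which is the gap the second answer points out.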