can session_start () be used in constructors of various classes?

3

I have a big doubt about security, I'm using session_start() as follows:

public function validar()
{
    session_start();

    if(@$_POST) {
        foreach($_POST as $campo => $valor) {
            $asig = "$" . $campo . "='" . htmlspecialchars($valor, ENT_QUOTES) . "';";
            eval($asig);
        }

        $user = addslashes($username);
        $psw  = addslashes($password);
        $usu  = $this->user->validateUser($user, $psw);
        if($usu != null) {
            $_SESSION['use_mail']     = $usu->getUse_mail();
            $_SESSION['use_username'] = $usu->getUse_username();
            $_SESSION['use_psw']      = $usu->getUse_psw();
            $_SESSION['status_id']    = $usu->getStatus_id();
            $_SESSION['loggedin']     = true;
            echo 1;
        }
    }
    else {
        // redirect to a 404 error
        echo 0;
    }
}

In the model I have the following:

public function validateUser($username, $password)
{
    $sql   = "SELECT * from users WHERE use_username='" . $username . "' AND use_psw='" . $password . "' AND status_id='1'";
    $datos = $this->con->consultaRetorno($sql);

    if($datos->num_rows == 1) {
        $user_temp = new Users();
        $row       = $datos->fetch_array(MYSQLI_ASSOC);
        $user_temp->setUse_mail($row['use_mail']);
        $user_temp->setUse_username($row['use_username']);
        $user_temp->setUse_psw($row['use_psw']);
        $user_temp->setStatus_id($row['status_id']);

        return $user_temp;
    }
}

Everything works fine, but my question is whether I can use session_start() in the constructors once the session is created. Example:

class ProductController
{
    public function __construct()
    {
        session_start();
        $this->vehicle  = new Vehicles();
        $this->category = new Categories();
        $this->type     = new Types();
    }

    public function index()
    {
        View::render('driver/list');
    }
}

In all the views I have the following:

<?php
// Start the session
if(!isset($_SESSION)) {
    session_start();
}

// CHECK THAT THE USER IS AUTHENTICATED
if($_SESSION["loggedin"] != true) {
    // if not, send to the login page
    header("Location: http://miapp/public/login");
    // and also exit this script
    exit();
}
?>
asked by Fercho Jerez on 11.08.2016 at 15:42

1 answer

4

In theory you can only start the session once during the execution of the process.

You can start the session in the constructors of each controller, but you have to make sure that the class that starts the session is the only one that does it. Otherwise it will throw a Notice-level error:


Notice: A session had already been started - ignoring session_start() in /var/www/... on line 10

A simple example that you can check:

error_reporting(E_ALL);
ini_set("display_errors", 1);

class AA
{
    public function __construct()
    {
        session_start();
    }
}

class BB
{
    public function __construct()
    {
        session_start();
    }
}

$a = new AA(); // first session_start(): starts the session
$b = new BB(); // second session_start(): emits the Notice above

This means that when you log in to the controller, you do not need to do it again in the views.

answered on 11.08.2016 at 22:21
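A way to make that safe in practice, as an added example that is not part of the question or the answer: a small helper that starts the session only when `session_status()` reports none is active, so every controller constructor and view can call it without producing the Notice. The class and method names are assumptions, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example (not the asker's project code): idempotent session start,
// login handling with id regeneration, and the per-view login check.
final class Session
{
    public static function start(): void
    {
        // PHP_SESSION_NONE: sessions are enabled but none has been started
        // in this request, so calling session_start() here is safe.
        if (session_status() === PHP_SESSION_NONE) {
            // Hardened cookie settings; 'secure' assumes the app runs over HTTPS.
            session_set_cookie_params([
                'httponly' => true,
                'secure'   => true,
                'samesite' => 'Lax',
            ]);
            session_start();
        }
    }

    // Call this after validateUser() succeeds. Regenerating the id means the
    // pre-login session id is not carried over into the authenticated session.
    public static function login(string $mail, string $username, int $statusId): void
    {
        self::start();
        session_regenerate_id(true);
        $_SESSION['use_mail']     = $mail;
        $_SESSION['use_username'] = $username;
        $_SESSION['status_id']    = $statusId;
        $_SESSION['loggedin']     = true;
        // Deliberately no 'use_psw': the password (or its hash) does not belong in the session.
    }

    // Replacement for the check repeated in every view. empty() also covers
    // the case where 'loggedin' was never set, without emitting a Notice.
    public static function requireLogin(string $loginUrl = 'http://miapp/public/login'): void
    {
        self::start();
        if (empty($_SESSION['loggedin'])) {
            header('Location: ' . $loginUrl);
            exit();
        }
    }
}

// In a controller constructor:  Session::start();
// At the top of a protected view: Session::requireLogin();
```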