2

I'm trying to decide on the level of security with regards to session management on my php site. at the top of every page is a php tag where I run

if (!isset($_SESSION["user"])) {header('Location: login.php');}

The user session is created on login; do you guys think this is secure enough? The whole site runs in SSL.

David
  • If I sent a fake session with my request, do you use other validation than this, to make sure I cannot log in as just anybody? – Jens Jan 11 '12 at 07:20
  • This is technically wrong, it will generate a warning if they are enabled, it should be `if (array_key_exists('user', $_SESSION))` – Geoffrey Jan 11 '12 at 07:34

4 Answers

2

Yes that will work. To make it less error prone put that snippet in a file and include it at the top of each page. That way you just edit one place to make changes to the logic.

Also, your Location header is supposed to contain the entire URL starting with https: according to the RFC specifications. It may still work for some browsers but should not be depended on.

davidethell
2

Well, being secure has hundreds of different topics... But in terms of what you are trying to achieve, yes, I think that's fine.

I would add some additional validation to check that $_SESSION['user'] is definitely a correct user, and try to compare the session user's IP address, user agent and other things to detect session hijacking.

You should also EXIT; after header("Location: X"):

header("Location: xyz.php");
exit;
Prof
0

I think it's better to create a random token string when your user wants to log in to your website. Then check it on every page besides your previous code. I used $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] and a random string to make it.

Mohammad Saberi
  • It's not always a good idea to use REMOTE_ADDR, as some people are behind load-balanced proxies (govt offices) which cause them to jump between IP addresses as they browse. – Geoffrey Jan 11 '12 at 07:34
0

Well, at least once per load you will also need to validate the user; otherwise you are just checking whether the session exists.

YuS
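One way to combine the points made in the answers above (one included file, an absolute Location URL followed by exit, a user-agent fingerprint instead of REMOTE_ADDR, a regenerated session id at login, and re-validating the user on every request), written as an added example that is not code from the question or any of the answers. The BASE_URL constant, the $pdo handle and the users(id, disabled) table are assumptions.

```php
<?php
// auth_check.php: require_once this file, then call require_login($pdo) at the
// top of every protected page; login.php calls establish_login() instead.
// Assumed (not from the thread): BASE_URL, a PDO handle, a users(id, disabled) table.
declare(strict_types=1);
const BASE_URL = 'https://www.example.com';   // placeholder site origin
session_start();

// Location must be an absolute URL; exit so nothing after the redirect runs.
function redirect_to_login(): void
{
    header('Location: ' . BASE_URL . '/login.php');
    exit;
}

// Fingerprint stored in the session at login. User agent only: REMOTE_ADDR
// logs out users behind rotating proxies, as noted in the comments above.
function session_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once after the password check succeeds. Regenerating the id means a
// session id that existed before login never becomes an authenticated one.
function establish_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $userId;
    $_SESSION['fp']   = session_fingerprint();
}

// Re-check the account on every request (disabled or deleted users lose access).
function user_still_valid(PDO $pdo, int $userId): bool
{
    $st = $pdo->prepare('SELECT 1 FROM users WHERE id = ? AND disabled = 0');
    $st->execute([$userId]);
    return (bool) $st->fetchColumn();
}

// Replaces the bare isset() check from the question.
function require_login(PDO $pdo): void
{
    if (!array_key_exists('user', $_SESSION)
        || !isset($_SESSION['fp'])
        || !hash_equals($_SESSION['fp'], session_fingerprint())
        || !user_still_valid($pdo, (int) $_SESSION['user'])) {
        $_SESSION = [];
        session_destroy();
        redirect_to_login();
    }
}
```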