Websites are prone to session attacks when sessions are not handled properly.
There are tools like "Apache Benchmark" (ab) and many others that can hit a website with load for load/performance testing.
The code below starts the session for every request.
<?php
// Session is started before the credentials are checked, so every request
// that reaches this script gets a session file, whether or not it logs in.
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if (isValidUser($username, $password)) {
    $userdetails = getUserDetails($username);
    $_SESSION['user_id'] = $userdetails['user_id'];
    $_SESSION['username'] = $userdetails['username'];
    $_SESSION['firstname'] = $userdetails['firstname'];
    header('Location: dashboard.php');
    exit; // stop here; header() alone does not end the script
}
?>
This generates a session file for every request, irrespective of the PHPSESSID cookie value, when I use tools like ab, thereby creating an inode issue.
One should start the session only after properly authenticating.
<?php
$username = $_POST['username'];
$password = $_POST['password'];
if (isValidUser($username, $password)) {
    $userdetails = getUserDetails($username);
    // Only a successful login creates a session (and a session file).
    session_start();
    $_SESSION['user_id'] = $userdetails['user_id'];
    $_SESSION['username'] = $userdetails['username'];
    $_SESSION['firstname'] = $userdetails['firstname'];
    header('Location: dashboard.php');
    exit; // stop here; header() alone does not end the script
}
?>
Scripts other than login should first check that the client already has a session before starting one.
<?php
// session_status() is always PHP_SESSION_NONE before session_start(), so it
// cannot tell a returning user from a stranger. The session cookie can:
// a request without it has no session to resume and gets no session file.
if (!isset($_COOKIE[session_name()])) {
    header('Location: login.php');
    exit;
}
session_start();
if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}
// page logic follows...
?>
This example is for file-based sessions.
For other session storage modes, see the function session_set_save_handler().
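The login and page-guard pattern above, pulled together as one added example (not code from the original post): it assumes the hypothetical isValidUser() and getUserDetails() used in the snippets, gates session_start() on the presence and shape of the session cookie, exits after every redirect, and regenerates the session ID at login so a pre-login ID supplied by the client is never kept.

```php
<?php
// Added example; not part of the original post. isValidUser() and
// getUserDetails() are assumed to exist, as in the snippets above.

// Start the session only when the client presents a cookie that looks like
// an ID PHP could have issued. With PHP 7.1+ defaults (session.sid_length
// 22..256, session.sid_bits_per_character 4..6) that is 22 to 256 characters
// from [0-9a-zA-Z,-]. No cookie or a malformed one: no session, no file.
function start_session_if_present(): bool
{
    $cookie = $_COOKIE[session_name()] ?? null;
    if ($cookie === null || !preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $cookie)) {
        return false;
    }
    return session_start();
}

function redirect_to_login(): void
{
    header('Location: login.php');
    exit; // header() does not stop execution; without exit the page logic would still run
}

// login.php: the session exists only after the credential check passes.
function handle_login(string $username, string $password): void
{
    if (!isValidUser($username, $password)) {
        redirect_to_login();
    }
    $userdetails = getUserDetails($username);
    session_start();
    session_regenerate_id(true); // discard any ID the client sent before logging in
    $_SESSION['user_id']   = $userdetails['user_id'];
    $_SESSION['username']  = $userdetails['username'];
    $_SESSION['firstname'] = $userdetails['firstname'];
    header('Location: dashboard.php');
    exit;
}

// Every other page calls this before its own logic.
function require_login(): void
{
    if (!start_session_if_present() || !isset($_SESSION['user_id'])) {
        redirect_to_login();
    }
}
```

This removes the case the post describes (requests with no session cookie); a request that does present a well-formed ID still starts a session, so session garbage collection (session.gc_maxlifetime and the gc_probability/gc_divisor settings) still has to reclaim those files.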