Nope. In fact, it's really bad and your example code will render your sessions useless.
When you call session_start() you are either given an empty $_SESSION or you get back the data you saved to $_SESSION on a previous page load. For more information on sessions check out the PHP docs:
http://php.net/manual/en/book.session.php
http://php.net/manual/en/function.session-start.php
About logging in and out: Your logout process has to destroy whatever session data identifies the user (probably their ID). Typically this is done by using unset, i.e. unset($_SESSION['user_id']).
I can't imagine any other way to log out a user, maybe if you provided more information I could give you a better answer about this.
Regarding your addition, it looks like your authentication system could use some work. You shouldn't be able to get to a login page when you are already logged in (even as admin, since it's just another user with higher privileges, right?). If you manually type in the login URL after you're logged in, then it should redirect you to the homepage.
Here's a fantastic write-up on this topic, I shoulda done some research! Thanks @HamZa
The definitive guide to form-based website authentication
And here's my super basic pseudo code auth process:
    Does current page require authentication
        Yes:
            Is the user logged in?
                Yes:
                    Does the user have the correct privileges to view the page?
                        Yes:
                            AUTHENTICATED! Show page
                        No:
                            Print a message that says something like, "You're in the wrong place amigo"
                No:
                    Redirect to login
        No:
            Show the page
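
The decision tree above, together with the logout step and the redirect for already-logged-in users, written out as PHP. This is an added example and not part of the original answer; the `role` session key, the page descriptor arrays, the role names and the function names are assumptions made for illustration.

```php
<?php
// Added example, not the answerer's code. The 'role' session key, the page
// descriptor array and the role names are assumptions made for illustration.

const ROLE_RANK = ['user' => 1, 'admin' => 2];

/** Returns one of: 'show', 'login', 'forbidden', 'home'. */
function authorize(array $page, array $session): string
{
    $loggedIn = isset($session['user_id']);
    // A logged-in user who requests the login page is sent to the homepage.
    if (!empty($page['is_login'])) {
        return $loggedIn ? 'home' : 'show';
    }
    // Page does not require authentication: show it.
    if (empty($page['min_role'])) {
        return 'show';
    }
    if (!$loggedIn) {
        return 'login';
    }
    // Unknown roles rank 0, so they fail closed.
    $have = ROLE_RANK[$session['role'] ?? ''] ?? 0;
    $need = ROLE_RANK[$page['min_role']] ?? PHP_INT_MAX;
    return $have >= $need ? 'show' : 'forbidden';
}

/** Logout: drop whatever identifies the user, as with unset($_SESSION['user_id']). */
function logout(array &$session): void
{
    unset($session['user_id'], $session['role']);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // retire the old session ID as well
    }
}

// Constructed sample data standing in for $_SESSION and a page table.
$pages = [
    'home'  => [],
    'login' => ['is_login' => true],
    'admin' => ['min_role' => 'admin'],
];
$session = ['user_id' => 7, 'role' => 'user'];
foreach ($pages as $name => $page) {
    echo $name, ': ', authorize($page, $session), PHP_EOL;
}
logout($session);
echo 'admin after logout: ', authorize($pages['admin'], $session), PHP_EOL;
```

In a real page, `$_SESSION` would be passed in after `session_start()`, and each returned decision would map to rendering the page, a redirect, or the "wrong place" message.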