/**
 * Logs the current user out.
 *
 * The user id is read from the session first, because the cookie removal
 * and the session-id update below still need it after the session is gone.
 */
public static function logout()
{
    $loggedInUserId = Session::get('user_id');

    // Project helpers; presumably remove the user's cookie and tear down the
    // server-side session respectively — TODO confirm against Session.
    self::deleteCookie($loggedInUserId);
    Session::destroy();

    // Unlike the login path, no session id is passed here — presumably this
    // resets the stored id so the old one can no longer be matched; confirm.
    Session::updateSessionId($loggedInUserId);
}
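/**
 * The real login process: the user's data is written into the session.
 *
 * Starts the session, regenerates its id (so an id carried before
 * authentication is never promoted to an authenticated session), wipes any
 * pre-login data, stores the user's details, records the new session id for
 * the user and finally (re)sends the session cookie with the configured
 * lifetime, path, domain, secure and httponly settings.
 *
 * Cheesy name, maybe rename. Also maybe refactoring this, using an array.
 *
 * @param mixed $user_id           stored in the session verbatim; also passed to Session::updateSessionId()
 * @param mixed $user_name         stored in the session verbatim
 * @param mixed $user_email        stored in the session verbatim; also used to build the gravatar URL
 * @param mixed $user_account_type stored in the session verbatim
 * @return void
 */
public static function setSuccessfulLoginIntoSession($user_id, $user_name, $user_email, $user_account_type)
{
    Session::init();

    // Remove the old session and regenerate the session id.
    // Regenerating on sensitive actions (e.g. login) defeats session fixation:
    // whatever id the client presented before authenticating is discarded.
    session_regenerate_id(true);

    // Start from an empty session so nothing set before login survives.
    $_SESSION = [];

    Session::set('user_id', $user_id);
    Session::set('user_name', $user_name);
    Session::set('user_email', $user_email);
    Session::set('user_account_type', $user_account_type);
    Session::set('user_provider_type', 'DEFAULT');

    // Set class_id
    Session::set('class_id', self::getClassID());

    // get and set avatars
    Session::set('user_avatar_file', AvatarModel::getPublicUserAvatarFilePathByUserId($user_id));
    Session::set('user_gravatar_image_url', AvatarModel::getGravatarLinkByEmail($user_email));

    // finally, set user as logged-in
    Session::set('user_logged_in', true);

    // Persist the freshly regenerated session id for this user.
    Session::updateSessionId($user_id, session_id());

    // Send the session cookie explicitly, so expiry, path, domain, secure and
    // httponly come from Config instead of php.ini defaults.
    // @see https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#Cookies
    // NOTE(review): the positional setcookie() signature cannot set SameSite;
    // the options-array form (PHP >= 7.3) can, once the config exposes a value for it.
    setcookie(
        session_name(),
        session_id(),
        time() + Config::get('SESSION_RUNTIME'),
        Config::get('COOKIE_PATH'),
        Config::get('COOKIE_DOMAIN'),
        Config::get('COOKIE_SECURE'),
        Config::get('COOKIE_HTTP')
    );
}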