Date: 2021-10

Well, to me, mixing sessions into the login script would be confusing.

I simply do the following:

```php
public function login(): void
{
    $sql = "SELECT id, hashed_password FROM " . static::$table . " WHERE username =:username LIMIT 1";
    $user = static::fetch_by_column_name($sql);

    if ($user && password_verify($this->password, $user['hashed_password'])) {
        unset($this->password, $user['hashed_password']);
        session_regenerate_id(); // prevent session fixation attacks
        static::$last_login = $_SESSION['last_login'] = time();
        $this->id = $_SESSION['id'] = $user['id'];
        header("Location: index.php");
        exit();
    }

    static::$error[] = 'Unable to login in!';
}
```

Then I have this to check whether the user is logged in and/or to do a security check:

```php
public static function is_login($last_login): void
{
    if (!isset($last_login) || ($last_login + self::MAX_LOGIN_AGE) < time()) {
        header("Location: login.php");
        exit();
    }
}

public static function securityCheck()
{
    static::$searchItem = "id";
    static::$searchValue = $_SESSION['id'];
    $sql = "SELECT security FROM " . static::$table . " WHERE id=:id LIMIT 1";
    return static::fetch_by_column_name($sql);
}
```

Then, on a page that I want to be a member page or to have limited access, I do something like the following:

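```php
// Pass null when the key is missing so is_login() redirects without an undefined-index warning.
Login::is_login($_SESSION['last_login'] ?? null);
$user = Login::securityCheck();

/*
 * Only Sysop privileges are allowed.
 */
if (!$user || $user['security'] !== 'sysop') {
    // Anyone who is not a sysop (or whose row is missing) is sent away.
    header("Location: index.php");
    exit();
}
```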

My point is I try to keep my classes simple and my methods (functions) as short as possible.
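
The two checks described above (login age, then the role read back from the database) can be exercised without a browser by putting the decision in one pure function. This is an added example, not code from the post: `access_decision()` is a hypothetical helper, the `MAX_LOGIN_AGE` value is assumed, and the session arrays and rows are constructed sample input.

```php
<?php
declare(strict_types=1);

// Assumed value; the post does not show what MAX_LOGIN_AGE is set to.
const MAX_LOGIN_AGE = 60 * 60 * 24;

/**
 * Hypothetical helper: decide what a protected page should do.
 * $session is the session array; $row is the result of the role lookup
 * (false or null when the user row no longer exists).
 * Returns 'login' (re-authenticate), 'deny' (wrong role) or 'allow'.
 */
function access_decision(array $session, $row, string $requiredRole, int $now): string
{
    $lastLogin = $session['last_login'] ?? null;
    $id = $session['id'] ?? null;

    // Missing or malformed session data counts as "not logged in".
    if (!is_int($lastLogin) || $id === null) {
        return 'login';
    }
    // A timestamp in the future, or older than the limit, is expired.
    if ($lastLogin > $now || $lastLogin + MAX_LOGIN_AGE < $now) {
        return 'login';
    }
    // Account deleted since login: fail closed instead of reading a missing key.
    if (!is_array($row) || !isset($row['security'])) {
        return 'login';
    }
    // Strict comparison against the role stored in the database, not in the session.
    return $row['security'] === $requiredRole ? 'allow' : 'deny';
}

// Constructed sample inputs: [session array, row returned by the role lookup].
$now = 1700000000;
$cases = [
    'fresh sysop'  => [['id' => 7, 'last_login' => $now - 60], ['security' => 'sysop']],
    'fresh member' => [['id' => 8, 'last_login' => $now - 60], ['security' => 'member']],
    'expired'      => [['id' => 7, 'last_login' => $now - MAX_LOGIN_AGE - 1], ['security' => 'sysop']],
    'no session'   => [[], false],
    'deleted user' => [['id' => 9, 'last_login' => $now - 60], false],
];

foreach ($cases as $name => [$session, $row]) {
    printf("%-13s => %s\n", $name, access_decision($session, $row, 'sysop', $now));
}
```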