PHP is $_SESSION enough to secure the web page?

Question

I am running a simple service where users have to login to be able to operate special functonalities.

My MySQL database stores the username , password and user_id .

When user wants to login, they must provide their username and password which are posted to profile.php.

The profile.php does a simple check:

// Sanity Check
if(empty($_POST['smart_email'])|| empty($_POST['smart_password']))
{

    echo 'Sorry, wrong login/passwd';
    exit;
}
else
{
    //
    $smart_email = $_POST['smart_email'];
    $smart_password=$_POST['smart_password'];

    // Check if registerd and password matches
    if(DB_IsAuthorized($smart_email, $smart_password) == true)
    {
        // Obtain proper UserID from the database
        $UserID             = DB_GetId($smart_email);

        // set the session user_id variable
        $_SESSION['user_id'] = $UserID;


        //
        // Display the User profile page
        //
    }

}

From that moment, every single page that is user-related has a check for user_id set in $_SESSION to find out if this user was logged in and is authorized.

if (isset($_SESSION['user_id']) && is_numeric($_SESSION['user_id']) && $_SESSION['user_id']>0) 
{ 
    // USER IS LOGGED IN 
}

The question is: Is this $_SESSION['user_id'] check enough to secure the pages from NON LOGGED IN USERS ?

Answer 1

This question is too broad but simple answer is no .

Firstly, you will need https to make sure you protect users from hackers by using firewalls and other required security tools.

Secondly, you need to use htaccess to change extensions, say show user .html instead of .php

Thirdly, Sessions can be hijacked easy by hackers. So always try to store encrypted session values instead of plain text.

There are a lot more issues to take care of but its too complex and broad.