
PHP Login System Problem On Sessions!

I have a few questions about sessions and login/logout systems.

In my system, first I check whether the user data (username and password) are correct or not. If so, I register a session variable: $_SESSION['loggedin'] = 1. Then I assume the user is logged in, and I always check whether $_SESSION['loggedin'] is 1 or not.

However, I recently observed that after one of the users logs in, let's say they go to their page: /profile.php?u=newuser. But while they are on their own page, if they happen to change the URL to this: /profile.php?u=newuser2, my system assumes that newuser2 is logged in now :( How could I solve this problem? What would be the best and secure way to log users in?

And lastly, would the following way work? Let's say I register $_SESSION['username'] = $username; here the $username data is retrieved from the database. And in order to tell whether a user is logged in or not, I always retrieve the username from the database and check $_SESSION['username'] == username. Would this be logical? Would always getting the username from the database be efficient?

As the session data is stored on the server, there should be no problem with storing the username in $_SESSION and checking against it as you said.

It would be better to store the user id, but it's not a big deal to be honest. Unless you allow users to change their username of course.

profile.php should not have a $_GET variable deciding who to edit. It should automatically use the person logged in, i.e.

Instead of going

$username = $_GET['u'];

You should be using

$username = $_SESSION['username'];
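The following is an added example, not code from the question or the answer above, showing the pattern the answer recommends in working PHP: the login step binds the session to the user's database id (after regenerating the session id), and profile.php takes its identity from $_SESSION rather than from ?u=. The ?u= parameter is still allowed to choose which profile to view, but any edit is checked against the session user. It assumes a PDO connection in $pdo and a table users(id, username, password_hash) whose hashes were made with password_hash(); those names and the schema are assumptions.

```php
<?php
// Added example (not from the original question or answer). Assumes $pdo is a
// PDO connection and a table users(id, username, password_hash) exists whose
// hashes were produced by password_hash(). Names/schema are assumptions.

declare(strict_types=1);

// Harden the session cookie before session_start(). 'secure' assumes HTTPS.
session_set_cookie_params([
    'httponly' => true,   // JavaScript cannot read the session cookie
    'secure'   => true,   // cookie is only sent over HTTPS
    'samesite' => 'Lax',  // limits cross-site requests carrying the cookie
]);
session_start();

/** Verify credentials; on success bind the session to the user's id. */
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Hash a dummy value when the user does not exist so an unknown username
    // costs about the same time as a wrong password (limits user enumeration).
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    session_regenerate_id(true);              // new id on login: no session fixation
    $_SESSION['user_id'] = (int) $row['id'];  // store the id, not the username
    return true;
}

/** Id of the logged-in user, or null when nobody is logged in. No DB hit. */
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/** Clear server-side state and expire the cookie. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// profile.php: ?u= selects which profile to VIEW; the identity used for any
// privileged action comes from the session, never from the URL.
function handle_profile(PDO $pdo): void
{
    $me = current_user_id();
    if ($me === null) {
        header('Location: /login.php', true, 302);
        exit;
    }

    if (isset($_GET['u'])) {                  // someone else's (or own) page by name
        $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
        $stmt->execute([(string) $_GET['u']]);
    } else {                                  // no ?u=: show the session user's page
        $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
        $stmt->execute([$me]);
    }
    $profile = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($profile === false) {
        http_response_code(404);
        exit('No such user');
    }

    $isOwner = ((int) $profile['id'] === $me);

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        if (!$isOwner) {                      // ?u=newuser2 while logged in as newuser
            http_response_code(403);
            exit('Forbidden');
        }
        // ... apply the submitted changes to user id $me only
    }

    echo 'Viewing ', htmlspecialchars($profile['username'], ENT_QUOTES, 'UTF-8'),
         $isOwner ? ' (this is you)' : '', "\n";
}
```

Because the session holds the user id, knowing who is logged in never requires a database query; you only query when you need the profile data itself. If usernames can change, the id stays valid where a stored username would not. The POST branch above still needs a CSRF token check before it is safe to expose, which is omitted here to keep the example focused on the session identity question.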
