<?php
/**
* Authentication and Session Management
* This file handles all authentication-related functions including:
* - User login/logout functionality
* - Session management and security
* - Login status checking
* - Session timeout handling
*/
/**
* Session Configuration and Initialization
* Set secure session parameters for better security
*/
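// Idle timeout in seconds, shared by the cookie lifetime, the server-side GC
// and the activity check below so the three cannot drift apart.
if (!defined('SESSION_IDLE_TIMEOUT')) {
    define('SESSION_IDLE_TIMEOUT', 3600);
}

if (session_status() === PHP_SESSION_NONE) {
    // Mark the cookie Secure only when this request actually arrived over TLS:
    // a Secure cookie is never sent over plain HTTP, which would silently break
    // every login on a non-TLS dev box. NOTE(review): behind a TLS-terminating
    // proxy $_SERVER['HTTPS'] may be unset — confirm how the deployment sets it.
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);

    ini_set('session.cookie_lifetime', (string) SESSION_IDLE_TIMEOUT);
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_TIMEOUT);
    ini_set('session.cookie_httponly', '1');            // not readable from JavaScript
    ini_set('session.cookie_secure', $isHttps ? '1' : '0');
    ini_set('session.cookie_samesite', 'Lax');          // not sent on cross-site POSTs
    ini_set('session.use_only_cookies', '1');           // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');            // reject ids the server did not issue
    session_start();

    // Idle-timeout check: a session untouched for longer than the window is
    // discarded and the request continues with a brand-new, empty session.
    if (isset($_SESSION['last_activity'])
        && (time() - (int) $_SESSION['last_activity'] > SESSION_IDLE_TIMEOUT)) {
        session_unset();
        session_destroy();
        session_start();
        // Strict mode already refuses the destroyed id; regenerating makes the
        // new id explicit regardless of the save handler in use.
        session_regenerate_id(true);
    }

    // Slide the idle window forward for this request.
    $_SESSION['last_activity'] = time();
}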
/**
* Check if user is logged in
* Validates user session and checks for expiration
* @return bool True if user is logged in and session is valid
*/
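/**
 * Check whether the current session belongs to a logged-in user.
 *
 * A user counts as logged in when $_SESSION['user_id'] is set and the session
 * has not been idle for more than one hour (3600 seconds, measured from
 * $_SESSION['last_activity']). A valid call slides the idle window forward;
 * an expired one clears the session data.
 *
 * @return bool True if user_id is present and the idle timeout has not elapsed
 */
function isLoggedIn(): bool
{
    // No user_id means nobody is logged in. isset() also covers the case where
    // no session was started at all and $_SESSION does not exist.
    if (!isset($_SESSION['user_id'])) {
        return false;
    }

    $now = time();
    // A session created before activity tracking existed is treated as fresh.
    $lastActivity = isset($_SESSION['last_activity'])
        ? (int) $_SESSION['last_activity']
        : $now;

    if ($now - $lastActivity <= 3600) {
        // Still inside the idle window: refresh it and accept the session.
        $_SESSION['last_activity'] = $now;
        return true;
    }

    // Idle timeout exceeded: drop everything. session_destroy() warns when no
    // session is active (e.g. CLI or already destroyed), so guard on status.
    session_unset();
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
    $_SESSION = [];
    return false;
}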
/**
* Logout user and destroy session
* Clears all session data and redirects to welcome page
*/
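/**
 * Log the current user out and redirect to welcome.php.
 *
 * Clears the session data, tells the browser to drop the session cookie and
 * destroys the server-side session, then exits after sending the redirect.
 * Never returns.
 */
function logout(): void
{
    // The session is normally already active (started at the top of this file);
    // a second session_start() would only raise a notice.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    session_unset(); // clear all session variables

    // Also expire the cookie in the browser so the old id is not presented on
    // the next request; session_destroy() alone leaves the cookie in place.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $params['path'],
            'domain'   => $params['domain'],
            'secure'   => $params['secure'],
            'httponly' => $params['httponly'],
            'samesite' => $params['samesite'] ?? '',
        ]);
    }

    session_destroy(); // destroy the server-side session
    header('Location: welcome.php'); // redirect to welcome page
    exit();
}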
/**
* Check if current user is admin
* @return bool True if user role is admin
*/
/**
 * Check whether the current session carries the admin role.
 *
 * Reads $_SESSION['role'] and compares it strictly against the literal 'admin';
 * a missing role or any other value (including 'Admin') counts as not admin.
 *
 * @return bool True if the session role is exactly 'admin'
 */
function isAdmin()
{
    $role = $_SESSION['role'] ?? null;

    return $role === 'admin';
}
/**
* Require user to be logged in
* Redirects to welcome page if user is not logged in
*/
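/**
 * Abort the request unless a user is logged in.
 *
 * Returns normally when isLoggedIn() is true; otherwise clears any remaining
 * session data, redirects to welcome.php and exits.
 */
function requireLogin(): void
{
    if (isLoggedIn()) {
        return;
    }

    // isLoggedIn() may already have destroyed an expired session; only tear
    // down what is still active so session_destroy() does not warn.
    session_unset();
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }

    header('Location: welcome.php'); // redirect to welcome page
    exit();
}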
/**
* Require user to be admin
* First checks if user is logged in, then checks if user is admin
*/
/**
 * Abort the request unless the current user is a logged-in admin.
 *
 * Delegates the login check to requireLogin() (which redirects to welcome.php
 * when nobody is logged in); a logged-in non-admin is redirected to index.php.
 */
function requireAdmin()
{
    requireLogin();

    if (isAdmin()) {
        return;
    }

    header('Location: index.php'); // logged in, but not an admin
    exit();
}
/**
* Sanitize user input to prevent XSS attacks
* @param string $data Input data to sanitize
* @return string Sanitized data
*/
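/**
 * Trim and HTML-encode a user-supplied string for safe inclusion in HTML.
 *
 * Whitespace is trimmed and the characters & < > " ' are converted to HTML
 * entities. Backslashes are left untouched: the former stripslashes() call was
 * a magic_quotes-era leftover that silently corrupted legitimate input such as
 * passwords or Windows paths. NOTE(review): the result is output-encoded, so
 * it is suited for rendering; storing or comparing the encoded form (rather
 * than the raw value) is a known source of double-encoding — confirm with callers.
 *
 * @param string|null $data Raw input; null is treated as an empty string
 * @return string Trimmed, HTML-escaped copy of the input
 */
function sanitizeInput(?string $data): string
{
    $value = trim($data ?? '');

    // Explicit flags: encode both quote styles (needed inside single-quoted
    // attributes) and replace invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}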
/**
* Hash password using PHP's secure password hashing
* @param string $password Plain text password
* @return string Hashed password
*/
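/**
 * Hash a plain-text password for storage.
 *
 * Uses password_hash() with PASSWORD_DEFAULT, so the algorithm (currently
 * bcrypt) and cost follow the PHP version; the output embeds algorithm, cost
 * and salt and is meant to be stored as-is and checked with verifyPassword().
 *
 * @param string $password Plain-text password
 * @return string Self-describing password hash
 */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}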
/**
* Verify password against hash
* @param string $password Plain text password
* @param string $hash Stored password hash
* @return bool True if password matches hash
*/
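/**
 * Check a plain-text password against a stored hash.
 *
 * A missing or empty stored hash (e.g. an account without a password set)
 * never verifies, so callers cannot log in against an empty column by accident.
 *
 * @param string $password Plain-text password to check
 * @param string|null $hash Stored hash produced by hashPassword(); null or '' fails
 * @return bool True only if the password matches the hash
 */
function verifyPassword(string $password, ?string $hash): bool
{
    if ($hash === null || $hash === '') {
        return false;
    }

    return password_verify($password, $hash);
}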
?>