Sessions are used in PHP to maintain state between HTTP requests.
For user authentication, sessions can:

Keep the user logged in after they enter the correct password.

Block access to pages for users who are not logged in.

Provide user-specific data on pages.

⚙️ 2. Starting a Session
<?php
session_start(); // Must be called on every page that accesses the session
?>


Where to put it: every page that requires authentication must begin with session_start().

It must come before any HTML output.

🔑 3. Using the Session at Login
<?php
session_start();
include 'config.php'; // provides $pdo (the PDO database connection)

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Default to an empty string so a missing field does not raise an "undefined index" warning
    $email    = trim($_POST['email'] ?? '');
    $password = $_POST['password'] ?? '';

    // Prepared statement: the email is bound as a parameter, never concatenated into the SQL
    $stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email");
    $stmt->execute(['email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user && password_verify($password, $user['password'])) {
        session_regenerate_id(true); // Prevent session fixation
        $_SESSION['user_id']  = $user['id'];
        $_SESSION['username'] = $user['username'];

        header("Location: dashboard.php");
        exit;
    } else {
        $error = "❌ Invalid email or password!";
    }
}
?>


💡 Notes:

session_regenerate_id(true) changes the session id on every login, preventing session hijacking.

$_SESSION is the array that holds the logged-in user's data.

🧩 4. Blocking Access to Pages for Users Who Are Not Logged In
<?php
session_start();

if (!isset($_SESSION['user_id'])) {
    header("Location: login.php"); // Redirect the user to login if not logged in
    exit;
}
?>


This ensures that a user who is not logged in cannot access the page.

Put this snippet at the top (header) of every secured page.

📝 5. Providing Logout
<?php
session_start();
$_SESSION = []; // Clear all session variables
// Expire the session cookie in the browser as well, so the old id is not sent again
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params['path'], $params['domain'], $params['secure'], $params['httponly']);
}
session_destroy(); // Delete the session data on the server
header("Location: login.php"); // Redirect to login
exit;
?>


💡 Notes:

session_destroy() deletes all of the logged-in user's session data.

After logout, every page requires logging in again.

🧠 6. Security Tips

HTTPS: make sure session cookies are only sent over HTTPS.

session_regenerate_id(true): on every login or privilege change.

Session timeout: use an auto-logout mechanism after a period of inactivity.

Store minimal info: keep only essential data in the session (user_id, username).
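The tips above, and the access check from section 4, can be collected into one helper that every page calls instead of a bare session_start(). The code below is an added example written for this page; it is not from the original tutorial. It assumes PHP 7.3 or newer (for the array form of session_set_cookie_params), a site served over HTTPS, and the timeout values shown, which are chosen for illustration.

```php
<?php
// Added example, not part of the original tutorial.
// Assumptions: PHP >= 7.3, the site is served over HTTPS (so the 'secure'
// cookie flag can be set), and these timeout values are illustrative.

const SESSION_IDLE_TIMEOUT = 15 * 60; // seconds of inactivity before auto logout (assumed)
const SESSION_ROTATE_EVERY = 5 * 60;  // seconds between routine session id rotations (assumed)

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started on this page
    }

    // HTTPS tip: the cookie is only sent over HTTPS, is not readable by
    // JavaScript, and is not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // Only accept session ids that PHP itself generated, and only from the cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    session_start();

    $now = time();

    // Session timeout tip: after too long without activity, drop the user's
    // data and discard the old id (and its server-side file).
    if (isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > SESSION_IDLE_TIMEOUT) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = $now;

    // Routine rotation limits how long a leaked id stays useful.
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    } elseif (($now - $_SESSION['created_at']) > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['created_at'] = $now;
    }
}

// Section 4 check: call this at the top of every secured page.
function require_login(string $login_page = 'login.php'): void
{
    secure_session_start();
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $login_page);
        exit;
    }
}

// Call this right after a successful password_verify(), or whenever the
// user's privileges change (section 6: regenerate on login / privilege change).
// "Store minimal info" tip: only user_id and username are kept.
function login_user(int $user_id, string $username): void
{
    secure_session_start();
    session_regenerate_id(true); // fresh id, so a pre-login id cannot be reused
    $_SESSION = [
        'user_id'       => $user_id,
        'username'      => $username,
        'last_activity' => time(),
        'created_at'    => time(),
    ];
}
```

In the login script from section 3, the two $_SESSION assignments and the session_regenerate_id(true) call would be replaced by login_user($user['id'], $user['username']); secured pages call require_login() in place of the section 4 snippet.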

✅ 7. Conclusion

Sessions are essential for user authentication and for maintaining login state.

Every secured page must check the session variable.

Logout improves security by removing the session data.

🔗 Visit:

👉 https://www.faulink.com/

For more tutorials on PHP, sessions, authentication, and web security.