
I have a webapp that uses login/logout, so I have session management. Basically every page so far starts with

<?php
session_start();
if (!isset($_SESSION['username'])) { header("Location: index.php"); exit; } // exit: without it the rest of the page still runs after the redirect header
// ... rest of the page's functionality

I am now creating a class (User.php) that will be accessed by another .php page. Do I need to implement the above for security, and if so, how? Should I put classes above the webroot? Thanks


First of all, although I assume you've thought of this: just checking whether the username is set in a session is not particularly safe. If you want to check whether a user is logged in, some additional tests should be present.

Then back to your question: a page could possibly access the User class even if no logged-in user exists (e.g. when you want to display this particular user's public comments on a blog post). So no, your test would not be needed. Furthermore, you could also build a check for whether the user is logged in into the User class (or better still, the Authentication class you'll build around it), so you could do something like:

if(Authentication::is_logged_in($_SESSION['username']) === true) {
    echo 'yeeehaaaa! You\'re logged in bro!';
} else {
    echo 'what are you doing here?! Get lost! (or log in)';
}

2 Comments

Thanks, what other security measures should I take to make sure a user is logged in? How can someone get past the if(!isset($_SESSION['username'])) security?
You might want to store a timestamp to check the expiry (e.g. 1 hour after login), but definitely a password hash built up from e.g. the timestamp, the (encrypted) password, a constant and the client's public IP. This will prevent someone from 'stealing' the session. The hash is created at login and checked every time the hypothetical is_logged_in() function is called.
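The following is an added example, not code from the question, the answer or the comments above. It implements the two ideas raised in the thread, an Authentication class with an is_logged_in() style check, and the comment's suggestion of an expiry timestamp plus a binding value created at login and re-verified on every check. Everything in it is an assumption for illustration: the session store is passed in by reference (so $_SESSION in a web request, a plain array in the CLI demo), the binding is an HMAC keyed with a hypothetical server-side secret rather than a hash that includes the password, and the client is identified by its User-Agent string rather than its IP address (IP binding breaks for users behind carrier NAT or on mobile networks, whose address changes mid-session).

```php
<?php
// Added example, not from the original post. Hypothetical Authentication
// class: session store passed by reference, expiry timestamps, and an
// HMAC binding keyed with a server-side secret (assumed to be loaded from
// a file outside the webroot).

final class Authentication
{
    private const MAX_LIFETIME = 3600; // seconds after login (the "1 hour" from the comment)
    private const IDLE_TIMEOUT = 900;  // seconds since the last verified request

    /** @var array<string,mixed> reference to the session store */
    private $session;
    private string $secret;
    private string $clientId;

    public function __construct(array &$session, string $secret, string $clientId)
    {
        $this->session  = &$session;
        $this->secret   = $secret;
        $this->clientId = $clientId;
    }

    // Binding value: keyed hash over username, login time and client id.
    // The key is the server secret, so a client that knows the inputs
    // still cannot compute a valid value for a forged session.
    private function binding(string $username, int $loginAt): string
    {
        $data = $username . '|' . $loginAt . '|' . $this->clientId;
        return hash_hmac('sha256', $data, $this->secret);
    }

    public function login(string $username, int $now): void
    {
        // Drop the pre-login session id so a fixated id is never promoted
        // to an authenticated one (only applies to a real PHP session).
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $this->session['username']      = $username;
        $this->session['login_at']      = $now;
        $this->session['last_activity'] = $now;
        $this->session['binding']       = $this->binding($username, $now);
    }

    public function isLoggedIn(int $now): bool
    {
        $s = $this->session;
        foreach (['username', 'login_at', 'last_activity', 'binding'] as $key) {
            if (!isset($s[$key])) {
                return false;
            }
        }
        // Absolute lifetime and idle timeout.
        if ($now - $s['login_at'] > self::MAX_LIFETIME
            || $now - $s['last_activity'] > self::IDLE_TIMEOUT) {
            $this->logout();
            return false;
        }
        // Binding check with a constant-time comparison.
        if (!hash_equals($this->binding($s['username'], $s['login_at']), $s['binding'])) {
            $this->logout();
            return false;
        }
        $this->session['last_activity'] = $now;
        return true;
    }

    public function logout(): void
    {
        $this->session = [];
    }

    // Guard for pages that must not be reachable anonymously. The exit
    // matters: header() only adds a redirect, the rest of the page still runs.
    public function requireLogin(int $now, string $redirect = 'index.php'): void
    {
        if (!$this->isLoggedIn($now)) {
            header('Location: ' . $redirect);
            exit;
        }
    }
}

// CLI demo with a constructed in-memory session store.
$store  = [];
$secret = 'demo-secret: use a random value loaded from outside the webroot';
$t      = 1700000000;

$browser = new Authentication($store, $secret, 'Mozilla/5.0 (demo)');
$browser->login('alice', $t);
var_dump($browser->isLoggedIn($t + 60));    // valid session from the original client

// The same session data presented by a different client (a stolen cookie):
// the binding no longer matches and the session is cleared.
$thief = new Authentication($store, $secret, 'curl/8.0');
var_dump($thief->isLoggedIn($t + 90));

// Fresh login, then a request after the absolute lifetime has passed.
$browser->login('alice', $t);
var_dump($browser->isLoggedIn($t + 3601));
```

In a web page this would be used after session_start() as `$auth = new Authentication($_SESSION, $secret, $_SERVER['HTTP_USER_AGENT'] ?? ''); $auth->requireLogin(time());`, with the class file and the secret kept above the webroot and pulled in with require. Two caveats: the User-Agent (like the client IP) is chosen by the client, so the binding only raises the bar against a replayed cookie and does not replace keeping the session id secret (TLS, and a cookie with the Secure and HttpOnly flags); and clearing the store on a failed check is a deliberate choice that logs out the legitimate user too, which is usually preferable to letting a suspicious session continue.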
