session passing through URL


canuhelpme
April 5th, 2007, 01:19 AM
I am trying to implement sessions in my PHP files. Let the files be login1.php and file2.php.

Requirement to be satisfied:

Access to file2.php should be possible only after a successful login. Otherwise no one should be able to access it directly.

I have now implemented this by setting a session in login1.php. On successful login I pass the session id to file2.php as follows.

In login1.php the code is as follows:

session_start();
$sess_id = session_id();            // id of the session PHP has just started
$_SESSION['id'] = $sess_id;         // keep a copy of that id inside the session itself
if (-------condition) {             // the login check (elided in the original post)
    header("Location: addUser.php?PHPSESSID=$sess_id"); // the id is carried in the URL
    exit;                           // stop here so nothing after the redirect runs
}


In file2.php I have written:

session_start();
// Send the visitor back to the login page unless the session holds an id
// and it matches the id that arrived in the URL
if (!isset($_SESSION['id']) || !isset($_GET['PHPSESSID']) || $_SESSION['id'] != $_GET['PHPSESSID']) {
    unset($_SESSION['id']);         // session_unregister('id') in the original; that function was removed in PHP 5.4
    session_destroy();
    header("Location: login1.php");
    exit;
}

If I try to access file2.php directly from anywhere, it is not possible. But once I log in successfully and reach file2.php, I can copy the session id from the URL, and if I then try to access the page from anywhere with this id I get straight into file2.php. This is the security concern. So how can I implement sessions securely? How can I use one more session in a page? Do I need to use another session_start()? I am not very familiar with implementing sessions.

PeejAvery
April 5th, 2007, 07:40 AM
Well, first off, session_id() must be called before session_start().

Second, you should use cookies to store the session id. Here is an example.

if (@$_COOKIE['sessionid'] == "") {
    // No cookie yet: make up an id and hand it to the browser
    $sesid = 'session' . mt_rand(0, 9999999);
    // 604800 = 1 week cookie
    setcookie("sessionid", $sesid, time() + 604800);
} else {
    // Returning visitor: reuse the id the browser sent back
    $sesid = $_COOKIE['sessionid'];
}
session_id($sesid);   // must come before session_start()
session_start();
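Pulling the original question and the cookie suggestion above together, here is an added example (not code from this thread) of the cookie-based gate, written as one include that both login1.php and file2.php pull in. It goes a step beyond the snippet above: instead of minting its own cookie with mt_rand(), it lets PHP issue the session cookie, refuses ids that arrive in the URL, regenerates the id at login, and gates file2.php on a server-side flag rather than on an id the browser sends back. credentials_valid() and its single constructed user are placeholders for a real user lookup, and the ini_set() values assume PHP 5.5.2 or later on an HTTPS site.

```php
<?php
// auth.php: added example, not code from the thread. Included by login1.php and file2.php.
// Session settings must be in place before session_start().
ini_set('session.use_only_cookies', 1);  // ignore ?PHPSESSID=... in the URL entirely
ini_set('session.use_strict_mode', 1);   // discard ids the server never issued (PHP >= 5.5.2)
ini_set('session.cookie_httponly', 1);   // cookie not readable from JavaScript
ini_set('session.cookie_secure', 1);     // cookie only sent over HTTPS (assumes an HTTPS site)
session_start();                          // PHP issues and reads the cookie itself

// Placeholder credential check: one constructed user standing in for a real user table.
// (The hash is computed here only to keep the example self-contained; store hashes instead.)
function credentials_valid($user, $pass) {
    $users = array('alice' => password_hash('correct horse battery', PASSWORD_DEFAULT));
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Called by login1.php once the form is submitted. Returns true on success.
function login_user($user, $pass) {
    if (!credentials_valid($user, $pass)) {
        return false;
    }
    // Issue a fresh id now, so an id that existed before login cannot be reused
    // by anyone who captured it (session fixation).
    session_regenerate_id(true);
    $_SESSION['authenticated'] = true;   // the gate checks this flag, not an id
    $_SESSION['username'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// First line of file2.php and every other restricted page.
function require_login() {
    if (empty($_SESSION['authenticated'])) {
        header('Location: login1.php');
        exit;                            // never let the page body run after a redirect
    }
}

// Clears the server-side state and expires the browser's cookie.
function logout_user() {
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// How the two pages use it:
// login1.php:
//   require 'auth.php';
//   if ($_SERVER['REQUEST_METHOD'] === 'POST'
//       && login_user($_POST['user'], $_POST['pass'])) {
//       header('Location: file2.php');  // nothing in the URL; the browser sends the cookie
//       exit;
//   }
//   // ...otherwise render the login form
// file2.php:
//   require 'auth.php';
//   require_login();                    // everything below runs only for logged-in users
```

The point of the flag is that the server never has to compare an id the client supplies against one it stored: whoever holds a valid session cookie is already "logged in" as far as PHP is concerned, so the only thing worth checking on file2.php is whether this session went through login_user(). Keeping the id out of the URL is what stops it from being copied out of the address bar, browser history or server logs the way the original poster describes.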

Nibinaear
April 5th, 2007, 08:29 AM
If you do still want to do this without cookies then here's how.

First establish that they should be allowed into your restricted area, then do the following:

1) session_name('mysession');

2) Use ini_set('session.use_cookies', 0); // Turns off cookies, which would otherwise stop the URL-passing method from working.

3) session_start(); // Starts a session, as you know

4) $_SESSION['username'] = $info; // Set your cookies as you would normally

5) $url = "http://www.mywebsite.com/loggedin.php?" . SID; // SID is a constant holding the session id

6) header("Location: $url"); exit; // Redirect them.

7) Keep passing the id in the URL; one slip-up and the whole thing is lost!

PS. This method is prone to session hijacking.

Hope it works.
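To complete the cookieless procedure in the post above as one runnable include (an added example, not Nibinaear's code): both the page that logs the user in and every restricted page call start_url_session() before any output; the login side then calls login_and_redirect() and the restricted side calls require_url_session(). The hostname and loggedin.php are the ones from the post, login1.php is the file name from the original question, and the caller is assumed to have already verified the credentials, as the post's opening sentence requires. What the post's PS warns about still applies: the id travels in every URL, so it lands in browser history, proxy and server logs and the Referer header of any outbound link, and whoever has it is the user. session.use_strict_mode is switched on so that at least an id the server never issued is not silently adopted as a session.

```php
<?php
// urlsession.php: added example completing the cookieless steps above; not code from the thread.
// Must run before any output, on both the login page and every restricted page.
function start_url_session() {
    session_name('mysession');               // step 1: the URL parameter is ?mysession=<id>
    ini_set('session.use_cookies', 0);       // step 2: PHP sets no cookie...
    ini_set('session.use_only_cookies', 0);  // ...and will read the id from $_GET/$_POST instead
    ini_set('session.use_trans_sid', 1);     // PHP appends mysession=<id> to the links it outputs
    ini_set('session.use_strict_mode', 1);   // an id the server never created starts a fresh, empty session
    session_start();                         // step 3
}

// Steps 4 to 6. Call only after the caller has verified the login.
function login_and_redirect($username) {
    session_regenerate_id(true);             // do not keep whatever id arrived with the login request
    $_SESSION['username'] = $username;       // step 4
    // SID is "mysession=<id>" here because no cookie carries the id (it would be "" if one did).
    $url = 'http://www.mywebsite.com/loggedin.php?' . SID;   // step 5
    header('Location: ' . $url);             // step 6
    exit;
}

// Step 7, receiving side: if the id was not on this request's URL, the session is empty.
function require_url_session() {
    if (empty($_SESSION['username'])) {
        header('Location: login1.php');
        exit;
    }
}

// Links that trans_sid does not rewrite (absolute URLs, URLs built in JavaScript) must carry
// the id by hand, or the next click loses the session.
function restricted_link($path) {
    return $path . '?' . urlencode(session_name()) . '=' . urlencode(session_id());
}

// loggedin.php, for instance:
//   require 'urlsession.php';
//   start_url_session();
//   require_url_session();
//   echo '<a href="', htmlspecialchars(restricted_link('file2.php')), '">next page</a>';
```

The receiving side has no id of its own to compare against: if the request carried a valid mysession parameter, $_SESSION is already populated; if it carried none, or one the server never issued, the session is empty and the user is sent back to log in. That is also exactly why the scheme is weak: possession of the id is the whole credential, and the id is exposed on every hop.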

PeejAvery
April 5th, 2007, 09:17 AM
PS. This method is prone to session hijacking.
Which means security breach. That is why I don't recommend it, nor do I believe Nibinaear would.

canuhelpme
April 9th, 2007, 02:26 AM
Sorry, I'm not getting a clear idea. Don't I need to pass the id through the URL in login.php? Do I need to check whether the cookie is set in file2.php?

PeejAvery
April 9th, 2007, 07:31 AM
Sorry, I'm not getting a clear idea. Don't I need to pass the id through the URL in login.php? Do I need to check whether the cookie is set in file2.php?
You have two options.

1. You can pass the session id through the URL, where it is easily visible and can be hijacked by simply changing the URL line.

2. You can set a cookie at login and then read it on the following pages via $_COOKIE. This is much more secure and easier to code across many pages.