feat: "used sessions for security"

kamranzafar4343 · Sep 8, 2024 · 3b059ad · 3b059ad
1 parent b9188b4
commit 3b059ad
Show file tree

Hide file tree

Showing 19 changed files with 328 additions and 65 deletions.
diff --git a/Branches.php b/Branches.php
@@ -1,4 +1,19 @@
 <?php
+// session_start(); // Start the session
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
 
 include 'db.php'; // Include the database connection
 

diff --git a/Companies.php b/Companies.php
@@ -1,6 +1,19 @@
 <?php
 // session_start(); // Start the session
+session_start();
 
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
 include 'db.php'; // Include the database connection
 
 // // Check if the user is logged in

diff --git a/CompanyInfo.php b/CompanyInfo.php
@@ -1,12 +1,21 @@
 <?php
 // session_start(); // Start the session
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
+
 include 'db.php';
-// // Check if the user is logged in
-// if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
-//     // User is not logged in, redirect to login page
-//     header("Location: pages-login.php");
-//     exit;
-// }
 
 $result = [];
 $company_data = null;

diff --git a/box.php b/box.php
@@ -1,5 +1,19 @@
 <?php
+// session_start(); // Start the session
+session_start();
 
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
 include 'db.php'; // Include the database connection
 
 // Fetch box of the company

diff --git a/boxDelete.php b/boxDelete.php
@@ -1,4 +1,20 @@
 <?php
+// session_start(); // Start the session
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
+
 include "db.php";
 
 if (isset($_GET['id'])) {

diff --git a/branchDelete.php b/branchDelete.php
@@ -1,4 +1,20 @@
 <?php
+// session_start(); // Start the session
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
+
 include "db.php";
 
 if (isset($_GET['id'])) {

diff --git a/branchUpdate.php b/branchUpdate.php
@@ -1,5 +1,19 @@
 <?php
+// session_start(); // Start the session
+session_start();
 
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
 
   include "db.php";
 

diff --git a/create.php b/create.php
@@ -1,4 +1,20 @@
 <?php
+// session_start(); // Start the session
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
+
 include "db.php";
 
 if (isset($_POST['submit'])) {

diff --git a/createBox.php b/createBox.php
@@ -1,4 +1,19 @@
 <?php
+// session_start(); // Start the session
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
 
 include "db.php";
 

diff --git a/createBranch.php b/createBranch.php
@@ -1,5 +1,19 @@
 <?php
+// session_start(); // Start the session
+session_start();
 
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
 
 // Retrieve company ID from URL
 $company_id = isset($_GET['id']) ? intval($_GET['id']) : 0;

diff --git a/createitem.php b/createitem.php
@@ -1,4 +1,21 @@
 <?php
+
+// session_start(); // Start the session
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
+
 // Retrieve company ID from URL
 $branch = isset($_GET['id']) ? intval($_GET['id']) : 0;
 

diff --git a/delete.php b/delete.php
@@ -1,5 +1,21 @@
 
 <?php
+// session_start(); // Start the session
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
+
 include "db.php";
 
 

diff --git a/index.php b/index.php
@@ -1,6 +1,18 @@
 <?php
 // session_start(); // Start the session
-
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
 include 'db.php';
 
 // // Check if the user is logged in

diff --git a/itemDelete.php b/itemDelete.php
@@ -1,4 +1,20 @@
 <?php
+// session_start(); // Start the session
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
+
 include "db.php";
 
 if (isset($_GET['id'])) {

diff --git a/itemUpdate.php b/itemUpdate.php
@@ -1,4 +1,19 @@
 <?php
+// session_start(); // Start the session
+session_start();
+
+session_regenerate_id(true); // This will regenerate the session ID and delete the old one
+ini_set('session.cookie_secure', '1'); // Only send cookies over HTTPS
+ini_set('session.cookie_httponly', '1'); // Prevent access to cookies via JavaScript (mitigates XSS)
+ini_set('session.cookie_samesite', 'Strict'); // Prevent CSRF attacks by restricting cross-site cookie sharing
+
+
+// Check if the user is logged in
+if (!isset($_SESSION['email'])) {
+    // If not logged in, redirect to login page
+    header("Location: pages-login.php");
+    exit();
+}
 
 include "db.php";
 

diff --git a/logout.php b/logout.php
@@ -1,4 +1,16 @@
+<?php
+session_start();
+
+// Unset all session variables
+$_SESSION = array();
 
+// Destroy the session
+session_destroy();
+
+// Redirect to login page
+header("Location: pages-login.php");
+exit();
+?>
 <!DOCTYPE html>
 <html lang="en">