I'm not a php expert but I wonder if there is a way to secure the tunnel with https and if can somehow use some sort of certificate to the session from the class when it outputs the userdata into session and read it as an input by the class?

<?php
interface userAction {
    public function login();
    public function logout();
    public function isActive();
}
class userControl implements userAction {
    protected $_email;
    protected $_password;
    protected $_db;
    protected $_user;
    private $isLogged = false;
    public function __construct(mysqli $db, $email, $password) 
    {
       $this->_db = $db;
       $this->_email = $email;
       $this->_password = $password;
    }
    public function login()
    {
        $user = $this->_verifyUser();
        if ($user) {
            $this->_user = $user;
            session_regenerate_id(true);
            $_SESSION['uid'] = $user['uid'];
            return $user['uid'];
        }
        return false;
    }
    protected function _verifyUser()
    {
        $userQ = "SELECT * FROM users WHERE email=?";
        $stmt = $this->_db->prepare($userQ);
        $stmt->bind_param("s", $this->_email);
        $stmt->execute();
        $result = $stmt->get_result();
        $nrRows = $result->num_rows;
        if ($nrRows > 0) {
            $user = $result->fetch_assoc();
            $this->_db->next_result();
            $usrPwd = blobToString($user['password']);
            $pwdCheck = password_verify($this->_password, $usrPwd);
            if ($pwdCheck) {
                unset($user['password']);
                $this->_db->close();
                $this->isLogged = true;
                return $user;
            }
        }
        return false;
    }
    public function logout() {
        $currentUser = $_SESSION['uid'];
        if ($this->isLogged && $currentUser) {          
            $usrStatus = 0;
            $usrLevel = -1;
            $isUserQ = "SELECT * FROM users_status WHERE uid = ?";
            $isUser = $this->_db->prepare($isUserQ);
            $isUser->bind_param("s", $currentUser);
            $isUser->execute();
            $userData = $isUser->get_result();
            if ($userData->num_rows > 0) {
                $this->_db->next_result();
                $setUserQ = "UPDATE users_status SET login_status = ?, user_level = ? WHERE uid = ?";
                $setUser = $this->_db->prepare($setUserQ);
                $setUser->bind_param("iis",$usrStatus, $usrLevel, $currentUser);
                $setUser->execute();
                $setUser->close();
                $this->_db->close();
                $this->isLogged = false;
                return true;
            }
        }
        return false;
    }
    public function isActive() {
        if($_SESSION['uid'] == $this->_user['uid']) {
            $this->isLogged = true;
            return $this->_user;
        }
        return false;
    }
}

PHP is a web scripting language that is removed from the networking and SSL side of things. You can use a web server such as Apache or Nginx to server your PHP scripts to ensure your website only loads via HTTPS with an SSL certificate.

It appears you are already correctly using password_hash() and password_verify() to store encrypted and salted passwords in the database. Additional security measures you can take for your login pages are setting a content security policy (CSP) HTTP header that instructs web browsers to employ restrictions such as not allowing third-party form submissions, etc.

An example of what we do here at DaniWeb is:

header("content-security-policy: frame-ancestors 'none'; form-action 'self'");

and what that does is ensure that our webpages are not able to ever be loaded into an iframe on someone else's website, and all form submissions originate from the same domain. We also store an anti-CSRF cookie to prevent against CSRF attacks.

Thank you Dani, I've already done that but I'm not sure if the client side is secure since the web is full of adds and shady scripts :)

You can use a content-security-policy to prevent any non-vouched-for javascript from executing. If you research CSP, you can see it can be quite powerful.

Aside from that, there is no way to "lock down" the client side (the end-user's web browser). What is important is that nothing that is happening on the client side is able to affect the server side in any unintended way through any type of injection attacks, man-in-the-middle attacks, etc.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.