I am using PHP sessions to protect access to my CMS without being logged in. It's working, but I'm also setting a cookie using JavaScript so that users are redirected to the CMS from the login.php page if they have already authenticated. The cookie's expiration is 1 day, but I'm starting to wonder whether using a session and having a cookie is a bit redundant?
Can I use PHP sessions alone to accomplish these two tasks?
EDIT: To clarify - I set a PHP session variable on the login.php page. If you try to access the cms.php page, it will check to see if that session variable exists. If not, it knows you didn't come from the login page and it will redirect you.
I was under the impression that PHP sessions were destroyed when the browsing session ends, and I was using JavaScript to do some other work, so I Googled 'how to set a cookie using javascript' and did it that way (having never set a cookie before). I don't want the user to have to login each time just because they closed their browser, so I set a cookie that lasts for 1 day. This way, when they hit login.php it redirects them to cms.php and that page sees the session variable has been set by login.php and allows the redirect.