What best practices should be followed when designing and implementing a secure login system in PHP to prevent session variable overwriting and unauthorized access?

To prevent session variable overwriting and unauthorized access in a PHP login system, it is important to use secure coding practices such as validating user input, using prepared statements for database queries, and implementing proper session management techniques. Additionally, using encryption for sensitive data and implementing CSRF tokens can further enhance the security of the login system.

<?php
session_start();

// Validate user input
$username = $_POST['username'];
$password = $_POST['password'];

// Use prepared statements for database queries
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password);
$stmt->execute();
$user = $stmt->fetch();

if ($user) {
    // Set session variables
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['username'] = $user['username'];
    $_SESSION['logged_in'] = true;
    // Redirect to secure page
    header('Location: secure_page.php');
    exit();
} else {
    // Invalid login credentials
    echo 'Invalid username or password';
}
?>