The right way to do a login script

[vlad]

OK, I've seen this in many places, but neither was thorough, as it often happens with quick and sloppy tutorials. So, please enlighten me with a simple and up-to-date snippet that does login and logout. Specifically, I would like to check in index.php if the user is logged in and display text accordingly. If you redirect me to something, please confirm that it is accurate, up-to-date and fairly secure code. I am learning and would like to do this the right way.

Thank you.

[slipperyfish]

well, im no PHP-whizz! but i find PHP sessions are the easiest way. I store their user information in a database when they register. and when they login, the database is checked for their info, if it exsists i set the sessions with a few vital pieces of user info, like username, password, name, status level etc. then the if i run to check if they are logged in is:

[code]
if (isset($_SESSION["password"])) {

... they are logged in ...

} else {

... they are not logged in ...

}
[/code]

Im not really sure how safe or decent that method is, but i do know PHP sessions cannot be editted by users in the same way cookies can. perhaps someone could let me know how safe/good it is? .. but, as a basic login system, i think that's the wya to go ;)

[vlad]

But how do I set logged in state and, more importantly, what do I need to do when the user logs out?

[shortj75]

i will try to explain this the best i can
[code]
//ok here is your basic login on form i will not go into explaining this
//assuming you have the basic nowledge of html

//login.php
<center><table border=1>
<TH>Log-In
<tr><td>
<form method="post" action="authenticate.php">
User Id: <td>
<input type="text" name="id" vspace="7">
<tr><td>
Password:
<td>
<input type="password" name="pass" vspace="7">
<tr><td>
<input type="submit" value="Log-In"><input type="reset" value="Reset">

</form></th></TR></TD></TABLE></center>

[/code]

ok now i am gonna setup a mysql connect page to connect to your database

[code]

//connect.php

//ok now we are gonna log you in to your mysql database
//first you have to enter your database hosts name then your userid and password
mysql_connect('yourhost', 'your userid', 'yourpassword') or die('Could not connect.');
//now wehave to select a database and check to see if it exists
//and it is not found we will give ourself an error
if(!mysql_select_db('database name'))
    die('No database selected.');

[/code]
ok here is where everything gets logged in and you set your session variables

[code]

//authenticate.php


//ok here we include the  is the mysql connect page we did earlier
include 'connect.php';
//ok next we have to start sessions
session_start();
//now we have to grab the variables from login.php
$user = $_POST['id'];
$pass = $_POST['pass'];
//ok now we are gonna check to see that the user enter his/her userid and password
if((!$user) || (!$pass)){
//if the user forgot to enter there userid and or password we show them an error
//message and display the login.php page for them to try again
    echo "Please enter ALL of the information! <br />";
    include 'login.php';
    exit();
}

//here we are checking to see if the userid and password match a userid and password
//in your batabase
$sql = mysql_query("select * from your table here where youruseridcolumnname='$user' and yourpasswordcolumnname='$pass'"); //we are now call thebatabase table where all the
//userids and passwords are stored
$login_check = mysql_num_rows($sql);//here we are checking to see if they match
//if they match we are gonna call them up and log them in
if($login_check > 0){
    while($row = mysql_fetch_array($sql)){
    foreach( $row AS $key => $val ){
        $$key = stripslashes( $val );
    }
//ok now we are gonna set up some session variables these are very important
//with the session variables you can check to see if the user is logged on later
//and they are used to log the user out
         session_register('user');
        $_SESSION['user'] = $user;
        session_register('pass');
        $_SESSION['pass'] = $pass;
        session_register('email');
        $_SESSION['email'] = $email;

//now that the user is logged in and session variables are set we will redirect the
//user to your indexpage
    
        print "<META HTTP-EQUIV = 'Refresh' Content = '0; URL =index.php'>";

    }
  }
// now if the user could not belogged in we display an error message and the
//login.php form for them to try again
else
{
    echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
    Please try again!<br />";
    include 'login.php';
}  
[/code]


now we check to see if the user is logged in whith you index.php page

[code]


//first we start sessions you must do this at the top of every page in order for sessions to work
session_start();

//now we check to se if the user is logged in by useing the session variables we creatwed earlier
//by call for the $_SESSION['user'] variable
if(isset($_SESSION['user'])){ //if the sessionvariable was created you will now display your index page
welcome to my site and so forth
}
//and if the session variable was not created which means the user didnt log in we give them an error
else{
echo "sorry you cannot view this page because you have failed to log in";
//and now we display your login.php page
include 'login.php
}

[/code]
sorry it wont lit me post the logout part for some reason but you can get all of what is here plus the logout part [a href=\"http://tfws.dynu.com/loginlogouttut.php\" target=\"_blank\"]here[/a]