Login

[akrytus]

Ok, I searched for this and found nothing to help me, so I appologize if this was posted before and I missed it. 

I have a company web page, www.nocrs.net, that I am working on and need a member login.  I have created it and it works but I think I found an alternative to what I should have done.

My way:

[code]
function index(){
  // Load standard index page}

function member(){
  // Load member page}

function invalid(){
  // Load invalid user page}

function checklogin(){
  // Check dbase for user validation}

function cookie(){
  // Create cookie if user login validated}



// Begin of PHP page
    if ($_SERVER['REQUEST_METHOD'] != 'POST'){index();}
else{
  if(isset($_COOKIE["login"])){cookie();}
  else{checklogin();}}
[/code]


Basically each funtion holds a webpage.  If the validation is met then load the member webpage, if not load the invalid webpage, if no submit, then load the index webpage.  So basically I have 3 pages using the same index.php file.

Could someone explain to me the way I should do this!  I know a little bit, like use session variables and cookies, and how they work, dont know how to get them to work.  When I try to use session variables, it always says session already open or sent cant remember. 

I guess I dont know how to load a new page once the validation has been done and what keeps people from browsing to restricted pages and restricting access to them with out proper validation.  Assume I am stupid and tell me everything you know,  PLEASE!!!!

[Ninjakreborn]

I don't care what anybody tells you, you have absolutely no reason to need to use cookies "with" sessions.  If you change the php ini settings to max session cookie lifetime, it automatically set's a cookie on the computer, then allows it to pass the session id around.  It traps it in the url when they come back to visit, and passes it around, you can test it for yourself, login's are really nothing, have 1 page that they login at.  check the db for username and password, (with hashign or whatever precautions you take.
if they match, register the sessions with
$_SESSION['whatever'] = whatever
php.net claims session_register as outdated so I wouldn't use it
then at the top of each page throw in
session_start();
I have 1 sessions normally called controller, set to true
then If i want something to display or not to display for people who are logged in or out I say
if ($_SESSION['controller'] == true) {
if I want it to display and
!= true if I don't want it to display, like if they can login, after that above login I put
if ($_SESSION['controller'] != true) {
// show login form, information to login with
}else {
// show link to logout, or whatever
}
when you are ready for them to logout
throw out
session_destroy();
on the logout page and that's it they can no longer go to the password protected pages.

[akrytus]

Ok, that helps me understand the sessions better, thankyou for your response.

I still have 2 questions:

1. What exactly protects the web pages from being visited without logging in? 

2. Once you find out that the member is validated you said start the session, but then how do you forward to the member page?  Put up a link for them to click on once validated?  Can you automate it?

[Ninjakreborn]

you can use header if you want to relocate, I just normally leave them on the homepage in the logged in form.  As far as password protected entire pages
if (isset($_SESSION['username']) {
// entire page

}else
// you are not logged in
}
for a quick way
2 other ways could be
at the top
if (empty[$_SESSION['username']) {
// exit the thing
then relocate them, or whatever
}
there are hundreds of ways to do it literally
and for the relocation

[code]header('Location: ' . $page);[/code]
WIth page being set to the url of the page you want them to go to, you can use relative url's as well.
in this situation, whenever the script hits that line though it automatically redirects, so be careful where you place it, or you can cut off some of the important parts of your script.
BUt that will redirect them to whatever page you want.

[akrytus]

Thanks I will give it a try!

[akrytus]

I apparently am a little confused.

You said [quote]if (isset($_SESSION['username'])[/quote]

Now if this is on top of my protected web pages, wouldnt this always be true, because how else would have you gotten there without having started a session?  Should this be:

[code]
// Login
$_SESSION['whatever'] = "whatever"

[/code]

[code]
// Protected webpage
if($_SESSION['username']="whatever"){
  // entire page}

else {
  // Invalid User}
[/code]

[Ninjakreborn]

if they never logged in they never gained that session.
The thing you put is the same thing I put just wrote differently.  No they can come to the page if they wanted.  ANyway just by typing it in the url, so either way would work, personal preference, mostly.

[akrytus]

Ok, sorry to keep bothering you, I really appreciate your help, but..................

When I destroy the session on the protected page I get:

Warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session

So I took your advice and put a start_session at the top of that page and i get:

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started

[Ninjakreborn]

VERY top of the page before any includes or anything right?

[akrytus]

Oops, html tags were on top! Thanks again.

[Ninjakreborn]

Nothing above, nothing at all.  Nothing but top of document
<?php
that is it, it has to come directly after that
if you some much as piss in the area above it, the headers are already sent.

[akrytus]

Ok, I have it all working, I log in and visit the secure page fine, but if I click on a link away, then try to revisit the secure page, I loose all the session data.  How do I prevent that? The idea is to login, view both secure and non-secure pages until user logs off.