nvee Posted November 1, 2009

I am on the brink of having a breakdown. I have an assignment which was due on Friday, and here, Sunday evening, I find myself struggling with the user login system. I REALLY REALLY REALLY hope someone can help me with this one!

Beforehand, I am very new to PHP and have never used sessions in any form before. I have a slight idea how it works, but I am clearly doing something wrong, and Google scripts appear to be too fancy for a beginner like myself.

Good, just some info: I have a single username and password stored in a config.php file, variable names $username and $password. There is a single login page called login.php. It runs with a simple form with action="login.php", where on the first line of the code the following appears. The script first checks if the login button was pressed, then validates the username and password, then if it passes, it creates the session... and then routes the user to the admin.php page.

    <?php
    require_once("includes/config.php");

    // Only read the form fields when the LOGIN button was pressed
    if($_POST["LOGIN"] == "LOGIN") {
        $usern = $_POST["username"];
        $passw = $_POST["password"];
    }

    // Compare the submitted values against the ones in config.php
    if($usern != $username OR $passw != $password) {
        $fail = "Your username and password combination is incorrect, please try again!";
    } else {
        session_start();
        $_SESSION["username"] = $username;
        $_SESSION["password"] = $password;
        $_SESSION["admin"] = "true";
        header("location:admin.php");
    }
    ?>

On my admin pages or "password secure" pages I have this code at the top. I think it's pretty straightforward what this does.

    <?php
    require_once("includes/config.php");
    session_start();
    // Send anyone without the admin flag back to the login page
    if(!isset($_SESSION["admin"])) {
        header("location:login.php");
    }
    ?>

Lastly, on my logout page, I have the following code:

    <?php
    require_once("includes/config.php");
    session_start();
    $_SESSION["admin"] = "";
    session_destroy();
    header("location:index.php");
    ?>

My questions are:

As a beginner to sessions I understand there are certain security risks, and I assume my code is the best example of that. Am I doing the session thing right here? I know this sounds stupid, but it "appears" to work, but I also would rather want it to work correctly and with guidelines to remember than the way it is now.

When I click on the login link, it would log in before I actually log in. I hope this makes sense. I assume it has something to do with my code at the top of the login.php page. To me it appears that it creates the session without going through the if/else stipulated there. It is either that or it never actually destroys the session when I click on LOGOUT. Hell, either way it can be an issue. Any assistance?

As I said, it would appear to work, but does anyone have a guideline of how to correctly use sessions with user management? I heard somewhere that it is a good way to combine cookies and sessions when working with logins and user management. Is this correct? Can anyone possibly shed some light on this topic?

I apologise for these stupid questions, and really appreciate any help I can get. Thanks in advance.
nvee Posted November 1, 2009 Author

As an update, I changed my code on the "admin pages" to:

    <?php
    require_once("includes/config.php");
    session_start();
    // Redirect unless the stored session values match config.php
    if($_SESSION["username"] != $username OR $_SESSION["password"] != $password) {
        header("location:login.php");
    }
    ?>

I figured it may be more secure than just checking if the $_SESSION['admin'] actually is set.
nvee Posted November 1, 2009 Author

anyone?
redarrow Posted November 1, 2009

    <?php
    session_start(); // can only go at the top of a page....
    ?>

Any code that does not use a database can be bad news, in my opinion. When sessions are secured in a database then it's really secure.

You need to read on unset($_SESSION['name']); also you need to use other sub functions of sessions to understand it all.

To get you going: http://www.tizag.com/phpT/phpsessions.php

If you need to know more advanced session work then use php.net
nvee Posted November 2, 2009 Author

Thanks redarrow. Well, the project provided to us already had a preset database, and we were asked to only do user management per file as there was no table in the db for users. But I am with you on that, I will read into it.

Just to understand correctly: when I say session_start() for argument's sake on my login page, and then also declare the session variables, I say session_start() again on another "admin content page", then I do an if statement to check that the session variables are set and correct according to the session variables in a database?

I think what got me was the actual term session_start(), as it confuses you to think that a new session is started at the top of each page. How does PHP know that you're using the same session the whole time? I also read somewhere that it's a good idea to check what the session ID is, and then do an if statement to make sure that the session ID is in fact the same one started, but not sure how that works.
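The login, admin-guard and logout pieces from the first post, rewritten as an added example (not the poster's or any reply's code) that also answers the last post's question about session_start() on every page: PHP resumes the same session because the browser sends the session cookie back, and the login handler regenerates the ID at the moment of login. It assumes includes/config.php defines $username and $password_hash (a password_hash() result instead of the plaintext $password used in the thread).

```php
<?php
// Added example, not the thread's own code. Assumes includes/config.php
// defines $username and $password_hash (output of password_hash()).
declare(strict_types=1);
require_once __DIR__ . '/includes/config.php';
// session_start() goes first on every page that reads or writes $_SESSION.
// It does not create a new session each time: the PHPSESSID cookie sent by
// the browser tells PHP which existing session to resume.
session_start();

// login.php: returns an error message, or redirects on success.
function handle_login(string $configUser, string $configHash): ?string
{
    // Only evaluate credentials when the form was actually submitted.
    if (($_POST['LOGIN'] ?? '') !== 'LOGIN') {
        return null;
    }
    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    // Constant-time comparisons; the plaintext password is never stored.
    if (!hash_equals($configUser, $user) || !password_verify($pass, $configHash)) {
        return 'Your username and password combination is incorrect, please try again!';
    }
    // Fresh session ID on login so an ID issued before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;       // a flag, not the password
    $_SESSION['username'] = $user;
    header('Location: admin.php');
    exit;                            // stop rendering the page after the redirect
}

// Top of every admin page: redirect unless the flag is exactly true.
function require_admin(): void
{
    if (($_SESSION['admin'] ?? false) !== true) {
        header('Location: login.php');
        exit;
    }
}

// logout.php: clear the data, expire the cookie, destroy the server-side record.
function handle_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}
```

Each page calls the function it needs after the shared prologue (login.php calls handle_login($username, $password_hash), admin pages call require_admin(), logout.php calls handle_logout()); the exit after each header() is what prevents the admin page from continuing to render for a redirected visitor.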