Hi folks, I have a few random questions surrounding a PHP login application and passing session data around between pages.  I started by following this tutorial, which seemed pretty good:

 

http://www.phpeasystep.com/phptu/6.html

 

This isn't my first time using MySQL or PHP, so I was able to get things up and running within minutes.  But then I decided to try adding some real functionality.  For example, I wanted the "login_success.php" page to have a few functions on it:

 

1. Be able to change the user's password

2. Be able to create a new user

3. Logout

 

I got the logout to work just fine -- I can either display a "logout" confirmation page (with a link to go back to the main login screen), or just perform a redirect back to the main PHP page (main_login.php).  Either one works.

 

What I need help with is performing password changes and creating users.  So let's take a look at my concerns with each one:

 

1. changing passwords:

- I should only be able to change the current user's password.  Therefore, I need to know the username in the current session.

- A user should only be able to reach this page if they successfully logged in (and therefore have a valid session).

 

2. adding users

- Again, a user should only be able to reach this page if they successfully logged in (and I will handle "admin" users exclusively having access to this page later).

 

 

I see that the login_success.php page from the above tutorial has this code at the top:

 

<?php
session_start();
// The tutorial passes a bare constant (myusername); the session key is the string 'myusername'.
if(!session_is_registered('myusername')){
header("location:main_login.php");
exit; // stop here, otherwise the rest of the page is still sent after the redirect header
}
?>

 

 

So my questions are:

 

1. Should I use this same code at the top of every page I wish to prevent "unauthorized" access to (i.e. the user needs to be logged in)?  If not, how to protect pages like that?

 

2. What is the best way to pass session data around between pages?  I looked at this tutorial:

 

http://php.net/manual/en/function.session-start.php

 

but the SID variable doesn't seem to work in my environment (PHP Version 5.2.6-3ubuntu4.5) like that page shows.  Instead I have to save the result of session_id() to a variable.  But should I be passing the session variable around between pages like this?  Let's say I have a form in adduser.php which has 2 fields (new password and confirm password).  Then the submit button calls adduser2.php?sessionIDHere.  Then of course, the adduser2.php page will compare the two passwords, create a connection to mysql, and update the members table.

 

Is this the best way to be changing pages (just simple <a href> hyperlinks)?  It doesn't seem like it because then my session ID is up in the location bar of the browser.  I have seen redirects done like this:

 

header("location:someOtherPage.php");

 

Is it possible to pass session data around using the header function?

 

 

 

Sorry, I know there is a lot going on here, but it's really just the two questions...sort of.  :)


1. Yes

2. You don't need to play with the SID. Just save the data you need to session vars and then retrieve it as needed.

3. Skip the create user. Why would you want a registered user to create another user? It would be better for you to make a "tell a friend" kind of thingy.

4. As long as you save something to session, $_SESSION['username']=$username, it is available to any subsequent page that you start with session_start(), so there is no reason to worry about passing data from page to page; that kinda defeats one of the purposes of sessions, persistent data.

5. As to your password changing, I would make the fields:

current password

newpass

newpassagain

Then match the current password against the pulled password of the current user registered to the session. Then change the password if the match is OK.

 

 

HTH

Teamatomic
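Teamatomic's three-field flow written out as an added example (not code from the thread or the tutorial). It assumes the tutorial's members table with username and password columns, placeholder database credentials, passwords stored as password_hash() hashes rather than the tutorial's plain text, and PHP 5.5 or newer for password_hash/password_verify (the PHP 5.2.6 mentioned in the thread predates them).

```php
<?php
// changepassword.php (hypothetical file name): POST target of the change-password form.
session_start();

// Only a logged-in user may reach this handler; exit so nothing below runs after the redirect.
if (!isset($_SESSION['myusername'])) {
    header('Location: main_login.php');
    exit;
}

// Placeholder DSN and credentials; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The account being changed comes from the session, never from the form.
$username = $_SESSION['myusername'];
$current  = isset($_POST['current'])      ? $_POST['current']      : '';
$new      = isset($_POST['newpass'])      ? $_POST['newpass']      : '';
$again    = isset($_POST['newpassagain']) ? $_POST['newpassagain'] : '';

if ($new === '' || $new !== $again) {
    exit('New passwords are empty or do not match.');
}

// Pull the stored hash for the session user and check the current password against it.
$stmt = $pdo->prepare('SELECT password FROM members WHERE username = ?');
$stmt->execute(array($username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false || !password_verify($current, $row['password'])) {
    exit('Current password is wrong.');
}

// Match is OK: store only a hash of the new password, bound as a parameter.
$stmt = $pdo->prepare('UPDATE members SET password = ? WHERE username = ?');
$stmt->execute(array(password_hash($new, PASSWORD_DEFAULT), $username));

// A credential change is a good moment to issue a fresh session id.
session_regenerate_id(true);
echo 'Password changed.';
```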

Thanks teamatomic...I'll try some of your suggestions out today and see how it goes.

 

Just FYI, the reason why I wanted to allow one user create another user is:

 

a) Just to verify that I can actually write something useful...it's just a test I wanted to do

 

b) I would eventually like to create a page (or pages) that offer "admin" access.  Essentially I want the content management to be built into the page, so I can create a page for someone, and then they can update the content contained in that page without having any knowledge of PHP or HTML (or maybe they just have a very basic understanding of HTML).  Being able to create users is just a step in that direction.

 

 

But I'll try out your suggestions right now and see how it goes.  I guess I misunderstood the point of session_start().  It was my understanding that it was only supposed to be called on the page that started the session, but I guess you have to use it on every page contained in the session?  If so, then the function name is a bit of a misnomer -- I'm not starting a session but continuing an existing one!

 

In any case, thanks for the help so far.  :)

Yes, but PHP doesn't know that :)

session_start - used before any display code, so PHP can get a cookie from the client with their session id; if the cookie doesn't exist, it creates a new one.

 

Sessions are defaulted to expire once the client closes their browser, but you can change the expiry period, for say 7 days, so even if they close their browser, they can return to a page without physically logging in.

 

 

Cool...looks like I got things working.  If you look at main_login.php in the tutorial from my first post, it does an HTTP POST in the form.  The action is to call checklogin.php.  Inside of checklogin.php I can save away the username in the session info (once I have verified the correct password) like so:

 

// session_start() must already have been called earlier in checklogin.php for $_SESSION to work.
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1)
{
  // save username away in the session
  $_SESSION['myusername'] = $myusername;

  // Register $myusername, $mypassword and redirect to file "login_success.php"
  // (session_register() is deprecated; note it also puts the password itself into the session)
  session_register("myusername");
  session_register("mypassword");
  header("location:login_success.php");
  exit; // stop processing so nothing after the redirect header is executed or sent
}
else
{
  echo "Wrong Username or Password";
}

 

 

And it works now!  Later I can retrieve the username just by checking $_SESSION['myusername'].  :)

 

I'm not sure what the difference is between setting a variable in $_SESSION vs. calling session_register() though.  If anyone knows I guess that would be my last question on this for now.  According to the manual, session_register() is deprecated and using $_SESSION is now preferred.  Apparently they are supposed to be equivalent:

 

http://php.net/manual/en/function.session-register.php

 

That's strange because you can see that the original code uses this line:

 

session_register("myusername");

 

and yet I wasn't able to pull the value of $_SESSION['myusername'] until I explicitly set it using

 

$_SESSION['myusername'] = $myusername;

 

Thus, in my experience the two calls:

 

session_register("myusername");

 

and

 

$_SESSION['myusername'] = $myusername;

 

 

Are NOT equivalent!

 

 

So can someone answer the following:

 

1. Is assignment via $_SESSION['key'] = value and session_register() supposed to be equivalent?

 

2. Could I change the "protection" at the top of each page from this:

 

<?php
session_start();
if(!session_is_registered('myusername')){
header("location:main_login.php");
exit;
}
?>

 

to this?

 

<?php
session_start();
// note: this raises an "undefined index" notice when 'myusername' has not been set
if(!$_SESSION['myusername']){
header("location:main_login.php");
exit;
}
?>

 

Are those equivalent?

From my understanding, session_register's main difference is that it automatically calls session_start.

But reading the manual further, you will also notice it's a bad idea to intermix $_SESSION and session_register. Since session_register is deprecated, it's best to use $_SESSION and other built-in functions.

such as

<?php
session_start();
if(!isset($_SESSION['myusername']))
{
header("location:main_login.php");
exit; // do not keep rendering the protected page after the redirect
}
?>

 

Using isset to detect a session variable's existence is better than testing the variable for empty, as you don't generate a PHP warning error (Index not found).

 

I've always used $_SESSIONS, just as habit.

 

isset($_SESSION[x]) is equivalent to session_is_registered

unset($_SESSION[x]) is equivalent to session_unregister

unset($_SESSION) is equivalent to session_destroy (but the session id remains the same).

 

but as long as you check variables in the $_SESSION against other variables, you can design a pretty secure system.
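The isset() guard above, together with the login and logout handling it implies (a fresh session id at login, and a real session_destroy at logout, since unset($_SESSION) alone leaves the id valid), as an added example that is not code from the thread. File names are hypothetical; session_status() needs PHP 5.4 or newer.

```php
<?php
// auth.php (hypothetical): require it at the top of every protected page, then call require_login().
function require_login()
{
    if (session_status() === PHP_SESSION_NONE) {   // PHP 5.4+; avoids double session_start()
        session_start();
    }
    // isset() avoids the notice that !$_SESSION['myusername'] raises when the key is absent.
    if (!isset($_SESSION['myusername'])) {
        header('Location: main_login.php');
        exit;   // otherwise the protected page body is still sent after the redirect header
    }
    return $_SESSION['myusername'];
}

// Called from checklogin.php once the username/password check has succeeded.
function login_user($username)
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    // Issue a fresh id on login so a session id obtained before authentication is not kept.
    session_regenerate_id(true);
    $_SESSION['myusername'] = $username;   // store only the username, never the password
}

// Called from logout.php.
function logout_user()
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $_SESSION = array();                   // clear the data; the id would otherwise stay valid
    if (ini_get('session.use_cookies')) {  // expire the session cookie on the client as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                     // remove the server-side session data
}

// Typical use on a protected page:
// require 'auth.php'; $user = require_login(); echo 'Logged in as ' . htmlspecialchars($user);
```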

 

 

Thanks laffin!  Great info.  I changed all of my pages over to use the isset() function instead of session_is_registered() and it works perfectly.  FYI you have a typo in your code block...it says "is_set($_SESSION)" instead of "isset($_SESSION")" -- but I knew what you meant.  ;)

 

 

Thanks everyone...I now have this working where I can add users or change passwords -- and both have error checking and everything works great!  Looks like I have my work cut out for me.  I have some pages to design.  :D
