Drongo_III (posted May 1, 2011)

Hi Guys

New to PHP so stick with me. I'm trying to create a simple login script that will grant a user access to content that is only viewable by those people who are logged in.

I'm ok doing the login part and authenticating the password etc. But once the user gets directed to the content page, how can I ensure that only a registered user who is logged in sees that page? (Probably missing something very obvious here.) I've tried reading around but not found much on this specific question.

Should I set the user's username and password (which is encrypted) as session variables and authenticate them as the first stage of each page they visit? Or is there a better way of doing this?

Don't worry, not looking for you to write the code, just a description of the best way of doing it would be great!

Thanks,
Drongo

fugix (posted May 1, 2011)

You could use $_SESSION['id'], which is a unique ID that you can assign each user that is registered. You can then use that to see if the session ID is set. If it isn't, you can use header() to redirect the unregistered users to the login/register page. Hope this helps

Drongo_III (Author, posted May 1, 2011)

Thanks

That makes a lot of sense. If I wanted to track a specific user - let's say I wanted them to be able to post an entry on the site - would it be bad practice to use their username and/or their encrypted password as session variables to track them as them?

> You could use $_SESSION['id'], which is a unique ID that you can assign each user that is registered. You can then use that to see if the session ID is set. If it isn't, you can use header() to redirect the unregistered users to the login/register page. Hope this helps

cs.punk (posted May 1, 2011)

I don't really see reason to store their password in a session, a username is fine though, and track them through their user id and all should be fine.

Drongo_III (Author, posted May 1, 2011)

That's great.

Out of interest: if I perform the check outlined above to see if session ID isset, are there any potential security issues with just performing that check? Or should I also do additional checks?

Thanks for all your help btw guys!

> I don't really see reason to store their password in a session, a username is fine though, and track them through their user id and all should be fine.

fugix (posted May 1, 2011)

You can store their username in a session yes...but you should make sure that each username is unique...or you can track them by their $_SESSION['id'] as well...whichever you prefer

fugix (posted May 1, 2011)

take a look at this

Pikachu2000 (posted May 1, 2011)

> you can store their username in a session yes...but you should make sure that each username is unique...or you can track them by their $_SESSION['id'] as well...whichever you prefer

Only if you've actually assigned the value of session_id() to $_SESSION['id'].

fugix (posted May 1, 2011)

> Only if you've actually assigned the value of session_id() to $_SESSION['id'].

You are right Pikachu...sorry for forgetting to clarify that

gizmola (posted May 1, 2011)

When you do session_start() people get a session id. That is not enough. When the user completes the login process, then you should set a session variable. Frequently, people will set it to be the user table id, or something similar. Checking for the existence of that variable is a good way to ensure that people are actually logged in.
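
The check gizmola describes, as an added example that is not part of the original thread: the login step stores only the user's table id in the session, and every protected page verifies that value before rendering. The `user_id` session key, the `/login.php` path and the `users` table columns are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The 'user_id' key, /login.php and
// the users(id, username, password_hash) table are assumed names.

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie flags: not readable from JavaScript, sent over HTTPS only.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Runs once, when the login form is submitted.
function log_in(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_hash column is assumed to hold output of password_hash().
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    start_session();
    session_regenerate_id(true);              // fresh session id after login (blocks session fixation)
    $_SESSION['user_id'] = (int) $row['id'];  // store the id only, never the password or its hash
    return true;
}

// Runs at the top of every members-only page, before any output is sent.
function require_login(): int
{
    start_session();
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;                                 // without exit the protected page still renders
    }
    return $_SESSION['user_id'];
}
```

A protected page then begins with `$userId = require_login();` and uses `$userId` to look up the username or attribute a new post, so nothing beyond the id has to live in the session.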

Drongo_III (Author, posted May 1, 2011)

Thanks guys! This is all becoming much more clear to me now! Afraid I have more noob questions to ask but I'll post these in a separate thread.

V much appreciated!

cs.punk (posted May 2, 2011)

> That's great.
>
> Out of interest: if I perform the check outlined above to see if session ID isset, are there any potential security issues with just performing that check? Or should I also do additional checks?
>
> Thanks for all your help btw guys!

You do not, as the variable is set by the PHP interpreter, so no security risk.