
Session question


Drongo_III


Hi Guys

New to PHP so stick with me.

I'm trying to create a simple login script that will grant a user access to content that is only viewable by those people who are logged in.

I'm ok doing the login part and authenticating the password etc. But once the user gets directed to the content page how can I ensure that only a registered user who is logged in sees that page? (probably missing something very obvious here). I've tried reading around but not found much on this specific question.

Should I set the user's username and password (which is encrypted) as session variables and authenticate them as the first stage of each page they visit? Or is there a better way of doing this?

Don't worry, not looking for you to write the code, just a description of the best way of doing it would be great!

Thanks,

Drongo


You could use $_SESSION['id'] which is a unique ID that you can assign each user that is registered. You can then use that to see if the session ID is set. If it isn't, you can use header() to redirect the unregistered users to the login/register page. Hope this helps


Thanks

That makes a lot of sense.

If I wanted to track a specific user - let's say I wanted them to be able to post an entry on the site - would it be bad practice to use their username and/or their encrypted password as session variables to track them as them?


That's great.

Out of interest. If I perform the check outlined above to see if session ID isset are there any potential security issues with just performing that check? Or should I also do additional checks?

Thanks for all your help btw guys!

I don't really see a reason to store their password in a session, a username is fine though, and track them through their user id and all should be fine ;).


You can store their username in a session, yes... but you should make sure that each username is unique... or you can track them by their $_SESSION['id'] as well... whichever you prefer


Only if you've actually assigned the value of session_id() to $_SESSION['id'].


When you do session_start() people get a session id. That is not enough. When the user completes the login process, then you should set a session variable. Frequently, people will set it to be the user table id, or something similar. Checking for the existence of that variable is a good way to ensure that people are actually logged in.

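An added example (not code from any poster in this thread) of the pattern described above: the session variable is written only after the password verifies, and every members-only page checks for it before sending output. The function names, the `user_id` key, the `/login.php` path and the sample user row are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: start the session once per request.
function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Hypothetical lookup; the row below is constructed sample data standing in
// for a query against the users table.
function find_user(string $username): ?array
{
    $users = ['drongo' => ['id' => 42, 'hash' => password_hash('example-pass', PASSWORD_DEFAULT)]];
    return $users[$username] ?? null;
}

// Login handler: the session variable is written only after the password verifies.
function complete_login(string $username, string $password): bool
{
    ensure_session();
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh id, so a pre-login id is not reused
    $_SESSION['user_id'] = $user['id']; // store the id only, never the password or its hash
    return true;
}

// Guard for members-only pages: call before any output is sent.
function require_login(): int
{
    ensure_session();
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit; // header() does not stop the script; without exit the page would still render
    }
    return (int) $_SESSION['user_id'];
}
```

The value returned by `require_login()` is the logged-in user's id, which is what a page would use to attribute a new entry to that user.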

That's great.

Out of interest. If I perform the check outlined above to see if session ID isset are there any potential security issues with just performing that check? Or should I also do additional checks?

Thanks for all your help btw guys!

You do not, as the variable is set by the PHP interpreter, so no security risk. ;)


Archived

This topic is now archived and is closed to further replies.
